Sudo Utility Affects Apple’s MacOS and Cisco Products


The recently revealed significant security vulnerability in the Sudo utility also affects Apple’s macOS Big Sur operating system and several Cisco devices.

Tracked as CVE-2021-3156 and referred to as Baron Samedit, the concern is a buffer overflow dependent on a heap that can be abused to obtain root rights on the insecure host by unprivileged users.

The user wants to leverage “sudoedit -s” along with a command-line statement ending with a single backslash character for privilege escalation to root.

In Sudo 1.9.5p2, the vulnerability was patched.

Researchers at the cybersecurity company Qualys, who found the flaw, only checked it on some Linux distributions, such as Debian, Fedora, and Ubuntu, but cautioned that the weakness is likely to impact most Unix and Linux dependent systems. Start qualys freescan download to check vulnerablity

Apple’s MacOS Big Sur is one of the affected operating systems, according to Hacker House co-founder Matthew Hickey.

CVE-2021-3156 also affects @apple MacOS Big Sur (currently unpatched), by symlinking sudo to sudoedit and then activating the heap overflow to increase one’s privileges to 1337 uid=0,” he said on Twitter, “you may enable exploitation of the issue.

Will Dormann, a researcher with the CERT Coordination Center of Carnegie Mellon University, has reported that macOS Big Sur is still vulnerable in response to Hickey.

This week, Apple launched patches for more than 60 macOS Big Sur, Catalina, and Mojave vulnerabilities, but none of them fix the Sudo issue.

Cisco confirms that it is presently reviewing which of its products are impacted by the Baron Samedit vulnerability in an advisory released last week but revised twice since. Many goods are not contaminated and others are also under review, although it has been reported that some have been affected.

In specific, the problem affects Firepower Threat Protection (FTD), Prime Partnership Provisioning, Virtual Appliance Prime Service Catalog, On-Prem Smart Software Manager, switches of the Nexus 3000 series, switches of the Nexus 9000 series in standalone NX-OS mode, and Paging Server (InformaCast).

By accessing a Unix shell on an infected system and then invoking the sudoedit command with designed parameters or running a binary exploit, an attacker may exploit this vulnerability. A effective exploit may cause the attacker to execute root privileged commands or binaries,” the company explains.

To date, there are no signs that in live attacks, the Sudo flaw is being abused, but users are urged to submit patches for it as soon as their goods become usable.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.