Sudo vulnerability could give attackers root access on Linux systems

4 Comments
Sudo

Security researchers have revealed details of a vulnerability in Sudo that could be exploited by an attacker to gain root privileges on a wide range of Linux-based systems.

News of the security flaw was shared by Qualys, and it has been described as "perhaps the most significant sudo vulnerability in recent memory". Worryingly, the heap-based buffer overflow bug has existed for almost a decade. It is known as Baron Samedit, tracked as CVE-2021-3156, and affects various versions of Sudo.

See also:

Vulnerable versions of Sudo are legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, assuming configurations have not been changed. Writing about its findings, Qualys says that the vulnerability "is exploitable by any local user, without authentication".

The company also says:

We developed three different exploits for this vulnerability, and obtained full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are probably also exploitable.

The CVE entry for the vulnerability reads:

Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

Baron Samedit is yet to receive a severity rating in the National Vulnerability Database, but considering the ubiquity of Sudo and the ease with which the vulnerability can be exploited, it is likely to be a high rating once analysis is complete.

Patches are starting to emerge for various Linux distributions; If you're using Ubuntu, updates are available here, while updates for Red Hat can be found here.

Image credit: catris photos / Shutterstock

4 Comments

4 Responses to Sudo vulnerability could give attackers root access on Linux systems

Got News? Contact Us

Recent Headlines

Western Digital unveils new SanDisk and WD_BLACK storage solutions

Get 'Big Data on Kubernetes' for FREE and save $31.99!

Have we gotten observability backwards?

Overcoming the skills gap with robust, easy-to-use AI

Businesses not confident in their ability to detect deepfakes

Technical implementation guide: Securing Salesforce under DORA requirements

Best Windows apps this week

Most Commented Stories

What happens to Linux when Linus Torvalds dies?

24 Comments

Windows 10: Microsoft reveals how much you'll need to pay to keep receiving updates

20 Comments

Bluesky thinking -- why left-wingers are leaving X and why X will get over it

17 Comments

The Guardian’s exit from Elon Musk’s X shows a lack of journalistic courage

13 Comments

Unnecessary replacement of hardware leads to higher costs and growing waste problem

9 Comments

Tech leaders congratulate Donald Trump on 2024 election victory

8 Comments

Frustrated with Windows 11? The stunning Nitrux Linux 3.7.1 is the OS you deserve

7 Comments

Apple launches new compact Mac mini with M4 and M4 Pro chips

7 Comments

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.