Apple fixes serious sudo vulnerability in macOS
A serious vulnerability was recently discovered in the sudo tool which could be used to gain root access on Linux-based systems. It soon transpired that the very same issue also affects macOS.
The security vulnerability -- known as Baron Samedit and tracked as CVE-2021-3156 -- is a years-old heap-based buffer overflow bug, and Apple has now issued a patch that fixes the problem for users of Big Sur, Catalina and Mojave flavors of macOS.
See also:
- Sudo vulnerability could give attackers root access on Linux systems
- Linux sudo vulnerability also affects macOS
- Apple blocks sideloading of iOS apps on M1 Macs
Yesterday, the company released macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002. In addition to fixing two security issues relating to Intel graphics drivers in Big Sur and Catalina, the updates also fix the sudo flaw.
In a support document about the update, Apple lists the three problems the updates address:
Intel Graphics Driver
Available for: macOS Big Sur 11.2, macOS Catalina 10.15.7
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write was addressed with improved input validation.
CVE-2021-1805: ABC Research s.r.o. working with Trend Micro Zero Day Initiative

Intel Graphics Driver
Available for: macOS Big Sur 11.2, macOS Catalina 10.15.7
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed with additional validation.
CVE-2021-1806: ABC Research s.r.o. working with Trend Micro Zero Day Initiative

Sudo
Available for: macOS Big Sur 11.2, macOS Catalina 10.15.7, macOS Mojave 10.14.6
Impact: A local attacker may be able to elevate their privileges
Description: This issue was addressed by updating to sudo version 1.9.5p2.
CVE-2021-3156: Qualys
All macOS users are advised to check for and install the updates as soon as possible.
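A quick way to confirm the fix landed after installing the update is to check the installed sudo version against 1.9.5p2, the version Apple's support note names. The script below is an added example, not code from the article or from Apple; it parses `sudo -V` output and does the version comparison by hand because `sort -V` is not available on macOS. It conservatively flags every version below 1.9.5p2 rather than encoding the exact affected range.

```shell
#!/bin/sh
# Added example (not from the article or Apple's advisory): report whether the
# installed sudo is at or above 1.9.5p2, the version Apple's note says fixes
# CVE-2021-3156. Anything older is flagged, which is conservative on purpose.
FIXED_VERSION="1.9.5p2"

# Pull "1.9.5p2" out of the first line of `sudo -V` output
# ("Sudo version 1.9.5p2 ..."); prints nothing if the line is unrecognised.
parse_sudo_version() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9.p]*\).*/\1/p'
}

# Turn "1.9.5p2" into a fixed-width integer key, 1 0001 0009 0005 0002, so that
# two versions can be compared numerically. A missing "pN" suffix counts as p0.
sudo_version_key() {
    base=${1%%p*}
    case "$1" in
        *p*) patch=${1##*p} ;;
        *)   patch=0 ;;
    esac
    set -- $(printf '%s' "$base" | tr '.' ' ')
    printf '1%04d%04d%04d%04d' "${1:-0}" "${2:-0}" "${3:-0}" "$patch"
}

# Exit status 0 when the given version is >= FIXED_VERSION, 1 otherwise.
sudo_is_patched() {
    [ "$(sudo_version_key "$1")" -ge "$(sudo_version_key "$FIXED_VERSION")" ]
}

main() {
    ver=$(parse_sudo_version "$(sudo -V 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "could not read a version from 'sudo -V'"
        return 2
    fi
    if sudo_is_patched "$ver"; then
        echo "sudo $ver: at or above $FIXED_VERSION, CVE-2021-3156 fix present"
    else
        echo "sudo $ver: older than $FIXED_VERSION, install the macOS update"
        return 1
    fi
}

# Run as `sh check_sudo.sh --live` on the Mac; without the flag only the
# functions are defined, so the file can be sourced or tested.
if [ "${1:-}" = "--live" ]; then
    main
fi
```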