Apple fixes serious sudo vulnerability in macOS

A serious vulnerability was recently discovered in the sudo tool that could be used to gain root access on Linux-based systems. It soon transpired that the very same issue also affects macOS.

The security vulnerability, known as Baron Samedit and tracked as CVE-2021-3156, is a years-old heap-based buffer overflow bug. Apple has now issued a patch that fixes the problem for users of the Big Sur, Catalina and Mojave versions of macOS.

Yesterday, the company released macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002. In addition to fixing two security issues relating to the Intel graphics driver in Big Sur and Catalina, the updates also fix the sudo flaw.

In a support document about the update, Apple lists the three problems the updates address:

Intel Graphics Driver

Available for: macOS Big Sur 11.2, macOS Catalina 10.15.7

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write was addressed with improved input validation.

CVE-2021-1805: ABC Research s.r.o. working with Trend Micro Zero Day Initiative

Intel Graphics Driver

Available for: macOS Big Sur 11.2, macOS Catalina 10.15.7

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with additional validation.

CVE-2021-1806: ABC Research s.r.o. working with Trend Micro Zero Day Initiative

Sudo

Available for: macOS Big Sur 11.2, macOS Catalina 10.15.7, macOS Mojave 10.14.6

Impact: A local attacker may be able to elevate their privileges

Description: This issue was addressed by updating to sudo version 1.9.5p2.

CVE-2021-3156: Qualys

All macOS users are advised to check for and install the updates as soon as possible.
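
To confirm that a Mac has picked up the fix, the installed sudo version can be compared with the 1.9.5p2 named in Apple's advisory. The script below is an added example, not part of the original article or Apple's document; its function names are illustrative and the sample `sudo -V` lines are constructed.

```shell
#!/bin/sh
# Added example: compare a sudo version with 1.9.5p2, the release Apple's
# advisory names as the fix for CVE-2021-3156. Function names are illustrative.
FIXED_VERSION="1.9.5p2"

# First line of `sudo -V` looks like "Sudo version 1.9.5p2"; print field 3.
parse_sudo_version() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "Sudo" && $2 == "version" { print $3 }'
}

# "1.9.5p2" -> "1 9 5 2"; a missing component or p-level becomes 0.
split_version() {
    plevel=0
    case $1 in *p*) plevel=${1##*p} ;; esac
    old_ifs=$IFS; IFS=.
    set -- ${1%%p*}
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0} ${plevel:-0}"
}

# Succeeds when version $1 is the same as or newer than version $2.
version_ge() {
    set -- $(split_version "$1") $(split_version "$2")
    if   [ "$1" -ne "$5" ]; then [ "$1" -gt "$5" ]
    elif [ "$2" -ne "$6" ]; then [ "$2" -gt "$6" ]
    elif [ "$3" -ne "$7" ]; then [ "$3" -gt "$7" ]
    else [ "$4" -ge "$8" ]
    fi
}

# Classify `sudo -V` output: prints "fixed", "outdated" or "unknown".
sudo_status() {
    ver=$(parse_sudo_version "$1")
    case $ver in
        ''|*[!0-9.p]*|*p*[!0-9]*) echo unknown ;;
        *) if version_ge "$ver" "$FIXED_VERSION"; then
               echo fixed
           else
               echo outdated
           fi ;;
    esac
}

# Constructed sample outputs first, then the local binary if one is installed.
for sample in "Sudo version 1.8.31" "Sudo version 1.9.5p1" "Sudo version 1.9.5p2"; do
    echo "$sample -> $(sudo_status "$sample")"
done
if command -v sudo >/dev/null 2>&1; then
    echo "local sudo -> $(sudo_status "$(sudo -V 2>/dev/null)")"
fi
```

The comparison fits macOS because the advisory states the fix was delivered by updating to sudo 1.9.5p2. Linux distributions often backport fixes without changing the upstream version string, so there the vendor's package advisory is the better reference.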

Image credit: Alberto Garcia Guillen / Shutterstock

© 1998-2021 BetaNews, Inc. All Rights Reserved.