Millions affected by 10-year old bug in a Linux utility that gives root.

Full root privileges on Ubuntu 20.04, Debian 10, and Fedora 33 demonstrated.

A critical Sudo vulnerability can be used by any local user to elevate privileges to root on Linux operating systems without user authentication -- and millions of devices are currently unpatched, security researchers warned today. The bug has been sitting in the utility unspotted for 10 years.

Researchers at security firm Qualys have developed multiple variants of the exploit and obtained full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). RHEL, Amazon Linux and other OSs are also affected and were unpatched as we published.

The company has not released exploit code, but it has published a detailed breakdown of the bug and a proof-of-concept video, so widespread abuse is unlikely to be far behind.

Updated 10:30 GMT January 27.

Ubuntu has patched. Confirming that RHEL 6, 7, and 8 are all affected (as well as OpenShift 4.4 - 4.6), Red Hat suggested that customers who cannot update immediately can apply an interim partial mitigation using systemtap. SUSE says SUSE Linux Enterprise Server 12 and SUSE Linux Enterprise Server 15 products are vulnerable and a patch is pending. AWS says its infrastructure is not affected and reminds customers that they have duties under the shared responsibility model. ("As a general security best practice, we recommend that Amazon EC2 customers running Amazon Linux update their operating systems to install the latest version of sudo.")

Sudo is a utility included in most Unix- and Linux-based operating systems that lets users run programmes with the security privileges of another user. The vulnerability, allocated CVE-2021-3156, was introduced in July 2011 (commit 8255ed69). All legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration are affected.

The company has made a dashboard available to track the vulnerability, impacted hosts, their status and overall management in real time.

Mehul Revankar, VP of engineering at the security firm, said: "This vulnerability (CVE-2021-3156/Baron Samedit) is perhaps the most significant sudo vulnerability in recent memory (both in terms of scope and impact) and has been hiding in plain sight for nearly 10 years."

He added: "Sudo is a near-ubiquitous utility in modern Unix-like operating systems and is available by default in most Linux systems. Thus, there are likely to be millions of assets susceptible to this vulnerability. Sudo has created a patch and security teams should apply patches immediately."

To test whether a system is vulnerable, log in to the system as a non-root user and run the command “sudoedit -s /”. If the system is vulnerable, it will respond with an error that starts with “sudoedit:”. If the system is patched, it will respond with an error that starts with “usage:”.
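The check above, scripted as an added example (not code from the advisory or from the sudo project): one function classifies the first line of output from “sudoedit -s /” exactly as the article describes, and a second compares a sudo version string against the affected ranges the article lists (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1). The live run at the end is only attempted when sudoedit is present and the script is not running as root.

```shell
#!/bin/sh
# Classify the first line printed by "sudoedit -s /" per the advisory:
# a "sudoedit:" prefix means unpatched, a "usage:" prefix means patched.
classify_sudoedit_output() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Turn "major.minor[.patch][pN]" into one sortable integer so that
# 1.8.31p2 sorts after 1.8.31 and before 1.8.32 (helper written for this example).
version_key() {
    ver=$1
    p=0
    case "$ver" in
        *p*) p=${ver##*p}; ver=${ver%%p*} ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0
    echo $((major * 10000000 + minor * 100000 + patch * 100 + p))
}

# Affected ranges from the article: legacy 1.8.2..1.8.31p2, stable 1.9.0..1.9.5p1.
version_affected() {
    k=$(version_key "$1")
    if [ "$k" -ge "$(version_key 1.8.2)" ] && [ "$k" -le "$(version_key 1.8.31p2)" ]; then
        echo yes
    elif [ "$k" -ge "$(version_key 1.9.0)" ] && [ "$k" -le "$(version_key 1.9.5p1)" ]; then
        echo yes
    else
        echo no
    fi
}

# Live check: the advisory's test is meant to be run as a non-root user.
if command -v sudoedit >/dev/null 2>&1 && [ "$(id -u)" -ne 0 ]; then
    first_line=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
    echo "sudoedit test: $(classify_sudoedit_output "$first_line")"
    sudo_ver=$(sudo --version 2>/dev/null | head -n 1 | sed 's/^Sudo version //')
    echo "sudo $sudo_ver in affected range: $(version_affected "$sudo_ver")"
fi
```

Distributions often backport the fix without bumping the upstream version string, so treat the sudoedit test as authoritative and the version comparison only as a triage hint.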