Researchers: Beware of 10-Year-Old Linux Vulnerability

Qualys Says Flaw in Sudo Utility Could Grant Attackers Root Access
A recently discovered 10-year-old bug, if exploited, could give hackers root access to vulnerable Linux and Unix operating systems, the security firm Qualys says. Security experts are urging users to immediately implement a patch to mitigate the risk.

The vulnerability, called "Baron Samedit" by the researchers and officially tracked as CVE-2021-3156, is a heap-based buffer overflow in the Sudo utility, which is found in most Unix and Linux operating systems.

Sudo is a utility included in open-source operating systems that enables users to run programs with the security privileges of another user, which would then give them administrative, or superuser, privileges.

The bug, which appears to have been added into the Sudo source code in July 2011, was not detected until earlier this month, Qualys says.

"Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploits and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are also likely to be exploitable," the researchers say.

After Qualys notified the authors of Sudo, a patch was included in version 1.5.5p2, published this week.

Qualys and the Sudo authors are urging Linux and Unix users to immediately patch systems. Rob Joyce, who was recently named director of the National Security Agency's Cybersecurity Directorate, also flagged the alert on Twitter.

How the Bug Works

The Baron Samedit bug could be exploited by a local user even if that user isn’t listed in the sudoers file. Also, user authentication is not required to exploit the flaw, according to the notification from the Sudo authors.

The overflow happens when the out-of-bounds characters are copied to the "user args" buffer file, according to Qualys.

"Because a command is not actually being run, sudo does not escape special characters," according to the Sudo advisory. "Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable."
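The inconsistency described in the advisory can be shown with a small bounds-checked C model, run on a constructed argument that ends in a single backslash. This is an added example, not code from Sudo, Qualys or this article; the flag names, function names, simplified escaping rule and sample argument are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { MODE_RUN = 1, MODE_SHELL = 2 };  /* hypothetical flag names for this model */
/* Escaping needs RUN and SHELL; the flawed unescape decision checks SHELL alone. */
int escapes_args(int mode) { return (mode & MODE_RUN) && (mode & MODE_SHELL); }
int unescapes_flawed(int mode) { return (mode & MODE_SHELL) != 0; }

/* Simplified escaping (assumption): backslash before each non-alphanumeric byte. */
long escape_arg(const char *src, char *dst, size_t cap) {
    size_t o = 0;
    for (; *src && o + 2 < cap; src++) {
        if (!isalnum((unsigned char)*src)) dst[o++] = '\\';
        dst[o++] = *src;
    }
    if (*src || cap == 0) return -2;        /* destination too small */
    dst[o] = '\0';
    return (long)o;
}

/* Bounds-checked unescape copy: bytes written, or -1 where an unchecked loop would overrun src. */
long unescape_arg(const char *src, char *dst, size_t cap) {
    size_t n = strlen(src), i = 0, o = 0;
    while (i < n && o + 1 < cap) {
        if (src[i] == '\\' && !isspace((unsigned char)src[i + 1])) i++;
        if (i >= n) return -1;              /* escape character was the last byte */
        dst[o++] = src[i++];
    }
    if (i < n || cap == 0) return -2;       /* destination too small */
    dst[o] = '\0';
    return (long)o;
}

/* One argument through the model; fixed != 0 ties unescaping to escaping. */
long handle_arg(int mode, const char *arg, int fixed, char *out, size_t cap) {
    char staged[128];
    if (escapes_args(mode) && escape_arg(arg, staged, sizeof staged) < 0) return -2;
    if (escapes_args(mode)) arg = staged;
    if (fixed ? escapes_args(mode) : unescapes_flawed(mode)) return unescape_arg(arg, out, cap);
    int w = snprintf(out, cap, "%s", arg);  /* no unescaping: verbatim copy */
    return (w >= 0 && (size_t)w < cap) ? w : -2;
}

int main(void) {
    char out[64];
    for (int fixed = 0; fixed <= 1; fixed++)  /* constructed input ends in one backslash */
        printf("fixed=%d -> %ld\n", fixed, handle_arg(MODE_SHELL, "report\\", fixed, out, sizeof out));
    return 0;
}
```

A result of -1 marks the point where an unchecked copy would run past the end of the argument. When the unescape decision is tied to the escaping decision, the same input is copied verbatim.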

The Qualys researchers created a video showing three proof-of-concept attacks that could be used to exploit the vulnerability. The researchers did not say if any attacks had been spotted in the wild.

Roy Horev, co-founder and CTO at security firm Vulcan Cyber, says the good news about the vulnerability is that it requires a local user to start the attack. If that is successful, however, the damage to an open-source system could be extensive.

"The bad news is that the 'user to root' escalation with such ease, inside a security-oriented mechanism, is scary," Horev says. "The root is the superuser in Linux. Every user wants to escalate itself to root. In this scenario, it's very easy to make a transition that should be 100% impossible."

Targeting Linux

Other researchers have also found vulnerabilities that could affect Linux systems. Earlier this month, Intezer Labs discovered a remote access Trojan, dubbed ElectroRAT, that has been stealing cryptocurrency from digital wallets over the past year and has the ability to target multiple operating systems, including Linux (see: ElectroRAT Malware Targets Cryptocurrency Wallets).

Also, researchers at Check Point Research are tracking a new botnet called "FreakOut" that is targeting vulnerable Linux systems (see: 'FreakOut' Botnet Targets Unpatched Linux Systems).

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
