10-year old security vulnerability in sudo fixed (CVE-2021-3156)

Tags: Security

Discussion Overview

The discussion centers around the recently discovered CVE-2021-3156 vulnerability in the sudo command, which allows privilege escalation to root via a specific command-line argument. Participants explore the implications of this vulnerability across different operating systems, including Linux and macOS, and discuss the necessity of updates and the nature of user privileges in Windows Subsystem for Linux (WSL).

Discussion Character

  • Technical explanation
  • Debate/contested
  • Exploratory

Main Points Raised

  • Some participants describe the vulnerability as a heap-based buffer overflow that can be exploited through the sudoedit command.
  • Others mention that the vulnerability affects WSL on Windows, raising concerns about user privileges in that environment.
  • A participant references historical vulnerabilities, suggesting parallels with past security issues, including those described in "The Cuckoo's Egg."
  • There is a claim that the vulnerability does not pose a material threat to personal Linux users due to the difficulty of accessing a normal user session for exploitation.
  • Some participants debate whether WSL sessions run with sudo privileges by default, with conflicting views on the nature of user accounts in WSL.
  • A later reply points out that the vulnerability also affects macOS, suggesting it was likely inevitable given the nature of the bug.
  • One participant expresses skepticism about the level of concern surrounding the vulnerability, arguing that it may distract from more pressing security threats.

Areas of Agreement / Disagreement

Participants express differing views on the implications and severity of the vulnerability, particularly regarding its impact on personal users versus IT departments. There is no consensus on whether WSL runs with sudo privileges by default, and the discussion remains unresolved on this point.

Contextual Notes

Some statements rely on assumptions about user privileges in WSL and the nature of the vulnerability's threat level, which may vary based on specific configurations and user practices.

Wrichik Basu
TL;DR
There was a serious vulnerability in the Linux sudo command which, if exploited, allowed any user to gain root privileges on any machine.
There was a heap-based buffer overflow, allowing privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character.

The vulnerability was discovered earlier this month by researchers at Qualys and reported to the developers. Check out their blog for details. The blog post also has a video demonstrating the vulnerability:

According to this website, you can check whether your system is vulnerable in the following way:
Another way to determine if your systems are vulnerable is to run a command such as sudoedit -s /. If the command returns a usage statement, your system is OK. If it returns an error starting with sudoedit, you need the patch.
In Ubuntu, the patched sudo version depends on the version of the OS you are running. See this page for details.

Make sure you update your computer(s) if you are running Linux!
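As an added example (this is not part of the original post, nor code from Qualys or the sudo project), here is a small POSIX shell script that automates the check quoted above: it runs sudoedit -s / and classifies the first line of output. The function names are my own, the sample output lines in the comments are constructed to match the behaviour the quoted check describes, and the local run is opt-in via a --run argument so the classifier can also be exercised on canned strings.

```shell
#!/bin/sh
# Added example: automates the "sudoedit -s /" check for CVE-2021-3156
# quoted in the post. Function names are the example author's own.

# Classify the first line that `sudoedit -s /` prints (constructed samples):
#   "usage: sudoedit ..."                  -> -s is rejected in edit mode: patched
#   "sudoedit: /: not a regular file"      -> -s was accepted: vulnerable
#   anything else (e.g. command not found) -> unknown, inspect by hand
classify_sudoedit_output() {
  case "$1" in
    usage:*)    echo "patched" ;;
    sudoedit:*) echo "vulnerable" ;;
    *)          echo "unknown" ;;
  esac
}

# Run the check on this machine as an ordinary user. sudoedit writes its
# messages to stderr, hence 2>&1. "/" is a directory, so nothing is ever
# opened for editing and no privileged action is attempted.
check_local_sudo() {
  if ! command -v sudoedit >/dev/null 2>&1; then
    echo "unknown"
    return 0
  fi
  first_line=$(sudoedit -s / 2>&1 | head -n 1)
  classify_sudoedit_output "$first_line"
}

# Opt-in, so the file can be sourced for its functions without side effects.
if [ "${1:-}" = "--run" ]; then
  printf 'sudoedit binary: %s\n' "$(command -v sudoedit || echo 'not found')"
  printf 'CVE-2021-3156 status: %s\n' "$(check_local_sudo)"
fi
```

Run it as `sh check_sudo.sh --run` from a normal (non-root) shell. Prefer this behavioural check over reading `sudo --version`: as the post notes for Ubuntu, the patched package version depends on the OS release, and distributions backport the fix without bumping the upstream version string, so a version number alone does not tell you whether the binary is patched.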
 
This applies to WSL on Windows too! Yikes!

Jedi

-----------------------------------------

The real classic vulnerability was described in the Cuckoo's Egg book by Cliff Stoll where the hacker used a trick of editing a file remotely, disconnecting, and signing back on again.

https://en.wikipedia.org/wiki/The_Cuckoo's_Egg_(book)

and the spy

https://en.wikipedia.org/wiki/Markus_Hess

The trick was that, prior to that action, he had created a script file called bin and had replaced the / character in an environment parameter with a space character.

When the VI editor went to save the file during the disconnect it would use superuser mode to save it with permissions for the specific user acct that was editing it and send an email to that user indicating where the file could be found in the /tmp directory.

Vi would call "/bin/mail" but the environment change meant it called "bin mail" and so whatever commands he placed in the bin command would be executed in superuser mode and so he created his own superuser acct via that route.

-------------------

Another classic vulnerability was when Unix allowed admins to send its source code which it would compile and save in the /bin or /usr/bin directories.

You can imagine the fun hackers had with this feature. I think the Morris worm used it way back when.

https://en.wikipedia.org/wiki/Morris_worm
 
Wrichik Basu said:
Summary:: There was a serious vulnerability in Linux sudo command which, if exploited, allowed any user to gain root privileges on any machine.

...

Make sure you update your computer(s) if you are running Linux!
Well yes, you should always keep your OS up to date, but this vulnerability is not a material threat to anyone using Linux on their personal computer because there is no way an attacker can access a normal user session in order to be able to escalate it using the vulnerable sudoedit.

jedishrfu said:
This applies to WSL on Windows too! Yikes!
Doesn't every WSL session run with sudo privileges anyway?
 
No, Ubuntu WSL does not run with sudo privileges by default - 16.04 Ubuntu, Windows 10 build 19041 on my box. The bug is not invoked with the 'sudoedit -s /' command. From what was said it appears that WSL must have been patched to fix the bug. Never tried that command until now.
 
jim mcnamara said:
No, Ubuntu WSL does not run with sudo privileges by default - 16.04 Ubuntu, Windows 10 build 19041 on my box.

Really? How do you do anything with it then? From https://docs.microsoft.com/en-us/windows/wsl/user-support:
Once you have enabled WSL and installed a Linux distribution from the Microsoft Store, the first step you will be asked to complete when opening your newly installed Linux distribution is to create an account, including a User Name and Password.
  • This User Name and Password is specific to each separate Linux distribution that you install and has no bearing on your Windows user name.
  • Once you create a User Name and Password, the account will be your default user for the distribution and automatically sign-in on launch.
  • This account will be considered the Linux administrator, with the ability to run sudo (Super User Do) administrative commands.

jim mcnamara said:
From what was said it appears that WSL must have been patched to fix the bug.
Isn't the bug in the Linux distro itself rather than WSL, so it will have been fixed if you have done sudo apt update, or maybe unattended-upgrades is enabled by default?
 
Updates are enabled, yes. And if sudo privs were obtained via sudo "at login" or instantiation of the WSL object then
Code:
su root  #or another name
would not cause a sudo prompt. Try it. Are we talking past each other? Or do I fail to understand some basic tenet of sudo? Too much HP-UX...
 
jim mcnamara said:
Are we talking past each other?
Yes, I think we must be :)
 
jedishrfu said:
It's difficult to see that as a 'twist', it was pretty much inevitable (unless Apple had found the bug sometime in the last 10 years since it was introduced, forked sudo, patched the code to fix the bug and not told anyone about it: this would be antisocial behavior even for Apple).

But it is still only something for IT departments to worry about, the 'OMG' reactions here are the result of a cognitive bias* that is out of place in a forum with a scientific basis. There are plenty of real threats to individuals' data security to worry about (for example phishing and social engineering); inflating concern about a non-material threat is only good for increasing clicks on media sites and diverting attention away from malicious activity.

* I can't remember the term for this specific bias (exaggerating the importance of threats that have a complicated technical aspect) - perhaps it is just 'fear of the unknown'.
 
