A major vulnerability that affects much of the Linux ecosystem has been patched today in Sudo, an app that allows administrators to delegate limited root access to other users.
The vulnerability, which received the CVE identifier CVE-2021-3156 but is better known as “Baron Samedit,” was discovered by the security audit firm Qualys two weeks ago and was patched earlier today with the release of Sudo v1
In a simple explanation given by the Sudo team today, the Baron Samedit bug can be exploited by an attacker who has gained access to a low-privileged account to obtain root access, even if that account is not listed in /etc/sudoers, the configuration file that controls which users are allowed to run the su or sudo commands in the first place.
For the technical details behind this bug, see the Qualys report or the video below.
While two other Sudo security flaws have been revealed in the last two years, the flaw revealed today is considered the most dangerous of the three.
The two previous bugs, CVE-2019-14287 (known as the -1 UID bug) and CVE-2019-18634 (known as the pwfeedback bug), were difficult to exploit because they required complex and non-standard sudo configurations.
Things are different for the bug revealed today: Qualys said it affects all Sudo installations where the sudoers file (/etc/sudoers) is present, and that file is found on most standard Linux + Sudo installations.
Making matters worse, the bug also has a long tail. Qualys said the bug was introduced in the Sudo code back in July 2011, effectively affecting all sudo versions released in the last ten years.
The Qualys team said they were able to independently verify the vulnerability and develop several exploit variants for Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27) and Fedora 33 (Sudo 1.9.2).
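As an added defender-side check (not code from the article, from the Sudo project or from Qualys), the following POSIX shell script classifies the output of the `sudoedit -s /` probe that the Qualys advisory for CVE-2021-3156 describes: an unpatched sudo answers with an error line beginning with "sudoedit:", while a patched sudo rejects the option and prints a "usage:" message. The function names and the sample output strings are my own, constructed for the example.

```shell
#!/bin/sh
# Added example: classify the `sudoedit -s /` probe for CVE-2021-3156.
# Assumption (documented in the Qualys advisory): an unpatched sudo accepts
# the -s flag with a file argument and fails later with an error beginning
# "sudoedit:", whereas a patched sudo rejects the flag combination up front
# and prints a "usage:" line. Only the first line of stderr is inspected.

classify_sudoedit_output() {
    # $1: first line of stderr captured from `sudoedit -s /`
    case "$1" in
        sudoedit:*) echo "vulnerable" ;;
        usage:*)    echo "patched" ;;
        *)          echo "unknown" ;;
    esac
}

probe_local_sudo() {
    # Run the probe as the current unprivileged user. sudoedit writes its
    # diagnostic to stderr, so stderr is captured and stdout discarded.
    # No password is needed: both outcomes occur before any authentication.
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo "unknown"
        return 0
    fi
    first_line=$(sudoedit -s / 2>&1 >/dev/null </dev/null | head -n 1)
    classify_sudoedit_output "$first_line"
}

# Constructed sample outputs modelled on the two behaviours described above
# (the usage line is abbreviated; a real one lists every option).
SAMPLE_VULNERABLE='sudoedit: /: not a regular file'
SAMPLE_PATCHED='usage: sudoedit [options] file ...'

printf 'sample vulnerable -> %s\n' "$(classify_sudoedit_output "$SAMPLE_VULNERABLE")"
printf 'sample patched    -> %s\n' "$(classify_sudoedit_output "$SAMPLE_PATCHED")"
```

Calling `probe_local_sudo` on a host reports `vulnerable`, `patched` or `unknown` (sudoedit not installed); a `vulnerable` result means today's update has not yet been applied there.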
“Other operating systems and deployments are also likely to be exploited,” the security firm said.
All in all, the Baron Samedit vulnerability is one of the rare Sudo security flaws that can also be weaponized in the real world, unlike the two flaws revealed in previous years.
Qualys told ZDNet that if botnet operators have brute-forced their way into low-privileged service accounts, the vulnerability could be exploited in the second phase of an attack to help the intruders gain root access and full control over a hacked server.
And as ZDNet reported on Monday, these types of botnets targeting Linux systems through brute-force attacks are quite common these days.
Today’s Sudo update should be applied as soon as possible to avoid unwanted surprises from either botnet operators or malicious insiders (rogue employees).