Sudo Vulnerability 2021: 'Baron Samedit' Bug on Linux Gives Attackers Free Root-Level Access

A major vulnerability impacting a large chunk of the Linux ecosystem has been patched today in Sudo, an app that allows admins to delegate limited root access to other users.

As reported by ZDNet, the vulnerability was discovered two weeks ago and affects a large part of the Linux ecosystem. It was fixed today with the release of Sudo v1.9.5p2; Sudo is the tool that lets Linux admins delegate limited root access to other users.


About the "Baron Samedit" Bug, a.k.a. CVE-2021-3156

The vulnerability was discovered a few weeks ago by Qualys, a security auditing firm. It received the CVE identifier CVE-2021-3156 but is more commonly referred to as "Baron Samedit".

Linux Slashdot comments that two other Sudo bugs have been discovered in the past two years. However, this recent one is considered the most dangerous.

The earlier bugs, CVE-2019-14287 (also known as the -1 UID bug) and CVE-2019-18634 (also known as the pwfeedback bug), were harmful but difficult to exploit, because they required complex, non-standard sudo configurations. The newest one, by contrast, is pretty simple to exploit.

Sudo Fixes 'Baron Samedit' Bug with the Help of Qualys Security Advisory Team

Sudo has published an explanation on its official website of what the Baron Samedit bug can do to accounts. It reportedly allows an attacker with a low-privileged account to exploit the tool in order to gain root access, even if that account is not listed in the configuration file /etc/sudoers. That file is the list of users who are permitted to use the su or sudo commands.

Sudo has now closed this hole by fixing the bug, thanks to the reports from the Qualys Security Advisory team. In a detailed description, Sudo explains how the bug is exploitable.

"When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command's arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn't expect the escape characters) if the command is being run in shell mode."

Moreover, Sudo adds that in most cases this bug is harmless. However, because of a different bug, this time in the command-line parsing code, it is possible to run sudoedit with either the -s or -i option, which sets the flag that enables shell mode.

"Because a command is not actually being run, sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable," they added.

How to Check if Your Sudo Version is Vulnerable

Thankfully, Sudo has already fixed this problem for the Linux ecosystem; the fix is in sudo 1.9.5p2. Sudo adds that users who want to check whether their version of Sudo is vulnerable can run the following command:

sudoedit -s '\' `perl -e 'print "A" x 65536'`

Ideally, you should receive a usage or error message, which indicates that your version of Sudo is not vulnerable. If the result is instead a segmentation fault, your Sudo version is indeed vulnerable.
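As an added example, not part of the article or of the Sudo project's own code, a short POSIX shell script that combines the two checks discussed above: a version comparison against the affected upstream ranges given in the Qualys advisory (assumed here to be legacy 1.8.2 to 1.8.31p2 and stable 1.9.0 to 1.9.5p1), and the sudoedit crash probe shown above, which is the check to trust because distributions often backport the fix without changing the version that sudo reports.

```shell
#!/bin/sh
# Added example, not code from the article or the Sudo project.
# Classifies a sudo version against the CVE-2021-3156 ranges listed in the
# Qualys advisory (legacy 1.8.2 to 1.8.31p2, stable 1.9.0 to 1.9.5p1), then
# optionally runs the article's sudoedit probe, which is the reliable check
# because distributions backport the fix without bumping the version string.
# Turn "MAJOR.MINOR[.PATCH][pN]" into one integer so ranges can be compared.
sudo_version_key() {
    v="$1"
    p="${v##*p}"; [ "$p" = "$v" ] && p=0        # no "pN" suffix -> 0
    base="${v%%p*}"
    maj="${base%%.*}"; rest="${base#*.}"
    min="${rest%%.*}"
    if [ "$rest" = "$min" ]; then pat=0; else pat="${rest#*.}"; fi
    echo $(( maj * 1000000 + min * 10000 + pat * 100 + p ))
}
# Exit 0 when VERSION lies in an affected upstream range, 1 otherwise.
sudo_version_affected() {
    k=$(sudo_version_key "$1")
    [ "$k" -ge "$(sudo_version_key 1.8.2)" ] &&
        [ "$k" -le "$(sudo_version_key 1.8.31p2)" ] && return 0
    [ "$k" -ge "$(sudo_version_key 1.9.0)" ] &&
        [ "$k" -le "$(sudo_version_key 1.9.5p1)" ] && return 0
    return 1
}
# Pull the version out of "sudo --version" output ("Sudo version 1.8.31p2 ...").
parse_sudo_version() {
    sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}
# The article's probe: a fixed build prints a usage or error message, a
# vulnerable build dies with a segmentation fault (signal 11, status 139).
sudo_probe_vulnerable() {
    sudoedit -s '\' "$(perl -e 'print "A" x 65536')" >/dev/null 2>&1
    [ $? -eq 139 ]
}
main() {
    ver=$(sudo --version 2>/dev/null | parse_sudo_version)
    [ -n "$ver" ] || { echo "sudo not found"; return 2; }
    if sudo_version_affected "$ver"; then echo "sudo $ver: in an affected upstream range"
    else echo "sudo $ver: outside the affected upstream ranges"; fi
    if sudo_probe_vulnerable; then echo "probe: vulnerable"; else echo "probe: not vulnerable"; fi
}
# Run the live check only when asked, so the functions can be sourced for tests.
if [ -n "${SUDO_CHECK_RUN:-}" ]; then main; fi
```

Run it with SUDO_CHECK_RUN=1 on the host to be checked; a version inside the affected range but a probe that reports "not vulnerable" is the usual sign of a distribution backport.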

Sudo's update should be applied as early as possible to prevent exploitation by attackers. For more technical information about checking your Sudo status, see the Qualys advisory.

This article is owned by Techtimes

Written by Nikki D

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.