
CERT Coordination Center

Sudo set_cmd() is vulnerable to heap-based buffer overflow

Vulnerability Note VU#794544

Original Release Date: 2021-02-04 | Last Revised: 2021-04-26

Overview

A heap-based overflow has been discovered in the set_cmd() function in sudo, which may allow a local attacker to execute commands with elevated administrator privileges.

Description

From the Sudo Main Page:

Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.

It is possible for a local non-administrative user to exploit this vulnerability to elevate their privileges so that they can execute commands with administrator privileges. The team at Qualys assigned this vulnerability CVE-2021-3156 and found multiple *nix operating systems were vulnerable, including Fedora, Debian, and Ubuntu. A blog update from February 3, 2021, reports that macOS, AIX, and Solaris may be vulnerable, but Qualys had not yet confirmed this. There is additional reporting that other operating systems are affected, including Apple's Big Sur.

Impact

If an attacker has local access to an affected machine, then it is possible for them to execute commands with administrator privileges.

Solution

Apply an Update

Update sudo to the latest version to address this vulnerability when operationally feasible. This issue is resolved in sudo version 1.9.5p2. Please install this version, or a version from your distribution that has the fix applied to it.
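The following POSIX shell script is an added example, not part of the CERT note or the sudo project. It parses the version string printed by sudo --version, compares it against the upstream fixed release 1.9.5p2 named above, and reports a verdict. The sample outputs it runs on are constructed, not captured from a real host. Note the caveat the solution text implies: a distribution may backport the fix without changing the version number, so a "below 1.9.5p2" result means "check the distribution advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example: compare the installed sudo version against the upstream
# release that fixes CVE-2021-3156 (1.9.5p2). Assumes the first line of
# `sudo --version` has the form "Sudo version X.Y.Z[pN]".

FIXED_VERSION="1.9.5p2"

# sudo_version_key VERSION -> prints "major minor patch plevel" as integers.
#   "1.9.5p2" -> "1 9 5 2"     "1.8.31" -> "1 8 31 0"
sudo_version_key() {
    v="$1"
    base="${v%%p*}"                      # portion before the 'p' suffix
    case "$v" in
        *p*) plevel="${v##*p}" ;;
        *)   plevel=0 ;;
    esac
    major="${base%%.*}"
    case "$base" in
        *.*) rest="${base#*.}" ;;
        *)   rest="" ;;
    esac
    minor="${rest%%.*}"
    case "$rest" in
        *.*) patch="${rest#*.}" ;;
        *)   patch=0 ;;
    esac
    echo "${major:-0} ${minor:-0} ${patch:-0} ${plevel:-0}"
}

# sudo_version_at_least CANDIDATE REFERENCE -> exit 0 if CANDIDATE >= REFERENCE.
sudo_version_at_least() {
    # $1-$4 become the candidate fields, $5-$8 the reference fields.
    set -- $(sudo_version_key "$1") $(sudo_version_key "$2")
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        x="${pair%%:*}"; y="${pair##*:}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0                             # all fields equal
}

# sudo_version_from_output "<text of sudo --version>" -> bare version string.
sudo_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p' \
        | head -n 1
}

# check_sudo_version VERSION -> prints a verdict; exit 0 if at or above the
# upstream fix, 1 if below, 2 if the version could not be parsed.
check_sudo_version() {
    if [ -z "$1" ]; then
        echo "could not determine sudo version"
        return 2
    fi
    if sudo_version_at_least "$1" "$FIXED_VERSION"; then
        echo "sudo $1: at or above $FIXED_VERSION (upstream fix for CVE-2021-3156)"
        return 0
    fi
    echo "sudo $1: below $FIXED_VERSION; confirm with your distribution whether the fix is backported"
    return 1
}

# Constructed sample outputs (not from a real host) showing both verdicts.
SAMPLE_OLD="Sudo version 1.8.31
Sudoers policy plugin version 1.8.31"
SAMPLE_NEW="Sudo version 1.9.5p2"

for out in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    check_sudo_version "$(sudo_version_from_output "$out")" || :
done

# On a real host, feed the live output through the same path.
if command -v sudo >/dev/null 2>&1; then
    check_sudo_version "$(sudo_version_from_output "$(sudo --version 2>/dev/null)")" || :
fi
```

The comparison is field-wise (major, minor, patch, then the "p" level), so 1.9.6 and 1.10.0 both count as at or above 1.9.5p2 while 1.9.5p1 does not. When a distribution package reports an older version, compare its changelog against the distribution's own advisory rather than trusting this version check alone.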

Acknowledgements

This vulnerability was researched and reported by the Qualys Research Team.

This document was written by Timur Snoke.

Vendor Information


Cisco Affected

Notified:  2021-02-15 Updated: 2021-02-15

Statement Date:   February 15, 2021

CVE-2021-3156 Affected

Vendor Statement

Cisco is tracking this vulnerability via incident PSIRT-0750174077.

Cisco has published a customer facing advisory here: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM

It is in interim status and gets updated regularly as our investigation of the product base progresses.

References

Debian GNU/Linux Affected

Updated: 2021-02-04

Statement Date:   January 26, 2021

CVE-2021-3156 Affected

Vendor Statement

We have not received a statement from the vendor.

References

F5 Networks Inc. Affected

Notified:  2021-02-04 Updated: 2021-02-05

Statement Date:   February 05, 2021

CVE-2021-3156 Affected

Vendor Statement

F5 BIG-IP and BIG-IQ products are NOT VULNERABLE to CVE-2021-3156.

F5 Traffix SDC is vulnerable.

Please see K86488846: Sudo vulnerability CVE-2021-3156 for more information.

References

Gentoo Linux Affected

Updated: 2021-02-04

Statement Date:   January 26, 2021

CVE-2021-3156 Affected

Vendor Statement

We have not received a statement from the vendor.

References

Google Affected

Notified:  2021-02-04 Updated: 2021-04-07

Statement Date:   April 06, 2021

CVE-2021-3156 Affected

Vendor Statement

We have not received a statement from the vendor.

HardenedBSD Affected

Notified:  2021-02-04 Updated: 2021-02-05

Statement Date:   February 04, 2021

CVE-2021-3156 Affected

Vendor Statement

HardenedBSD's sudo port has been updated and can be used to mitigate affected systems. Systems that have updated their sudo port/package are no longer vulnerable.

References

Joyent Affected

Notified:  2021-02-04 Updated: 2021-02-10

Statement Date:   February 10, 2021

CVE-2021-3156 Affected

Vendor Statement

SmartOS gets its sudo binary from pkgsrc(1). pkgsrc's main feed has updated sudo binaries, and one merely needs to run pkgin upgrade in any affected SmartOS zone to get the fixed version.

Juniper Networks Affected

Notified:  2021-02-04 Updated: 2021-03-04

Statement Date:   March 04, 2021

CVE-2021-3156 Affected

Vendor Statement

Juniper SIRT has confirmed that Sudo is not supplied with JUNOS/FreeBSD, hence these are not affected.

On Juniper platforms which are hosted on Wind River Linux (WRL) instances, the WRL instance contains the vulnerable version of Sudo, but only within the WRL OS. To exploit this vulnerability on Wind River Linux (WRL), authenticated users with Junos shell access would first need to switch to a root account and then log in to the WRL OS. The vulnerability is contained within the WRL instance, for which the Junos user would already have root privileges.

Security Incident Response Team Juniper Networks

NetApp Affected

Updated: 2021-02-04

Statement Date:   February 03, 2021

CVE-2021-3156 Affected

Vendor Statement

We have not received a statement from the vendor.

References

Openwall GNU/*/Linux Affected

Updated: 2021-02-04

Statement Date:   January 26, 2021

CVE-2021-3156 Affected

Vendor Statement

We have not received a statement from the vendor.

References

Oracle Corporation Affected

Updated: 2021-02-04

Statement Date:   January 27, 2021

CVE-2021-3156 Affected

Vendor Statement

We have not received a statement from the vendor.

References

SUSE Linux Affected

Notified:  2021-02-04 Updated: 2021-02-05

Statement Date:   February 05, 2021

CVE-2021-3156 Affected

Vendor Statement

SUSE has already provided fixes for the affected supported products. Users should patch their systems. SUSE Linux Enterprise Server 12 and SUSE Linux Enterprise Server 15 products are affected. SUSE Linux Enterprise Server 11 products are not affected.

References

Synology Affected

Notified:  2021-02-04 Updated: 2021-02-24

Statement Date:   February 23, 2021

CVE-2021-3156 Affected

Vendor Statement

We have not received a statement from the vendor.

References

Ubuntu Affected

Updated: 2021-02-04

Statement Date:   January 26, 2021

CVE-2021-3156 Affected

Vendor Statement

We have not received a statement from the vendor.

References

Wind River Affected

Notified:  2021-02-04 Updated: 2021-02-08

Statement Date:   February 08, 2021

CVE-2021-3156 Affected

Vendor Statement

"Heap-based buffer overflow in sudo" affects the Wind River Linux product.

Android Open Source Project Not Affected

Notified:  2021-02-04 Updated: 2021-02-08

Statement Date:   February 05, 2021

CVE-2021-3156 Not Affected

Vendor Statement

Android is not impacted as it does not have SUDO.

FreeBSD Project Not Affected

Notified:  2021-02-04 Updated: 2021-02-08

Statement Date:   February 08, 2021

CVE-2021-3156 Not Affected

Vendor Statement

While the base FreeBSD installation does not include sudo and is therefore not directly affected by this vulnerability, the FreeBSD Project recognises that sudo is a very popular package for users to install on FreeBSD.

Users can install sudo on FreeBSD using ports or binary packages. The sudo port was updated to 1.9.5p2 on 2021-01-26 at 20:15:31 (main) and on 2021-01-26 20:40:57 (2021Q1 quarterly). Binary packages are available for all tier-1 supported platforms (amd64, i386, aarch64) and several tier-2 supported platforms.

Green Hills Software Not Affected

Notified:  2021-02-04 Updated: 2021-02-05

Statement Date:   February 04, 2021

CVE-2021-3156 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Illumos Not Affected

Notified:  2021-02-04 Updated: 2021-02-10

Statement Date:   February 10, 2021

CVE-2021-3156 Not Affected

Vendor Statement

illumos itself does not have sudo in its source. Illumos distros, however, do.

A NOTE: base illumos has the RBAC/profile-based pfexec(1) family of commands that are an alternative for sudo.

SmartOS: Use pkgin upgrade on any zones that have sudo installed.

OmniOSce and OpenIndiana (both use the IPS package system): Use pkg update to obtain the latest sudo if it's installed.

Dilos: is fixed in update https://bitbucket.org/dilos/du2/commits/ca5129c54c84d7b2fd75d17e465e970435018f55 - a Debian-style update will install it.

Tribblix: If sudo is installed, zap refresh && zap update sudo

LG Electronics Not Affected

Notified:  2021-02-04 Updated: 2021-03-29

Statement Date:   March 26, 2021

CVE-2021-3156 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Microsoft Not Affected

Notified:  2021-02-04 Updated: 2021-02-15

Statement Date:   February 12, 2021

CVE-2021-3156 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Tizen Not Affected

Notified:  2021-02-04 Updated: 2021-04-05

Statement Date:   April 05, 2021

CVE-2021-3156 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Treck Not Affected

Notified:  2021-02-04 Updated: 2021-04-26

Statement Date:   April 25, 2021

CVE-2021-3156 Not Affected

Vendor Statement

Not affected.

Zephyr Project Not Affected

Notified:  2021-02-04 Updated: 2021-02-05

Statement Date:   February 05, 2021

CVE-2021-3156 Not Affected

Vendor Statement

The Zephyr project is an embedded RTOS, and as such, does not directly have the capability to run sudo. However, there are a few instances of sudo in the project scripts and documentation.

  • Numerous instances throughout the documentation of suggestions to run a command with sudo. Generally, these are platform package management commands, in order to install dependencies needed to build Zephyr. It is assumed that the developer already has the privileges necessary to run these commands, and this exploit would not gain additional privileges.
  • sudo is used in CI to install dependencies needed to run the tests. These operations are run in a containerized environment, and sudo is configured to run without requesting a password. Again, privileges are required to run the tests, and no additional privileges are gained through this exploit.

eCosCentric Not Affected

Notified:  2021-02-04 Updated: 2021-02-05

Statement Date:   February 05, 2021

CVE-2021-3156 Not Affected

Vendor Statement

We have not received a statement from the vendor.

ADATA Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

AirWatch Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Alpine Linux Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Altran Intelligent Systems Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Amazon Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Apple Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Arch Linux Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Arista Networks Inc. Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

BlackBerry Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Blackberry QNX Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Blunk Microsystems Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

CMX Systems Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Contiki OS Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cricket Wireless Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell EMC Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell SecureWorks Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

DesktopBSD Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

DragonFly BSD Project Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

ENEA Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Express Logic Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

FNet Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

FreeRTOS Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

HP Inc. Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

HTC Unknown

Notified:  2021-02-04 Updated: 2021-02-05

Statement Date:   February 05, 2021

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hitachi Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Huawei Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Corporation (zseries) Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Numa-Q Division (Formerly Sequent) Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

LITE-ON Technology Corporation Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Lenovo Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Lynx Software Technologies Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Marconi Inc. Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Micro Focus Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Motorola Inc. Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

NEC Corporation Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

NetBSD Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Nexenta Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Nokia Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

OpenBSD Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

OpenIndiana Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Phoenix Contact Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Roku Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Samsung Mobile Unknown

Notified:  2021-02-04 Updated: 2021-03-09

Statement Date:   March 09, 2021

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Schneider Electric Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sierra Wireless Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Slackware Linux Inc. Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

SonicWall Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sony Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

The OpenBSD project Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

TrueOS Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Turbolinux Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Unisys Corporation Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Univention Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Xiaomi Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

XigmaNAS Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

Xilinx Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.

m0n0wall Unknown

Notified:  2021-02-04 Updated: 2021-02-04

CVE-2021-3156 Unknown

Vendor Statement

We have not received a statement from the vendor.



Other Information

CVE IDs: CVE-2021-3156
Date Public: 2021-01-26
Date First Published: 2021-02-04
Date Last Updated: 2021-04-26 14:25 UTC
Document Revision: 18

Sponsored by CISA.