Overview
A heap-based overflow has been discovered in the set_cmd() function in sudo, which may allow a local attacker to execute commands with elevated administrator privileges.
Description
From the Sudo Main Page:
Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.
It is possible for a local non-administrative user to exploit this vulnerability to elevate their privileges so that they can execute commands with administrator privileges. The team at Qualys assigned this vulnerability CVE-2021-3156 and found multiple *nix operating systems were vulnerable, including Fedora, Debian, and Ubuntu. A blog update from February 3, 2021, reports that macOS, AIX, and Solaris may be vulnerable, but Qualys had not yet confirmed this. There is additional reporting that other operating systems are affected, including Apple's Big Sur.
Impact
If an attacker has local access to an affected machine then it is possible for them to execute commands with administrator privileges.
Solution
Apply an Update
Update sudo to the latest version to address this vulnerability when operationally feasible. This issue is resolved in sudo version 1.9.5p2. Please install this version, or a version from your distribution that has the fix applied to it.
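Added example, not part of the CERT/CC note and not code from the sudo project: a POSIX shell check that parses the first line of `sudo --version` and compares it with 1.9.5p2, the fixed release named above. It assumes the banner format "Sudo version X.Y.Z" or "Sudo version X.Y.ZpN" and that version components compare numerically with a missing p-level counting as 0; both are assumptions of this example, not statements from the note.

```sh
#!/bin/sh
# Added example, not part of the CERT/CC note or the sudo project.
# Compares an installed sudo version against 1.9.5p2, the release the
# note names as fixed. Assumes `sudo --version` prints a first line of
# the form "Sudo version X.Y.Z" or "Sudo version X.Y.ZpN" (assumption).

FIXED_SUDO_VERSION=1.9.5p2

# Pull "1.9.5p2" out of a line such as "Sudo version 1.9.5p2".
# Prints nothing when the line does not look like a sudo banner.
sudo_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Return 0 when version $1 is greater than or equal to version $2.
# Both are split on "." and "p" into major minor patch plevel; a missing
# p-level (e.g. "1.9.6") is treated as 0, so 1.9.5 < 1.9.5p1 < 1.9.5p2.
sudo_version_ge() {
    have=$(printf '%s\n' "$1" | sed 's/[.p]/ /g')
    want=$(printf '%s\n' "$2" | sed 's/[.p]/ /g')
    set -- $have
    h1=${1:-0}; h2=${2:-0}; h3=${3:-0}; h4=${4:-0}
    set -- $want
    w1=${1:-0}; w2=${2:-0}; w3=${3:-0}; w4=${4:-0}
    for pair in "$h1 $w1" "$h2 $w2" "$h3 $w3" "$h4 $w4"; do
        set -- $pair
        if [ "$1" -gt "$2" ]; then return 0; fi
        if [ "$1" -lt "$2" ]; then return 1; fi
    done
    return 0   # all four components equal
}

# Classify one banner line: exit 0 = at or above 1.9.5p2, 1 = older than
# the upstream fix, 2 = no version could be parsed from the line.
sudo_banner_is_fixed() {
    ver=$(sudo_version_from_banner "$1")
    [ -n "$ver" ] || return 2
    sudo_version_ge "$ver" "$FIXED_SUDO_VERSION"
}

# Inspect the sudo actually installed on this host (run with --check).
check_installed_sudo() {
    banner=$(sudo --version 2>/dev/null | head -n 1)
    ver=$(sudo_version_from_banner "$banner")
    if sudo_banner_is_fixed "$banner"; then status=0; else status=$?; fi
    case $status in
        0) echo "sudo $ver: at or above $FIXED_SUDO_VERSION (upstream fix present)";;
        1) echo "sudo $ver: below $FIXED_SUDO_VERSION; confirm with your distribution whether the fix is backported";;
        *) echo "could not determine sudo version from: '$banner'";;
    esac
    return $status
}

if [ "${1:-}" = "--check" ]; then
    check_installed_sudo
fi
```

Run as `sh check_sudo.sh --check`. A result below 1.9.5p2 is not by itself proof of exposure: as the Solution says, distributions ship fixed builds under older version numbers (backports), so treat the version comparison as a prompt to consult the distribution advisory, not as a final verdict. A parse failure (exit 2) usually means sudo is absent or prints a non-standard banner.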
Acknowledgements
This vulnerability was researched and reported by the Qualys Research Team.
This document was written by Timur Snoke.
Vendor Information
Cisco Affected
Statement Date: February 15, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
Cisco is tracking this vulnerability via incident PSIRT-0750174077.
Cisco has published a customer facing advisory here: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM
It is in interim status and gets updated regularly as our investigation of the product base progresses.
Debian GNU/Linux Affected
Statement Date: January 26, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
We have not received a statement from the vendor.
F5 Networks Inc. Affected
Statement Date: February 05, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
F5 BIG-IP and BIG-IQ products are NOT VULNERABLE to CVE-2021-3156.
F5 Traffix SDC is vulnerable.
Please see K86488846: Sudo vulnerability CVE-2021-3156 for more information.
Fedora Project Affected
Statement Date: January 26, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
We have not received a statement from the vendor.
Gentoo Linux Affected
Statement Date: January 26, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
We have not received a statement from the vendor.
Google Affected
Statement Date: April 06, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
We have not received a statement from the vendor.
HardenedBSD Affected
Statement Date: February 04, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
HardenedBSD's sudo port has been updated and can be used to mitigate affected systems. Systems that have updated their sudo port/package are no longer vulnerable.
Joyent Affected
Statement Date: February 10, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
SmartOS gets its sudo binary from pkgsrc(1). pkgsrc's main feed has updated sudo binaries, and one need merely run pkgin upgrade in any affected SmartOS zone to get the fixed version.
Juniper Networks Affected
Statement Date: March 04, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
Juniper SIRT has confirmed that Sudo is not supplied with JUNOS/FreeBSD, hence these are not affected.
On Juniper platforms which are hosted on Wind River Linux (WRL) instances, the WRL instance contains the vulnerable version of Sudo, but only within the WRL OS. To exploit this vulnerability on Wind River Linux (WRL), authenticated users with Junos shell access would first need to switch to a root account and then log in to the WRL OS. The vulnerability is contained within the WRL instance for which the Junos user would already have root privileges.
Security Incident Response Team Juniper Networks
NetApp Affected
Statement Date: February 03, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
We have not received a statement from the vendor.
Openwall GNU/*/Linux Affected
Statement Date: January 26, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
We have not received a statement from the vendor.
Oracle Corporation Affected
Statement Date: January 27, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
We have not received a statement from the vendor.
Red Hat Affected
Statement Date: January 26, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
We have not received a statement from the vendor.
References
- https://access.redhat.com/node/5738141
- https://access.redhat.com/errata/RHSA-2021:0218?language=en
- https://access.redhat.com/errata/RHSA-2021:0219?language=en
- https://access.redhat.com/errata/RHSA-2021:0220?language=en
- https://access.redhat.com/errata/RHSA-2021:0221?language=en
- https://access.redhat.com/errata/RHSA-2021:0222?language=en
- https://access.redhat.com/errata/RHSA-2021:0223?language=en
- https://access.redhat.com/errata/RHSA-2021:0227?language=en
SUSE Linux Affected
Statement Date: February 05, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
SUSE has already provided fixes for the affected supported products. Users should patch their systems. SUSE Linux Enterprise Server 12 and SUSE Linux Enterprise Server 15 products are affected. SUSE Linux Enterprise Server 11 products are not affected.
Synology Affected
Statement Date: February 23, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
We have not received a statement from the vendor.
Ubuntu Affected
Statement Date: January 26, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
We have not received a statement from the vendor.
Wind River Affected
Statement Date: February 08, 2021
| CVE-2021-3156 | Affected |
Vendor Statement
"Heap-based buffer overflow in sudo" affects the Wind River Linux product.
Android Open Source Project Not Affected
Statement Date: February 05, 2021
| CVE-2021-3156 | Not Affected |
Vendor Statement
Android is not impacted as it does not have SUDO.
FreeBSD Project Not Affected
Statement Date: February 08, 2021
| CVE-2021-3156 | Not Affected |
Vendor Statement
While the base FreeBSD installation does not include sudo and is therefore not directly affected by this vulnerability, the FreeBSD Project recognises that sudo is a very popular package for users to install on FreeBSD.
Users can install sudo on FreeBSD using ports or binary packages. The sudo port was updated to 1.9.5p2 on 2021-01-26 at 20:15:31 (main) and on 2021-01-26 20:40:57 (2021Q1 quarterly). Binary packages are available for all tier-1 supported platforms (amd64, i386, aarch64) and several tier-2 supported platforms.
Green Hills Software Not Affected
Statement Date: February 04, 2021
| CVE-2021-3156 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Illumos Not Affected
Statement Date: February 10, 2021
| CVE-2021-3156 | Not Affected |
Vendor Statement
illumos itself does not have sudo in its source. Illumos distros, however, do.
A NOTE: base illumos has the RBAC/profile-based pfexec(1) family of commands that are an alternative for sudo.
SmartOS: Use pkgin upgrade on any zones that have sudo installed.
OmniOSce and OpenIndiana (both use the IPS package system): Use pkg update to obtain the latest sudo if it's installed.
Dilos: Is fixed in update https://bitbucket.org/dilos/du2/commits/ca5129c54c84d7b2fd75d17e465e970435018f55 - a Debian-style update will install it.
Tribblix: If sudo is installed, zap refresh && zap update sudo
LG Electronics Not Affected
Statement Date: March 26, 2021
| CVE-2021-3156 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Microsoft Not Affected
Statement Date: February 12, 2021
| CVE-2021-3156 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Tizen Not Affected
Statement Date: April 05, 2021
| CVE-2021-3156 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Treck Not Affected
Statement Date: April 25, 2021
| CVE-2021-3156 | Not Affected |
Vendor Statement
Not affected.
Zephyr Project Not Affected
Statement Date: February 05, 2021
| CVE-2021-3156 | Not Affected |
Vendor Statement
The Zephyr project is an embedded RTOS, and as such, does not directly have the capability to run sudo. However, there are a few instances of sudo in the project scripts and documentation.
- Numerous instances throughout the documentation of suggestions to run a command with sudo. Generally, these are platform package management commands, in order to install dependencies needed to build Zephyr. It is assumed that the developer already has the privileges necessary to run these commands, and this exploit would not gain additional privileges.
- sudo is used in CI to install dependencies needed to run the tests. These operations are run in a containerized environment, and sudo is configured to run without requesting a password. Again, privileges are required to run the tests, and no additional privileges are gained through this exploit.
eCosCentric Not Affected
Statement Date: February 05, 2021
| CVE-2021-3156 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
ADATA Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
AirWatch Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Alpine Linux Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Altran Intelligent Systems Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Amazon Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Apple Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Arch Linux Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Arista Networks Inc. Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
BlackBerry Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Blackberry QNX Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Blunk Microsystems Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
CMX Systems Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Contiki OS Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Cricket Wireless Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Dell Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Dell EMC Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Dell SecureWorks Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
DesktopBSD Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
DragonFly BSD Project Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
ENEA Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Express Logic Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
FNet Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
FreeRTOS Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
HP Inc. Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
HTC Unknown
Statement Date: February 05, 2021
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Hewlett Packard Enterprise Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Hitachi Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Huawei Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IBM Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IBM Corporation (zseries) Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IBM Numa-Q Division (Formerly Sequent) Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
LITE-ON Technology Corporation Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Lenovo Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Lynx Software Technologies Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Marconi Inc. Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Micro Focus Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Motorola Inc. Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NEC Corporation Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NetBSD Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Nexenta Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Nokia Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
OpenBSD Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
OpenIndiana Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Phoenix Contact Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Roku Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Samsung Mobile Unknown
Statement Date: March 09, 2021
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Schneider Electric Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Sierra Wireless Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Slackware Linux Inc. Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
SonicWall Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Sony Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
The OpenBSD project Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
TrueOS Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Turbolinux Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Unisys Corporation Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Univention Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Xiaomi Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
XigmaNAS Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Xilinx Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
m0n0wall Unknown
| CVE-2021-3156 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Other Information
| CVE IDs: | CVE-2021-3156 |
| Date Public: | 2021-01-26 |
| Date First Published: | 2021-02-04 |
| Date Last Updated: | 2021-04-26 14:25 UTC |
| Document Revision: | 18 |