{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/794544#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA heap-based buffer overflow has been discovered in the `set_cmnd()` function of sudo. A local attacker can exploit it to execute commands with root privileges.\r\n\r\n### Description\r\nFrom the [Sudo Main Page](https://sudo.ws):\r\n> Sudo (su \"do\") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\r\n\r\nWhen sudo is invoked as `sudoedit -s`, the shell-mode flag is set but the command-line arguments are not escaped the way they are for `sudo -s`. `set_cmnd()` then concatenates the arguments into a heap buffer sized from their lengths while removing backslash escapes; an argument that ends in a single backslash makes the copy loop step past the terminating NUL byte and write beyond the end of that buffer. A local, non-administrative user can exploit this to gain root privileges; the user does not need to be listed in sudoers or to know a password. The [Qualys](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit) Research Team discovered this vulnerability, which is tracked as CVE-2021-3156, and confirmed that multiple \\*nix operating systems were vulnerable, including Fedora, Debian, and Ubuntu. Qualys reports that legacy sudo versions 1.8.2 through 1.8.31p2 and stable versions 1.9.0 through 1.9.5p1 are affected in their default configuration. A blog update from February 3, 2021, reports that macOS, AIX, and Solaris may be vulnerable, but Qualys had not yet confirmed this.\r\nThere is [additional reporting](https://www.zdnet.com/article/recent-root-giving-sudo-bug-also-impacts-macos/) that other operating systems are affected, including Apple’s macOS Big Sur.\r\n\r\n### Impact\r\nAn attacker with local access to an affected machine can execute commands with root privileges.\r\n\r\n### Solution\r\n**Apply an Update**\r\n\r\nUpdate sudo to the latest version to address this vulnerability when operationally feasible. This issue is resolved in sudo version 1.9.5p2. 
Install this version, or a package from your distribution that has the fix applied. Distributions commonly backport the fix without changing the upstream version string, so consult the vendor references in this note rather than relying on the reported version number alone.\r\n\r\n### Acknowledgements\r\nThis vulnerability was researched and reported by the Qualys Research Team.\r\n\r\nThis document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"A CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory, not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"},{"category":"other","text":"The Zephyr project is an embedded RTOS and, as such, does not directly have the capability to run sudo. However, there are a few instances of sudo in the project scripts and documentation.\r\n\r\n* The documentation contains numerous suggestions to run a command with sudo. Generally, these are platform package management commands used to install dependencies needed to build Zephyr. It is assumed that the developer already has the privileges necessary to run these commands, and this exploit would not gain additional privileges.\r\n* sudo is used in CI to install dependencies needed to run the tests. These operations are run in a containerized environment, and sudo is configured to run without requesting a password. 
Again, privileges are required to run the tests, and no additional privileges are gained through this exploit.","title":"Vendor statement from Zephyr Project"},{"category":"other","text":"Juniper SIRT has confirmed that Sudo is not supplied with JUNOS/FreeBSD, hence these are not affected.\r\n\r\nOn Juniper platforms which are hosted on Wind River Linux (WRL) instances, the WRL instance contains the vulnerable version of Sudo, but only within the WRL OS. To exploit this vulnerability on Wind River Linux (WRL), authenticated users with Junos shell access would first need to switch to a root account and then log in to the WRL OS. The vulnerability is contained within the WRL instance, for which the Junos user would already have root privileges.\r\n\r\nSecurity Incident Response Team\r\nJuniper Networks","title":"Vendor statement from Juniper Networks"},{"category":"other","text":"Cisco is tracking this vulnerability via incident PSIRT-0750174077.\r\n\r\nCisco has published a customer-facing advisory here:\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM\r\n\r\nIt is in interim status and is updated regularly as our investigation of the product base progresses.","title":"Vendor statement from Cisco"},{"category":"other","text":"illumos itself does not have sudo in its source. 
Illumos distros, however, do.\r\n\r\nA NOTE: base illumos has the RBAC/profile-based pfexec(1) family of commands that are an alternative to sudo.\r\n\r\nSmartOS: Use `pkgin upgrade` on any zones that have sudo installed.\r\n\r\nOmniOSce and OpenIndiana (both use the IPS package system): Use `pkg update` to obtain the latest sudo if it's installed.\r\n\r\nDilos: Fixed in update https://bitbucket.org/dilos/du2/commits/ca5129c54c84d7b2fd75d17e465e970435018f55 . A Debian-style update will install it.\r\n\r\nTribblix: If sudo is installed, `zap refresh && zap update sudo`","title":"Vendor statement from Illumos"},{"category":"other","text":"While the base FreeBSD installation does not include sudo and is therefore not directly affected by this vulnerability, the FreeBSD Project recognises that sudo is a very popular package for users to install on FreeBSD.\r\n\r\nUsers can install sudo on FreeBSD using ports or binary packages. The sudo port was updated to 1.9.5p2 on 2021-01-26 at 20:15:31 (main) and on 2021-01-26 20:40:57 (2021Q1 quarterly). Binary packages are available for all tier-1 supported platforms (amd64, i386, aarch64) and several tier-2 supported platforms.","title":"Vendor statement from FreeBSD Project"},{"category":"other","text":"SUSE has already provided fixes for the affected supported products. Users should patch their systems.\r\nSUSE Linux Enterprise Server 12 and SUSE Linux Enterprise Server 15 products are affected.\r\nSUSE Linux Enterprise Server 11 products are not affected.","title":"Vendor statement from SUSE Linux"},{"category":"other","text":"HardenedBSD's sudo port has been updated and can be used to mitigate affected systems. 
Systems that have updated their sudo port/package are no longer vulnerable.","title":"Vendor statement from HardenedBSD"},{"category":"other","text":"F5 BIG-IP and BIG-IQ products are NOT VULNERABLE to CVE-2021-3156.\r\n\r\nF5 Traffix SDC is vulnerable.\r\n\r\nPlease see [K86488846: Sudo vulnerability CVE-2021-3156](https://support.f5.com/csp/article/K86488846) for more information.","title":"Vendor statement from F5 Networks Inc."},{"category":"other","text":"SmartOS gets its sudo binary from pkgsrc(1). pkgsrc's main feed has updated sudo binaries, and one merely needs to run `pkgin upgrade` in any affected SmartOS zone to get the fixed version.","title":"Vendor statement from Joyent"},{"category":"other","text":"Android is not impacted as it does not have sudo.","title":"Vendor statement from Android Open Source Project"},{"category":"other","text":"\"Heap-based buffer overflow in sudo\" affects the Wind River Linux product.","title":"Vendor statement from Wind River"},{"category":"other","text":"Not affected.","title":"Vendor statement from Treck"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1 412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/794544"},{"url":"https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit","summary":"https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"},{"url":"https://www.zdnet.com/article/recent-root-giving-sudo-bug-also-impacts-macos/","summary":"https://www.zdnet.com/article/recent-root-giving-sudo-bug-also-impacts-macos/"},{"url":"https://twitter.com/hackerfantastic/status/1356645638151303169","summary":"https://twitter.com/hackerfantastic/status/1356645638151303169"},{"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM","summary":"Reference(s) from vendor \"Cisco\""},{"url":"https://www.suse.com/de-de/support/kb/doc/?id=000019841","summary":"Reference(s) from vendor \"SUSE Linux\""},{"url":"https://www.suse.com/security/cve/CVE-2021-3156/","summary":"Reference(s) from vendor \"SUSE Linux\""},{"url":"https://bugzilla.suse.com/show_bug.cgi?id=1181090","summary":"Reference(s) from vendor \"SUSE Linux\""},{"url":"https://github.com/HardenedBSD/hardenedbsd-ports/commits/master/security/sudo","summary":"Reference(s) from vendor \"HardenedBSD\""},{"url":"https://support.f5.com/csp/article/K86488846","summary":"Reference(s) from vendor \"F5 Networks Inc.\""},{"url":"https://www.synology.com/zh-tw/security/advisory/Synology_SA_21_02","summary":"Reference(s) from vendor \"Synology\""},{"url":"https://www.debian.org/security/2021/dsa-4839","summary":"Reference(s) from vendor \"Debian GNU/Linux\""},{"url":"https://access.redhat.com/errata/RHSA-2021:0218?language=en","summary":"Reference(s) from vendor \"Fedora Project\""},{"url":"https://access.redhat.com/errata/RHSA-2021:0219?language=en","summary":"Reference(s) from vendor \"Fedora 
Project\""},{"url":"https://access.redhat.com/errata/RHSA-2021:0220?language=en","summary":"Reference(s) from vendor \"Fedora Project\""},{"url":"https://access.redhat.com/errata/RHSA-2021:0221?language=en","summary":"Reference(s) from vendor \"Fedora Project\""},{"url":"https://access.redhat.com/errata/RHSA-2021:0222?language=en","summary":"Reference(s) from vendor \"Fedora Project\""},{"url":"https://security.gentoo.org/glsa/202101-33","summary":"Reference(s) from vendor \"Gentoo Linux\""},{"url":"https://security.netapp.com/advisory/ntap-20210128-0002/","summary":"Reference(s) from vendor \"NetApp\""},{"url":"https://www.openwall.com/lists/oss-security/2021/01/26/3","summary":"Reference(s) from vendor \"Openwall GNU/*/Linux\""},{"url":"https://ubuntu.com/security/CVE-2021-3156","summary":"Reference(s) from vendor \"Ubuntu\""},{"url":"https://www.tenable.com/plugins/nessus/145461","summary":"Reference(s) from vendor \"Oracle Corporation\""},{"url":"https://linux.oracle.com/errata/ELSA-2021-0221.html","summary":"Reference(s) from vendor \"Oracle Corporation\""},{"url":"https://linux.oracle.com/errata/ELSA-2021-0218.html","summary":"Reference(s) from vendor \"Oracle Corporation\""},{"url":"https://linux.oracle.com/errata/ELSA-2021-9019.html","summary":"Reference(s) from vendor \"Oracle Corporation\""},{"url":"https://access.redhat.com/node/5738141","summary":"Reference(s) from vendor \"Red Hat\""},{"url":"https://access.redhat.com/errata/RHSA-2021:0218?language=en","summary":"Reference(s) from vendor \"Red Hat\""},{"url":"https://access.redhat.com/errata/RHSA-2021:0219?language=en","summary":"Reference(s) from vendor \"Red Hat\""},{"url":"https://access.redhat.com/errata/RHSA-2021:0220?language=en","summary":"Reference(s) from vendor \"Red Hat\""},{"url":"https://access.redhat.com/errata/RHSA-2021:0221?language=en","summary":"Reference(s) from vendor \"Red Hat\""},{"url":"https://access.redhat.com/errata/RHSA-2021:0222?language=en","summary":"Reference(s) from 
vendor \"Red Hat\""},{"url":"https://access.redhat.com/errata/RHSA-2021:0223?language=en","summary":"Reference(s) from vendor \"Red Hat\""},{"url":"https://access.redhat.com/errata/RHSA-2021:0227?language=en","summary":"Reference(s) from vendor \"Red Hat\""}],"title":"Sudo set_cmnd() is vulnerable to heap-based buffer overflow","tracking":{"current_release_date":"2021-04-26T14:25:43+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#794544","initial_release_date":"2021-01-26 00:00:00+00:00","revision_history":[{"date":"2021-04-26T14:25:43+00:00","number":"1.20210426142543.18","summary":"Released on 2021-04-26T14:25:43+00:00"}],"status":"final","version":"1.20210426142543.18"}},"vulnerabilities":[{"title":"Sudo before 1.9.5p2 has a heap-based buffer overflow","notes":[{"category":"summary","text":"Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character."}],"cve":"CVE-2021-3156","ids":[{"system_name":"CERT/CC V Identifier 
","text":"VU#794544"}],"product_status":{"known_affected":["CSAFPID-e4fdb6ae-39db-11f1-8422-122e2785dc9f","CSAFPID-e4ff04f0-39db-11f1-8422-122e2785dc9f","CSAFPID-e4ff53d8-39db-11f1-8422-122e2785dc9f","CSAFPID-e4ffdb46-39db-11f1-8422-122e2785dc9f","CSAFPID-e50131da-39db-11f1-8422-122e2785dc9f","CSAFPID-e5018702-39db-11f1-8422-122e2785dc9f","CSAFPID-e501d694-39db-11f1-8422-122e2785dc9f","CSAFPID-e50224dc-39db-11f1-8422-122e2785dc9f","CSAFPID-e5034948-39db-11f1-8422-122e2785dc9f","CSAFPID-e5038bd8-39db-11f1-8422-122e2785dc9f","CSAFPID-e503bdb0-39db-11f1-8422-122e2785dc9f","CSAFPID-e503f712-39db-11f1-8422-122e2785dc9f","CSAFPID-e5042e80-39db-11f1-8422-122e2785dc9f","CSAFPID-e5045996-39db-11f1-8422-122e2785dc9f","CSAFPID-e5048d6c-39db-11f1-8422-122e2785dc9f","CSAFPID-e504b76a-39db-11f1-8422-122e2785dc9f","CSAFPID-e504efbe-39db-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-e4fd6ce4-39db-11f1-8422-122e2785dc9f","CSAFPID-e4fdea20-39db-11f1-8422-122e2785dc9f","CSAFPID-e4fe97a4-39db-11f1-8422-122e2785dc9f","CSAFPID-e4ff9848-39db-11f1-8422-122e2785dc9f","CSAFPID-e5001728-39db-11f1-8422-122e2785dc9f","CSAFPID-e500600c-39db-11f1-8422-122e2785dc9f","CSAFPID-e5009766-39db-11f1-8422-122e2785dc9f","CSAFPID-e500e4e6-39db-11f1-8422-122e2785dc9f","CSAFPID-e50272ac-39db-11f1-8422-122e2785dc9f","CSAFPID-e502a740-39db-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Treck","product":{"name":"Treck Products","product_id":"CSAFPID-e4fd6ce4-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Google","product":{"name":"Google Products","product_id":"CSAFPID-e4fdb6ae-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Tizen","product":{"name":"Tizen Products","product_id":"CSAFPID-e4fdea20-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Samsung Mobile","product":{"name":"Samsung Mobile Products","product_id":"CSAFPID-e4fe5c58-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"LG 
Electronics","product":{"name":"LG Electronics Products","product_id":"CSAFPID-e4fe97a4-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Juniper Networks","product":{"name":"Juniper Networks Products","product_id":"CSAFPID-e4ff04f0-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cisco","product":{"name":"Cisco Products","product_id":"CSAFPID-e4ff53d8-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-e4ff9848-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Wind River","product":{"name":"Wind River Products","product_id":"CSAFPID-e4ffdb46-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Android Open Source Project","product":{"name":"Android Open Source Project Products","product_id":"CSAFPID-e5001728-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"FreeBSD Project","product":{"name":"FreeBSD Project Products","product_id":"CSAFPID-e500600c-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Zephyr Project","product":{"name":"Zephyr Project Products","product_id":"CSAFPID-e5009766-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Illumos","product":{"name":"Illumos Products","product_id":"CSAFPID-e500e4e6-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"HardenedBSD","product":{"name":"HardenedBSD Products","product_id":"CSAFPID-e50131da-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"F5 Networks Inc.","product":{"name":"F5 Networks Inc. 
Products","product_id":"CSAFPID-e5018702-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Joyent","product":{"name":"Joyent Products","product_id":"CSAFPID-e501d694-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SUSE Linux","product":{"name":"SUSE Linux Products","product_id":"CSAFPID-e50224dc-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Green Hills Software","product":{"name":"Green Hills Software Products","product_id":"CSAFPID-e50272ac-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"eCosCentric","product":{"name":"eCosCentric Products","product_id":"CSAFPID-e502a740-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"HTC","product":{"name":"HTC Products","product_id":"CSAFPID-e5030cda-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Synology","product":{"name":"Synology Products","product_id":"CSAFPID-e5034948-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Debian GNU/Linux","product":{"name":"Debian GNU/Linux Products","product_id":"CSAFPID-e5038bd8-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fedora Project","product":{"name":"Fedora Project Products","product_id":"CSAFPID-e503bdb0-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Gentoo Linux","product":{"name":"Gentoo Linux Products","product_id":"CSAFPID-e503f712-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NetApp","product":{"name":"NetApp Products","product_id":"CSAFPID-e5042e80-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Openwall GNU/*/Linux","product":{"name":"Openwall GNU/*/Linux Products","product_id":"CSAFPID-e5045996-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Ubuntu","product":{"name":"Ubuntu Products","product_id":"CSAFPID-e5048d6c-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Oracle Corporation","product":{"name":"Oracle Corporation 
Products","product_id":"CSAFPID-e504b76a-39db-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-e504efbe-39db-11f1-8422-122e2785dc9f"}}]}}
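The trigger recorded in the vulnerability entry above (`sudoedit -s` with an argument ending in a single backslash) comes down to one unescaping loop. The following C program is an added illustration written for this note; it is not part of the CSAF record and is not sudo's own source. It models the argument-joining loop of `set_cmnd()` in its pre-1.9.5p2 form beside a hardened form and measures how far past the computed allocation each one writes. The contiguous `argv_area` string, the `ENVIRON=leaked` filler that stands in for whatever follows the argument in memory, and the `OUT_CAP` scratch arena are all constructed for the demonstration so that the overrun is observable without undefined behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Scratch output arena (constructed for the demo). set_cmnd() would malloc() exactly
 * `alloc` bytes; writing the overrun into this larger arena instead keeps the program
 * free of undefined behaviour while still measuring how far past `alloc` the loop writes. */
#define OUT_CAP 64

struct copy_stats {
    size_t alloc;    /* what set_cmnd() computes for malloc(): sum of strlen(arg)+1 */
    size_t written;  /* bytes the copy loop actually stored, terminator included */
};

static size_t args_size(char *const *av)
{
    size_t size = 0;
    for (; *av != NULL; av++)
        size += strlen(*av) + 1;
    return size;
}

/* Join the arguments into `out`, stripping the backslash escapes that parse_args()
 * normally adds in shell mode (sudoedit -s skips that escaping, so raw user input
 * reaches this loop). hardened == 0 models the pre-1.9.5p2 logic: a backslash at the
 * end of an argument is taken as an escape, the loop steps over the terminating NUL
 * and keeps copying whatever follows the string in memory. hardened == 1 only treats
 * a backslash as an escape when a character actually follows it, so `from` never
 * advances past the NUL and the copy fits the allocation. */
static struct copy_stats unescape_join(char *const *av, int hardened, char out[OUT_CAP])
{
    struct copy_stats st = { args_size(av), 0 };
    char *to = out;
    const char *from;

    for (; (from = *av) != NULL; av++) {
        while (*from != '\0') {
            if (from[0] == '\\' && !isspace((unsigned char)from[1])) {
                if (!hardened || from[1] != '\0')
                    from++;                   /* drop the backslash, keep the escaped byte */
            }
            if ((size_t)(to - out) >= OUT_CAP - 2)
                goto done;                    /* demo-only arena guard; sudo had no such check */
            *to++ = *from++;                  /* vulnerable path copies the NUL here and runs on */
        }
        *to++ = ' ';
    }
done:
    if (to > out)
        to--;                                 /* the trailing space becomes the terminator */
    *to = '\0';
    st.written = (size_t)(to - out) + 1;
    return st;
}

/* Bytes stored beyond what set_cmnd() would have allocated; 0 means no overflow. */
static size_t overflow_bytes(char *const *av, int hardened)
{
    char out[OUT_CAP];
    struct copy_stats st = unescape_join(av, hardened, out);
    return st.written > st.alloc ? st.written - st.alloc : 0;
}

/* Worked case for `sudoedit -s '\'`. The argv area is constructed: argument strings are
 * contiguous and NUL-separated, as the kernel lays them out, so the bytes after the lone
 * backslash belong to the next string (here a constructed environment-style entry). */
static size_t trailing_backslash_overflow(int hardened)
{
    static char argv_area[] = "\\" "\0" "ENVIRON=leaked";
    char *av[] = { argv_area, NULL };
    return overflow_bytes(av, hardened);
}

/* Joins a single argument and reports whether the result equals `expect` with no
 * overflow. Call with hardened == 1 or with an argument that does not end in a
 * backslash; the vulnerable loop would otherwise read past a plain string literal. */
static int joins_to(const char *arg, int hardened, const char *expect)
{
    char out[OUT_CAP];
    char *av[] = { (char *)arg, NULL };
    struct copy_stats st = unescape_join(av, hardened, out);
    return st.written <= st.alloc && strcmp(out, expect) == 0;
}

int main(void)
{
    static char argv_area[] = "\\" "\0" "ENVIRON=leaked";
    char *av[] = { argv_area, NULL };
    char out[OUT_CAP];
    struct copy_stats st = unescape_join(av, 0, out);

    printf("vulnerable: alloc=%zu written=%zu overflow=%zu bytes\n",
           st.alloc, st.written, trailing_backslash_overflow(0));
    st = unescape_join(av, 1, out);
    printf("hardened:   alloc=%zu written=%zu result=\"%s\"\n", st.alloc, st.written, out);
    return 0;
}
```

The vulnerable variant allocates 2 bytes for the lone backslash yet stores 16, because after consuming the NUL it copies the whole adjacent string; the extra bytes land beyond the heap chunk in real sudo. The hardened check, a backslash only counts as an escape when `from[1]` is a real character, is the condition missing from the original loop; the 1.9.5p2 release also stops the sudoedit path from reaching this loop with unescaped arguments, so both halves of the fix matter.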