Heap Buffer Overflow in Sudo (CVE-2021-3156) Enables Privilege Escalation on Linux OS

A recently-disclosed security issue in Sudo provides unauthenticated hackers with the ability to escalate their privileges to root on any Linux device. The flaw was imported back in 2011 and remained undetected for nearly a decade.

Linux Sudo Vulnerability Description

Sudo is a standard service for system administrators, which is ubiquitously applied across the majority of Unix and Linux environments. This utility ensures authority delegation so admins could provide certain users with limited root access.

The flaw (CVE-2021-3156), dubbed Baron Samedit, is a heap buffer overflow issue that exists due to improper handling of backslashes in the arguments. Specifically, the problem occurs in case Sudo executes commands in the SHELL MODE and adds -s or -i line parameters. The code misconfiguration makes utility to escape specific symbols in the command’s argument with a backslash. Then, another misconfiguration triggers improper memory handling while parsing command lines, consequently enabling the overflow of a heap-based buffer.

Security practitioners believe this flaw might be heavily exploited in the wild by botnet operators. For instance, adversaries could launch a series of brute-force attacks to gain control over low-level Sudo accounts. Further, attackers might apply the Baron Samedit flaw to obtain admin access and full control over the targeted server.

CVE-2021-3156: Detection and Mitigation

Qualys security auditing company found the flaw this year and crafted three working exploits for major Linux distributions. These exploits provide unauthenticated local users with the ability to achieve the highest rights on the targeted instances. 

Since the flaw remained undetected for a long period, most Sudo legacy versions (1.8.2 – 1.8.31p2) and all stable releases (1.9.0 – 1.9.5p1) were found impacted. Sudo developers patched the issue with 1.9.5p2 release.

To enhance cyber defense from Sudo vulnerability attacks, you might download SOC Prime’s dedicated rule pack for ArcSight:

https://tdm.socprime.com/tdm/info/URTIfNOT9GAX/9Lg2RHcBR-lx4sDxSnvb/ 

Update from 02/02/2021: SOC Prime team released fresh Sigma rules aimed at proactive detection of any exploitation attempts referred to Sudo heap buffer overflow vulnerability. You can download the detection content from our Threat Detection Marketplace platform. 

Possible Sudo Heap-Based Buffer Overflow Exploitation [sudoedit variants] (CVE-2021-3156)

Sudo Vulnerability Check Detection Patterns (CVE-202103156)

The rules have translations to the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Sumo Logic, ELK Stack, RSA NetWitness

EDR: Carbon Black

MITRE ATT&CK:

Tactics: Privilege Escalation,

Techniques: Exploitation for Privilege Escalation (T1068)

Stay tuned to the latest Threat Detection Marketplace updates, and don’t miss fresh SOC content related to this nasty vulnerability. All the new rules will be added to this post.

Get a free subscription to the Threat Detection Marketplace, a world-leading Content-as-a-Service (CaaS) platform aggregating over 90,000 Detection and Response rules for proactive cyber defense. Want to craft your own detection content? Join our Threat Bounty Program and contribute to the global threat hunting initiatives.