A decade-old flaw found in the Sudo tool could lead to root access on Unix-based systems, including macOS Big Sur and earlier versions.
In January, security researchers disclosed a new vulnerability that can affect Unix-based operating systems. The vulnerability is tracked as CVE-2021-3156, a heap-based buffer overflow in Sudo. It appears similar to a previously patched flaw, CVE-2019-18634.
The researchers at Qualys identified the flaw in Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). They say it can affect other operating systems and distributions running an affected version of Sudo. All legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 are affected.
The researchers note that an attacker needs local access to the computer to run the exploit. The flaw has existed for at least 10 years, but this is the first known documentation of it.
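A quick way for an administrator to check whether a host's Sudo falls inside the affected upstream ranges quoted above, as an added example that is not part of the article or of Qualys' advisory; it assumes `sudo --version` is on PATH and reports the upstream version on its first line:

```python
import re
import subprocess

# Affected upstream ranges for CVE-2021-3156 as stated in the article:
# legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1, both inclusive.
# Tuples are (major, minor, patch, p-level) so they compare naturally.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

# Matches "1.8.31p2", "1.9.5p1", "1.8.31" and also "1.8.31-1ubuntu1.2"
# (the distro suffix is ignored; see the note below the block).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_sudo_version(text):
    """Turn '1.8.31p2' or 'Sudo version 1.9.5p1' into a comparable tuple
    (major, minor, patch, p-level); parts that are absent count as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_affected(version_text):
    """True when the upstream version lies inside one of the affected ranges."""
    v = parse_sudo_version(version_text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def installed_sudo_version():
    """Return the first line of `sudo --version` (assumed to be on PATH)."""
    out = subprocess.run(["sudo", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()[0]


if __name__ == "__main__":
    line = installed_sudo_version()
    verdict = "inside an affected upstream range" if is_affected(line) else "outside the affected ranges"
    print(f"{line} -> {verdict}")
```

Distributions often backport the fix without changing the upstream version string, so a package that reports 1.8.31 may already be patched; confirm against the package manager's changelog or security advisory before acting on the result.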
At first, it was not clear whether the vulnerability exists in macOS, but security researcher Matthew Hickey disclosed on Wednesday that the bug can also be exploited on Macs.
CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one's privileges to 1337 uid=0. Fun for @p0sixninja pic.twitter.com/tyXFB3odxE
— Hacker Fantastic (@hackerfantastic) February 2, 2021
"To trigger it, you just have to overwrite argv[0] or create a symlink, which therefore exposes the OS to the same local root vulnerability that has plagued Linux users the last week or so," Matthew Hickey, co-founder of Hacker House told ZDNet.
Hickey's findings were confirmed by other prominent macOS security researchers. Patrick Wardle confirmed the findings to ZDNet, and vulnerability analyst Will Dormann verified the research in a tweet.
Can confirm with macOS Big Sur on both x86_64 and aarch64. pic.twitter.com/nQqQ8rskv7
— Will Dormann (@wdormann) February 2, 2021
Now that the flaw has been made known to Linux distributors, it will likely be patched soon. Apple could release a security update with the patch at any time, but users can act sooner if they feel it is necessary.
Qualys offers a paid program that explains how to patch the flaw; however, most users will not need to concern themselves.
Who's at risk, and how to protect yourself
The vulnerability exists in both older and recent macOS versions, so a significant number of Macs appear to be exploitable. However, since the vulnerability requires local access to the computer and the exact exploitation steps have not been made public, it is unlikely any regular user will be affected before a macOS update.
Hickey said he notified Apple of the security flaw earlier on Wednesday. Apple has declined to comment while it investigates the issue.
Given how long these tools have been around (40+ years in some cases), how relatively simple the code is compared to modern software, and the fact that they're used in server environments, I'm very surprised they haven't been fully security audited by now.
Isn't this like saying someone can burglarize your house once they are physically inside your house? /s
I’m very surprised that Macs would be impacted. OS-X/macOS forked off from BSD a very long time ago. This exploit must really go back into the dark ages.