Bug in sudo command could grant root privileges to any user

A bug in the Unix command sudo allowed root access to an operating system without authentication. Security researchers found a buffer overflow vulnerability in the program, which has since been patched.

The bug is tracked as CVE-2021-3156. It allows an attacker with terminal access to use the sudo command to gain root privileges on a Unix machine without knowing the password. The vulnerability is in legacy sudo versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, as shipped by major Linux distros such as Ubuntu, Debian and Fedora. Sudo stands for 'superuser do' and is used to give temporary root rights to a user who wants to execute a command and is on the appropriate list.

The bug was discovered by Qualys security researchers. They were able to get root rights on Ubuntu 20.04, Debian 10 and Fedora 33. The researchers say other distros probably use the vulnerable sudo version as well.

The vulnerability is a heap-based buffer overflow. It can be triggered if the sudo command is run in shell mode with the -s or -i option. When a command is entered this way, special characters are escaped by adding a backslash. Those backslashes are then automatically removed from the command before sudo verifies the sudo policy. There is a vulnerability in the code that adds that character, which makes it possible to run commands in shell mode with the -s or -i option, the sudo team writes.

The bug has been around for a long time. It was introduced in commit 8255ed69, in July 2011. No workaround is available; distributors need to patch sudo in their operating systems themselves. The bug has been fixed in sudo 1.9.5p2. Vulnerabilities in sudo have been discovered in the past, but they were difficult to exploit in practice.
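The affected ranges and the fixed release named above, turned into a triage check over `sudo -V` output. This is an added example, not from the original article or the sudo project; host names and sample output lines are constructed. It assumes that a match on the upstream version alone is not conclusive, because a distribution can backport the fix without changing that version, so flagged hosts still need their package changelog checked.

```python
import re

# Inclusive upstream ranges named in the article, as (major, minor, micro, patch).
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),  # legacy: 1.8.2 to 1.8.31p2
    ((1, 9, 0, 0), (1, 9, 5, 1)),   # stable: 1.9.0 to 1.9.5p1
]
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Extract (major, minor, micro, patch) from text such as 'Sudo version 1.8.31p2'."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) if part else 0 for part in match.groups())


def classify(text):
    """Return 'in-affected-range', 'outside-range' or 'unknown' for one sudo -V line."""
    version = parse_sudo_version(text)
    if version is None:
        return "unknown"
    # Tuple comparison is numeric per field, so 1.8.20 sorts above 1.8.2
    # and 1.9.5p2 (the fixed release) sorts above 1.9.5p1.
    for low, high in AFFECTED_RANGES:
        if low <= version <= high:
            return "in-affected-range"
    return "outside-range"


# Constructed sample: first line of `sudo -V` per host (hypothetical host names).
INVENTORY = {
    "web-01": "Sudo version 1.8.31",
    "db-01": "Sudo version 1.9.5p1",
    "build-01": "Sudo version 1.9.5p2",
    "legacy-01": "Sudo version 1.8.1p2",
    "odd-01": "sudo: command not found",
}


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(line) for host, line in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:10} {status}")
```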
