Voyager18 (research)

Fix the Sudo Command Vulnerability, Again

Use Remedy Cloud remediation intelligence to fix the latest two sudo command vulnerabilities.

Gal Gonen | March 30, 2021

At Vulcan Cyber we are in the business of getting fix done through vulnerability remediation orchestration. We go beyond simple vulnerability scanning and prioritization to help IT security professionals quickly find and apply the best remedies for the vulnerabilities that need to be addressed in their environments. This blog post uses Remedy Cloud remediation intelligence to help IT security pros get fix done for the latest two sudo command vulnerabilities.

Vulcan Remedy Cloud is the world’s largest database of remediation intelligence and includes remedies and fixes for thousands of cyber security vulnerabilities. These fixes include patches and scripts that can be plugged into your configuration management tool of choice, mitigating actions for endpoint security, and recommended workarounds and compensating controls. Remedy Cloud is open, free, and easily searchable. 

Another sudo command vulnerability

We periodically review anonymous Remedy Cloud site analytics for the most searched, clicked, and downloaded remedies so we can share vulnerability trend insights. In this post we highlight two related sudo command vulnerabilities and their remedies that have been trending in Remedy Cloud recently: CVE-2019-14287 and CVE-2021-3156. Both are sudo vulnerabilities that allow attackers to invoke the sudo command in a way that gives them escalated privileges.

sudo commandWhen it comes to getting fix done, everybody knows time is of the essence. Read on for Remedy Cloud remedies that will save you time fixing these sudo command root exploit vulnerabilities.

What is the CVE-2019-14287 vulnerability?

First published by MITRE in the National Vulnerability Database (NVD) on October 17, 2019, this vulnerability in pre-1.8.28 versions of sudo allows an attacker with access to a Runas ALL sudoer account to invoke the sudo command with the user ID -1 or 4294967295, and lets them execute privileged system management commands as root. In this way the attacker bypasses certain policy blacklists and session PAM modules that explicitly disallow root access. For example, the vulnerability allows bypass of !root configuration and USER=logging for a sudo -u \#$((0xffffffff) command.

CVSS gives this root exploit Linux vulnerability a high severity score based on its easily accessible attack vector (network), its low attack complexity, the low privileges required, the absence of user interaction, its high impact on confidentiality, integrity, and availability. 

What is the CVE-2021-3156?

Reported by Qualys in January of this year, this vulnerability is also known as “Baron Samedit.” Like CVE-2019-14287, this is a privilege escalation vulnerability. In this case, it is due to an off-by-one error that was introduced into Sudo almost ten years ago, whereby a heap-based buffer overflow opens the door to privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character. The vulnerability can be exploited by a local user providing that the sudoers file is present.

CVSS gives this vulnerability a high severity score based on its local attack vector, low attack complexity, the absence of user interaction, and its high impact on confidentiality, integrity, and availability.

Do these sudo command vulnerabilities affect me?

According to the alert written up by Sudo, CVE-2021-3156 affects versions: 

  • 1.7.7 through 1.7.10p9
  • 1.8.2 through 1.8.31p2
  • 1.9.0 through 1.9.5p1

CVE-2019-14287 affects Sudo versions prior to 1.8.28.

Have these sudo vulnerabilities been exploited in the wild?

There are no reports of these vulnerabilities having been actively exploited in the wild. It is unlikely that CVE-2019-14287 would be actively exploited since it depends on a rather complex and unusual Sudo setup. According to Qualys, however, CVE-2021-3156 is far more dangerous because it affects all Linux+Sudo installs that include the sudoers file—which is the default setup. The vulnerability could quite easily be exploited in the second stage of a botnet brute-force attack to gain full control over a compromised server. 

How do I remediate these vulnerabilities?

In both cases Sudo was quick to issue patches that removed the vulnerability. For each vulnerability, search Remedy Cloud to find the right update for your OS and version.

Vulcan Cyber helps get fix done

You can always get additional remedies and fixes for these CVEs or others using Vulcan Remedy Cloud. Or if you are ready to start prioritizing the work of vulnerability remediation, request access to Vulcan Free or request a demo of the entire Vulcan Cyber remediation orchestration platform.

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy