A major vulnerability affecting much of the Linux ecosystem was patched today in Sudo, an application that allows administrators to delegate limited root access to other users.
The vulnerability, which received the CVE ID CVE-2021-3156 but is better known as “Baron Samedit,” was discovered by the security audit company Qualys two weeks ago and was patched earlier today with the release of Sudo v1
In a simple explanation provided by the Sudo team today, the Baron Samedit bug can be used by an attacker who has gained access to a low-privileged account to obtain root access, even if that account is not listed in /etc/sudoers, the configuration file that controls which users are allowed to run sudo commands in the first place.
For the technical details behind this bug, see the Qualys report or the video below.
Although two other flaws in Sudo’s security have been uncovered in the last two years, the bug disclosed today is considered the most dangerous of the three.
The two previous bugs, CVE-2019-14287 (known as the -1 UID bug) and CVE-2019-18634 (known as the pwfeedback bug), were hard to exploit because they required complex and non-standard sudo settings.
Things are different with the bug disclosed today, which Qualys said affects all Sudo installations where the sudoers file (/etc/sudoers) is present, which is the case for most default Linux installations that ship Sudo.
To make matters worse, the bug has also been around for a long time. Qualys said it was introduced into the Sudo code in July 2011, effectively affecting all versions of Sudo released in the last ten years.
The Qualys team said it was able to independently verify the vulnerability and develop multiple exploit variants for Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27) and Fedora 33 (Sudo 1.9.2).
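As an added defensive example (not from the article, Qualys or the Sudo project), the following Python helper parses the version reported by `sudo --version` and compares it, sudo's `pN` patch level included, against the first fixed release so that an inventory script can flag hosts still running an older build. The fixed version string is a placeholder to be filled in from the Sudo advisory, and the sample output is constructed.

```python
import re
import subprocess
import sys
from typing import Optional, Tuple

# Placeholder: this article does not state the fixed release number. Replace it with
# the version given in the Sudo / distribution advisory before running the check.
FIXED_VERSION = "REPLACE-WITH-FIXED-VERSION"

# Constructed sample of the first lines printed by `sudo --version`.
SAMPLE_OUTPUT = "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n"


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.8.31' into (1, 8, 31, 0) and '1.9.5p2' into (1, 9, 5, 2).

    Sudo appends an optional 'pN' patch level; a missing suffix counts as p0,
    so a plain release sorts before any of its patch-level re-releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_from_output(output: str) -> str:
    """Extract the version number from `sudo --version` output."""
    m = re.search(r"^Sudo version (\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("could not find a 'Sudo version' line in the output")
    return m.group(1)


def is_affected(installed: str, fixed: str) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def check_local_sudo(fixed: str) -> Optional[bool]:
    """Query the sudo binary on this host; None means sudo is not installed."""
    try:
        proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return is_affected(version_from_output(proc.stdout), fixed)


if __name__ == "__main__":
    # Usage: python check_sudo.py <fixed-version>; falls back to the placeholder above.
    fixed = sys.argv[1] if len(sys.argv) > 1 else FIXED_VERSION
    result = check_local_sudo(fixed)  # raises ValueError if the placeholder was not replaced
    print("sudo not installed" if result is None else ("AFFECTED" if result else "patched"))
```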
“Other operating systems and distributions are also likely to be usable,” the security company said.
Overall, the Baron Samedit vulnerability is one of the few security flaws in Sudo that can also be exploited successfully in the real world, compared with the two bugs discovered years earlier.
Qualys told ZDNet that if botnet operators brute-force low-level service accounts, the vulnerability could be exploited in the second phase of an attack to help intruders easily gain root access and full control over a hacked server.
And as ZDNet reported on Monday, these types of botnets targeting Linux systems through brute-force attacks are quite common these days.
Today’s Sudo update should be applied as soon as possible to avoid unwanted surprises from both botnet operators and malicious insiders.