This report covers a recently disclosed vulnerability in the widely used Sudo utility that went unnoticed for almost a decade. Sudo is used on Unix-like operating systems (Linux, macOS, and others) to run commands as another user, most commonly as the superuser (root). Qualys discovered a heap-based buffer overflow (CVE-2021-3156) that allows any local user, whether or not they are listed in the sudoers file, to obtain root privileges. Sudo legacy versions 1.8.2 through 1.8.31p2 and stable versions 1.9.0 through 1.9.5p1 are affected; the fix shipped in 1.9.5p2.
A heap-based overflow is a buffer overflow in which a program writes past the end of a block allocated on the heap, corrupting whatever data sits next to it. In this case the vulnerable code is in set_cmnd() in the sudoers plugin. When sudo runs a command through a shell ("sudo -s" or "sudo -i"), the front end escapes shell metacharacters in the command-line arguments, and set_cmnd() later unescapes them into a heap buffer sized from the arguments' lengths. Invoking "sudoedit -s" puts sudo into the same unescaping path without the front end having escaped the arguments, so an argument that ends in a single backslash makes the unescape loop step over the terminating NUL and keep copying the bytes that follow past the end of the buffer. A successful attack leaves the attacker with root-level privileges, from which many further attack techniques can be executed. Many proof-of-concept exploits have already been released on GitHub and other platforms, so less technically capable malicious actors can also take advantage of this vulnerability. A quick check from the Qualys advisory: as a non-root user, run "sudoedit -s /"; a vulnerable sudo responds with "sudoedit: /: not a regular file", while a patched one prints its usage message.
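The loop at the heart of the bug, modelled in C as an added example. This is not sudo's code: the argument layout, the escape helper and the byte counts are constructed for the demo, and the fixed/unfixed condition only follows the shape of the 1.9.5p2 change. It shows why an argument ending in a lone backslash makes the copy run past the allocation, why the patched condition does not, and why the same loop is safe once the front end has escaped the arguments as it does for "sudo -s":

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the unescape loop in set_cmnd() (plugins/sudoers/sudoers.c) for
 * CVE-2021-3156.  Not sudo's code: layout, sizes and helpers are constructed
 * for the demo.  Argument strings sit back to back, each NUL-terminated, as
 * the kernel lays out argv; argv[] points into the region.
 * Constructed input:  sudoedit -s '\' AAAAAAAA
 */
static const char ARGREGION[] = "\\\0AAAAAAAA";
#define ARGREGION_END (ARGREGION + sizeof ARGREGION - 1)

/* Size sudo allocates for user_args: sum of strlen(arg) + 1 per argument. */
size_t alloc_size(const char *const argv[])
{
    size_t size = 0;
    for (int i = 0; argv[i] != NULL; i++)
        size += strlen(argv[i]) + 1;
    return size;
}

/*
 * Copy loop as in sudo <= 1.9.5p1; `fixed` adds the 1.9.5p2 check that a
 * backslash which is the last byte of an argument is not skipped.  Reads are
 * bounded to `limit` and writes to `cap`, so the model itself cannot overflow;
 * it returns how many bytes the original loop would have written.
 */
size_t unescape_copy(const char *const argv[], const char *limit, int fixed,
                     char *out, size_t cap)
{
    size_t n = 0;
    const char *from;
    for (int i = 0; (from = argv[i]) != NULL; i++) {
        while (from < limit && *from != '\0') {
            if (from[0] == '\\' && (!fixed || from[1] != '\0') &&
                !isspace((unsigned char)from[1]))
                from++;  /* unfixed: lands on the terminating NUL */
            if (n < cap)
                out[n] = *from;
            n++;
            from++;      /* unfixed: now past the NUL, into the next argument */
        }
        if (n < cap)
            out[n] = ' ';
        n++;
    }
    return n;            /* the real code turns the final space into a NUL */
}

/*
 * Roughly what the front end does for "sudo -s": prefix every byte that is
 * not alphanumeric, '_', '-' or '$' with a backslash, so each backslash that
 * reaches set_cmnd() is followed by a byte.  "sudoedit -s" skipped this step
 * while still taking the unescaping path above.  Returns the escaped length.
 */
size_t escape_meta(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        if (!isalnum((unsigned char)*in) && *in != '_' && *in != '-' &&
            *in != '$') {
            if (n < cap) out[n] = '\\';
            n++;
        }
        if (n < cap) out[n] = *in;
        n++;
    }
    if (n < cap) out[n] = '\0';
    return n;
}

/* Bytes written beyond the allocation for the constructed argv. */
size_t overflow_bytes(int fixed)
{
    const char *const argv[] = { ARGREGION, ARGREGION + 2, NULL };
    char out[64];
    size_t want = alloc_size(argv);
    size_t got = unescape_copy(argv, ARGREGION_END, fixed, out, sizeof out);
    return got > want ? got - want : 0;
}

/* Same arguments after front-end escaping, run through the unfixed loop. */
size_t overflow_bytes_escaped(void)
{
    char region[32], out[64];
    size_t len = escape_meta("\\", region, sizeof region);   /* "\\\\" */
    memcpy(region + len + 1, "AAAAAAAA", 9);
    const char *const argv[] = { region, region + len + 1, NULL };
    size_t want = alloc_size(argv);
    size_t got = unescape_copy(argv, region + len + 10, 0, out, sizeof out);
    return got > want ? got - want : 0;
}

int main(void)
{
    printf("unfixed loop, raw '\\':     %zu bytes past user_args\n", overflow_bytes(0));
    printf("fixed loop, raw '\\':       %zu bytes past user_args\n", overflow_bytes(1));
    printf("unfixed loop, escaped '\\': %zu bytes past user_args\n", overflow_bytes_escaped());
    return 0;
}
```

With the constructed input the buffer is sized at 11 bytes, but the unfixed loop wants to write 19: after skipping onto the NUL of the first argument it keeps reading the second argument's bytes as though they belonged to the first, so the whole second argument is copied twice. A longer second argument (or more of them) simply grows the overflow, which is why the public exploits pass many large arguments and environment strings. The patched condition copies exactly 11 bytes, and the escaped form never leaves a backslash as the last byte of an argument, so the unfixed loop stays within bounds there too.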
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.
This informed analysis is based on the latest data available.