Overview of TIR-20210131

This report concerns a recently disclosed vulnerability in the widely used Sudo utility that had gone unnoticed for almost a decade. Sudo is used on Unix-based operating systems (Linux, macOS and others) to run commands as another user, most commonly as the superuser (root). Qualys discovered a heap-based buffer overflow (CVE-2021-3156) that allows any local user to gain these privileges.

CVE-2021-3156 Tactics, Techniques, and Procedures

A heap-based overflow is a buffer overflow in which data is written past the end of a buffer allocated on the heap. For this vulnerability, the flawed code lies within set_cmnd(). Invoking Sudo as “sudoedit -s” bypasses the check that is meant to reject unescaped special characters in command-line arguments, which lets a local user trigger the overflow. A successful attack grants the user root-level privileges, from which many other attack techniques can follow. Proof-of-concept exploits have already been released on GitHub and other platforms, so less technical malicious actors may also take advantage of this vulnerability.

Affected Versions:

  • 1.8.2 to 1.8.31p2
  • 1.9.0 to 1.9.5p1

Business Unit Impact

  • Successful exploitation gives an attacker root-level access to any Unix-based system running an affected Sudo version.
  • May allow malicious actors to compromise user credentials and sensitive data on the affected system.

Recommendations

  • We recommend identifying vulnerable versions of Sudo in your environment through vulnerability scanning or an asset/software inventory.
    • Qualys has released QIDs to scan assets for this vulnerability (link in sources).
  • Apply available patches as soon as possible, through package managers or the link below, to remove this attack vector.
  • Monitor EDR, SIEM and other applicable telemetry for execution of the sudoedit command, particularly with the -s option.
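As an added example (not from the report, from Qualys, or from the Sudo project), the following Python script parses `sudo --version` banners collected from an inventory and flags hosts whose version falls inside the affected ranges listed above; the host names and banners are constructed sample data.

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated in the report (both ends inclusive).
AFFECTED_RANGES = [
    ("1.8.2", "1.8.31p2"),
    ("1.9.0", "1.9.5p1"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Sudo version string such as '1.8.31p2' into a comparable tuple.
    A missing patch level ('p' suffix) counts as 0, so 1.9.5 sorts before 1.9.5p1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sudo version: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))

def is_affected(version: str) -> bool:
    """True when the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

def version_from_banner(banner: str) -> Optional[str]:
    """Extract the version from the first line of `sudo --version` output,
    e.g. 'Sudo version 1.8.31p2'. Returns None if no version is found."""
    m = re.search(r"Sudo version (\S+)", banner)
    return m.group(1) if m else None

# Constructed sample inventory: host -> first line of `sudo --version`.
SAMPLE_INVENTORY = {
    "web01": "Sudo version 1.8.31p2",
    "db01": "Sudo version 1.9.5p2",
    "build01": "Sudo version 1.8.21p2",
    "legacy01": "Sudo version 1.7.10p9",
    "bastion": "Sudo version 1.9.0",
}

def triage(inventory):
    """Return (host, version) pairs whose Sudo falls inside an affected range."""
    vulnerable = []
    for host, banner in inventory.items():
        ver = version_from_banner(banner)
        if ver is not None and is_affected(ver):
            vulnerable.append((host, ver))
    return sorted(vulnerable)
```

Distributions that backport security fixes keep the upstream version number, so treat a match as a prompt to check the package changelog rather than a final verdict.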

Sources

Supporting Documentation

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.

This informed analysis is based on the latest data available.
