Overview of TIR-20210131
This report covers a recently discovered vulnerability in the widely used Sudo utility; the flaw has been present in the code for almost a decade. Sudo is used on Unix-based operating systems (Linux, macOS, and others) to run commands as another user, most commonly as the superuser/root user. Qualys discovered a heap-based buffer overflow vulnerability (CVE-2021-3156) that allows any unprivileged local user to gain these root privileges.
CVE-2021-3156 Tactics, Techniques, and Procedures
A heap-based overflow is a type of buffer overflow in which data is written past the end of a buffer allocated on the heap. For this vulnerability, the vulnerable code lies within “set_cmnd().” Attackers can reach this code through the “sudoedit -s” command, which bypasses the protections meant to prevent illegal escape characters in the command line and triggers the overflow. A successful attack gives the user root-level privileges, enabling many further attack techniques. Multiple proof-of-concept exploits have already been released on GitHub and other platforms, so less technical malicious actors may also take advantage of this vulnerability.
Affected Versions:
- 1.8.2 to 1.8.31p2
- 1.9.0 to 1.9.5p1
Business Unit Impact
- This can lead to unauthorized root-level access on any affected Unix-based system.
- It may allow malicious actors to compromise user credentials and sensitive data on a compromised host.
Recommendations
- We recommend identifying vulnerable versions of Sudo in your environment through vulnerability scanning or your asset/software inventory.
- Qualys has released QIDs to scan assets for this vulnerability (link in sources).
- Apply available patches as soon as possible, through your package manager or the below link, to remove this attack vector.
- Monitor EDR, SIEM, and other applicable telemetry for execution of the sudoedit command, particularly with the -s (shell) option described above.
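The following is an added example (not part of the original report) that implements the first and last recommendations: it parses `sudo -V` output against the affected ranges listed above and flags sudoedit executions in process-execution records. The record format and the sample events are constructed assumptions for illustration.

```python
import re

# Affected Sudo versions as listed in this report (inclusive ranges).
# Version tuples are (major, minor, patch, p-level); "1.8.31p2" -> (1, 8, 31, 2).
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Return (major, minor, patch, p) from a version string or full `sudo -V` output."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Sudo version found in: %r" % text)
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected(text):
    """True if the version found in `text` falls inside an affected range."""
    v = parse_sudo_version(text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


# Hypothetical process-execution records (constructed for this example, not real data),
# in the shape an EDR export might use: "host user command-line".
SAMPLE_EVENTS = [
    "web01 alice /usr/bin/sudo -u root systemctl restart nginx",
    "web01 bob /usr/bin/sudoedit /etc/hosts",
    "db02 mallory /usr/bin/sudoedit -s /etc/motd",
    "db02 carol /usr/bin/vim notes.txt",
]


def suspicious_sudoedit_events(events):
    """Return (host, user, severity) for each sudoedit execution; '-s' is rated high."""
    hits = []
    for line in events:
        host, user, cmd = line.split(" ", 2)
        argv = cmd.split()
        if argv[0].endswith("sudoedit"):
            severity = "high" if "-s" in argv[1:] else "review"
            hits.append((host, user, severity))
    return hits
```

Feed `is_affected` the output of `sudo -V` from each host in your inventory; the version check alone will not tell you whether a distribution backported the fix, so confirm against your vendor's advisory where a patched package keeps an affected version number.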
Sources
Supporting Documentation
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.
This informed analysis is based on the latest data available.