
Heap-Based Buffer Overflow Vulnerability Discovered in Sudo (TIR-20210131)


Overview of TIR-20210131

This report concerns a recently discovered vulnerability in the widely used Sudo utility that has existed for almost a decade. Sudo is used on Unix-based operating systems (Linux, macOS, and others) to run commands as another user, most commonly as the superuser/root user. Qualys discovered a heap-based buffer overflow vulnerability (CVE-2021-3156) that allows any user to gain root privileges.

CVE-2021-3156 Tactics, Techniques, and Procedures

A heap-based overflow is a buffer overflow that overwrites memory in the heap. For this vulnerability, the vulnerable code lies within “set_cmnd().” Attackers may reach this code through the “sudoedit -s” command, which bypasses the protections against illegal escape characters and triggers the overflow. Once the attack succeeds, the user has gained root-level privileges, enabling many further attack techniques. Multiple proof-of-concept exploits have already been released on GitHub and other platforms, so less technical malicious actors may also take advantage of this vulnerability.

Affected Versions:

  • 1.8.2 to 1.8.31p2
  • 1.9.0 to 1.9.5p1

Business Unit Impact

  • Leads to unauthorized root access on affected Unix-based systems.
  • May allow malicious actors to compromise user credentials and sensitive data.

Recommendations

  • We recommend identifying vulnerable versions of Sudo in your environment through vulnerability scanning or asset/software inventory.
    • Qualys has released QIDs to scan assets for this vulnerability (link in Sources).
  • Apply available patches as soon as possible to remove this attack vector, either through package managers or via the link in Sources.
  • Monitor EDR, SIEM, and other applicable telemetry for execution of the sudoedit command.
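As an added example (not part of the Avertium report), the following Python check maps a `sudo -V` banner to the affected version ranges listed above. It assumes the upstream version string format (“Sudo version 1.8.31p2”); distribution packages often backport the fix without changing the upstream version, so confirm the result against your package manager.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, p-level)

# Upstream sudo version ranges listed in the report, inclusive on both ends.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # 1.8.2  .. 1.8.31p2
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # 1.9.0  .. 1.9.5p1
]

# Matches "1.8.31p2", "1.9.5p1", "1.8.2" (patch and p-level optional).
_VERSION_RE = r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?"


def parse_sudo_version(text: str) -> Optional[Version]:
    """Parse the first line of `sudo -V` into a comparable tuple.
    A missing patch number or p-level is treated as 0."""
    m = re.search(r"Sudo version\s+" + _VERSION_RE, text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_affected(version: Version) -> bool:
    """True if the upstream version falls inside one of the listed ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def check_local_sudo() -> Optional[bool]:
    """Run `sudo -V` on this host; None if sudo is missing or unparsable."""
    try:
        out = subprocess.run(["sudo", "-V"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    version = parse_sudo_version(out)
    return None if version is None else is_affected(version)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = ["Sudo version 1.8.31p2", "Sudo version 1.9.5p2",
               "Sudo version 1.8.1", "Sudo version 1.9.0"]
    for banner in samples:
        verdict = "affected" if is_affected(parse_sudo_version(banner)) else "not affected"
        print(f"{banner}: {verdict}")
```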

Sources

Supporting Documentation

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.
