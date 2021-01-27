



A major vulnerability affecting most of the Linux ecosystem was patched today in Sudo, an application that allows administrators to delegate limited root access to other users.

The vulnerability, which has been assigned the identifier CVE-2021-3156 and is more commonly known as “Baron Samedit”, was discovered two weeks ago by security audit firm Qualys and was patched earlier today with the release of Sudo v1.9.5p2.

According to a brief description published by the Sudo team today, the Baron Samedit bug allows an attacker who has gained access to a low-privileged account to obtain root access, even if that account is not listed in the /etc/sudoers configuration file, which controls which users are allowed to run the su or sudo commands in the first place.

See the Qualys researcher’s video below for the technical details behind this bug.

Two other Sudo security flaws have been disclosed in the last two years, but the bug disclosed today is considered the most dangerous of the three.

The two previous bugs, CVE-2019-14287 (known as the -1 UID bug) and CVE-2019-18634 (known as the pwfeedback bug), required complex, non-standard sudo setups and were difficult to abuse.

According to Qualys, the bug disclosed today affects all Sudo installations that use the sudoers file (/etc/sudoers), which is present in most default Linux + Sudo installations.

CVE-2021-3156 basically means free root on any setup with sudo installed, omfg

Aruba (@mild_sunrise), January 26, 2021

To make matters worse, the bug also has a long tail. According to Qualys, it was introduced into the Sudo code in July 2011 and has effectively affected all Sudo versions released in the last decade.

The Qualys team said they were able to independently verify the vulnerability and develop multiple exploit variants for Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).

“Other operating systems and distributions are also likely to be abused,” the security company said.

Overall, the Baron Samedit vulnerability is one of the rare Sudo security flaws that can be successfully weaponized in the real world, unlike the two previous bugs disclosed a few years ago.

Qualys told ZDNet that if a botnet operator brute-forces a low-privileged service account, the vulnerability could be exploited in the second phase of the attack, allowing the intruder to easily gain root access and take complete control of the hacked server.

And, as ZDNet reported on Monday, these types of botnets targeting Linux systems through brute force attacks are very common these days.

Today’s Sudo update should be applied as soon as possible to avoid unwanted surprises from both botnet operators and malicious insiders (rogue employees).
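As an added example (not code from the article or from the Sudo project), a small POSIX shell screen that parses `sudo --version` output and flags any upstream release older than 1.9.5p2, the release named above as carrying the fix. The sample output, the version-string format and the assumption that every older release is affected are mine, not the article's.

```shell
#!/bin/sh
# Added example, not code from the article or the Sudo project: screen a Sudo
# version string against 1.9.5p2, the release the article names as carrying the
# CVE-2021-3156 fix. Assumes upstream "MAJOR.MINOR.PATCH[pLEVEL]" strings and
# treats every older release as affected (over-approximate before July 2011).
FIXED_VERSION="1.9.5p2"

# Print "MAJOR MINOR PATCH LEVEL" for a version string; a missing pLEVEL is 0.
sudo_version_fields() {
    base=${1%%p*}
    case $1 in
        *p*) level=${1##*p} ;;
        *)   level=0 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $base
    IFS=$oldifs
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$level"
}

# Collapse the four fields into one zero-padded integer so that plain numeric
# comparison orders 1.8.31 < 1.9.5 < 1.9.5p1 < 1.9.5p2 < 1.9.6.
sudo_version_key() {
    set -- $(sudo_version_fields "$1")
    printf '%d%03d%03d%03d\n' "$1" "$2" "$3" "$4"
}

# Exit status 0 when VERSION is older than the fixed release, 1 otherwise.
sudo_version_needs_fix() {
    [ "$(sudo_version_key "$1")" -lt "$(sudo_version_key "$FIXED_VERSION")" ]
}

# Pull the upstream version out of `sudo --version` output, whose first line
# reads "Sudo version X.Y.Z[pN]".
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Constructed sample of `sudo --version` output from an Ubuntu 20.04 host; the
# article lists its Sudo 1.8.31 among the versions Qualys wrote exploits for.
SAMPLE_OUTPUT="Sudo version 1.8.31
Sudoers policy plugin version 1.8.31"

ver=$(sudo_version_from_output "$SAMPLE_OUTPUT")
if sudo_version_needs_fix "$ver"; then
    echo "sudo $ver is older than $FIXED_VERSION: apply the CVE-2021-3156 update"
else
    echo "sudo $ver already carries the CVE-2021-3156 fix"
fi
```

On a live host, feed it `sudo_version_from_output "$(sudo --version)"`. Distributions often backport the fix into a package without changing the upstream version string, so a flagged version is a prompt to check the package changelog, not proof that the host is still exploitable.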

