Apple’s macOS is also vulnerable to the root exploit affecting Linux
Over the years, we’ve seen a number of alarming Linux privilege-escalation exploits make the spotlight. Just a few days ago, when researchers at Qualys disclosed a heap-based buffer overflow in the “sudo” program that lets any local user gain root, they predicted that the bug might impact other operating systems of the Unix family. They were right: security researcher Matthew Hickey has confirmed that the CVE-2021-3156 vulnerability (AKA “Baron Samedit”) can easily be adapted to gain root access on Apple macOS.
CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one’s privileges to 1337 uid=0. Fun for @p0sixninja pic.twitter.com/tyXFB3odxE
— Hacker Fantastic 📡 (@hackerfantastic) February 2, 2021
The underlying foundation of macOS is Darwin, which itself borrows various elements from the FreeBSD operating system, and Apple ships the same third-party sudo utility that Linux distributions do, so the vulnerable code is present out-of-the-box in a vanilla macOS installation. macOS does not install a separate sudoedit command, but sudo selects sudoedit mode from the name it is invoked under, which is why Hickey’s trick of symlinking sudoedit to sudo is enough to reach the vulnerable code path. What’s problematic about this revelation is that an official fix is not yet available from Apple. As Will Dormann confirmed, that leaves not only Intel Macs but also the new ARM-based M1 Macs (aarch64) exposed to the attack.
Can confirm with macOS Big Sur on both x86_64 and aarch64. pic.twitter.com/nQqQ8rskv7
— Will Dormann (@wdormann) February 2, 2021
Unlike on regular Linux distributions, there is no straightforward way for macOS users to replace the system’s sudo binary with a patched one, because Apple’s System Integrity Protection keeps /usr/bin read-only even for root. Keep in mind that applying Apple’s latest security update (released on February 1), which consists of macOS Big Sur 11.2, Security Update 2021-001 Catalina, and Security Update 2021-001 Mojave, isn’t enough either: those updates do not replace sudo, so the copy they leave behind is still the vulnerable one. As a result, every supported macOS release remains vulnerable to Baron Samedit until Apple ships a sudo at or above the fixed upstream version, 1.9.5p2.
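Until a vendor fix lands, the practical question for an administrator is whether a given Mac (or any other Unix box) is exposed. The script below is an added example, not code from this article or from the researchers it quotes. It combines two signals: the installed version compared against the ranges Qualys listed as affected (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, fixed in 1.9.5p2), and the behavioural test from the Qualys advisory, where `sudoedit -s /` prints "not a regular file" on a vulnerable build and a usage message on a fixed one, before any authentication. Because macOS has no sudoedit command, the behavioural check creates a symlink named sudoedit pointing at sudo, following Hickey’s tweet. The helper names and the `--run` flag are this example’s own conventions; nothing here escalates privileges.

```sh
#!/bin/sh
# Added example: local pre-patch check for CVE-2021-3156 (Baron Samedit).
# Not part of the original article; helper names and the --run flag are assumptions.

# Turn "1.9.5p1" into one integer so ranges can be compared with test(1).
# Missing components count as zero: "1.9" == "1.9.0", "1.9.5" == "1.9.5p0".
version_key() {
    v=$1
    p=0
    case "$v" in *p*) p=${v##*p}; v=${v%p*} ;; esac
    major=${v%%.*}
    rest=${v#*.}
    case "$v" in *.*) ;; *) rest=0 ;; esac
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + p ))
}

# Pull the version out of the text printed by `sudo --version`
# (first line looks like "Sudo version 1.9.5p2").
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*$/\1/p' | head -n 1
}

# Exit 0 if the version sits inside one of the ranges Qualys listed as affected.
# Distro builds often backport the fix without bumping the version string, so a hit
# here means "run the behavioural check", not "proven vulnerable".
is_vulnerable_version() {
    [ -n "$1" ] || return 1
    k=$(version_key "$1")
    if [ "$k" -ge "$(version_key 1.8.2)" ] && [ "$k" -le "$(version_key 1.8.31p2)" ]; then
        return 0
    fi
    if [ "$k" -ge "$(version_key 1.9.0)" ] && [ "$k" -le "$(version_key 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

# Classify what `sudoedit -s /` printed. A vulnerable build reaches the code that
# complains the argument is "not a regular file"; a fixed build rejects the option
# combination with a usage message before getting that far.
classify_sudoedit_output() {
    case "$1" in
        *"not a regular file"*) echo vulnerable ;;
        *usage:*)               echo patched ;;
        *)                      echo unknown ;;
    esac
}

# Run both checks against the sudo actually installed on this host.
check_host() {
    sudo_bin=$(command -v sudo) || { echo "sudo not installed"; return 2; }
    v=$(sudo_version_from_output "$("$sudo_bin" --version 2>/dev/null)")
    echo "installed sudo: ${v:-unknown}"
    if is_vulnerable_version "$v"; then
        echo "version check: inside the affected range (may still be backport-patched)"
    else
        echo "version check: outside the affected range"
    fi
    tmp=$(mktemp -d) || return 2
    # macOS ships no sudoedit binary; sudo picks sudoedit mode from argv[0],
    # so a symlink with that name stands in for it (Hickey's technique).
    ln -s "$sudo_bin" "$tmp/sudoedit"
    out=$("$tmp/sudoedit" -s / 2>&1 </dev/null || true)
    rm -rf "$tmp"
    echo "behavioural check: $(classify_sudoedit_output "$out")"
}

# Only touch the real sudo when explicitly asked; the helpers above are pure.
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

Run it as `sh check-sudo.sh --run` on each host. Treat "behavioural check: vulnerable" as authoritative: the version comparison alone produces false positives on distributions that backport fixes, and false negatives are not expected because the fixed version string 1.9.5p2 is only emitted by builds that contain the fix.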
We hope Apple publicly acknowledges the serious issue and is transparent about its plans to fix it. Apart from macOS, CVE-2021-3156 also impacts the latest versions of IBM AIX and Solaris, making it one of the most broadly exposed local privilege escalation vulnerabilities discovered to date.