PSA: If your PC runs Linux, you should update Sudo now
Although tens of thousands of contributors actively pore over the source code of the Linux kernel and various Unix utilities looking for security flaws, it’s not unheard of for serious bugs to go unnoticed. Just a day ago, the folks over at Qualys revealed a heap-based buffer overflow in the “Sudo” program that can be used to gain root access. The bug seems to be quite serious, and it has existed within the codebase for almost 10 years! Although the privilege escalation vulnerability has already been patched, it could potentially be exploited on nearly every Linux distribution and several Unix-like operating systems.
Enter Baron Samedit
Formally cataloged as CVE-2021-3156, the vulnerability has been named Baron Samedit. The moniker seems to be a play on Baron Samedi and the sudoedit utility, since the latter is used in one of the exploit paths. By exploiting this vulnerability, any unprivileged local user can gain unfettered root privileges on the vulnerable host. In more technical terms, the bug involves controlling the size of the “user_args” buffer (which is meant for sudoers matching and logging) and abusing Sudo’s incorrect unescaping of backslashes in the arguments to overflow that buffer and obtain root privileges.
Why Baron Samedit is a critical vulnerability
The exploitable code can be traced back to July 2011 and affects all legacy Sudo versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration. The security vulnerability is said to be rather trivial to exploit: the local user does not need to be a privileged user or be part of the sudoers list. As a result, any device running even a fairly modern Linux distribution can potentially fall victim to this bug. In fact, the researchers from Qualys were able to obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).
We at XDA generally welcome the ability for regular users to gain root access, but we do not celebrate the existence of root exploits such as this, especially one that is so widespread and potentially incredibly dangerous to end-users. The vulnerability has been fixed in sudo version 1.9.5p2, released yesterday at the same time as Qualys publicly disclosed their findings. Our readers are requested to upgrade to sudo 1.9.5p2 or later as soon as possible.
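The affected ranges listed above can be checked mechanically, including the "p" patch-level suffix that a plain string comparison gets wrong. The script below is an added example, not code from this article or from Qualys; the function names are its own, and it compares upstream version numbers only.

```shell
#!/bin/sh
# Added example, not from the article: classify a sudo version string against
# the affected ranges the article lists (1.8.2-1.8.31p2 and 1.9.0-1.9.5p1).
# Function names are this example's own.

# Map "1.8.31p2" to a sortable integer. Only N.N.N and N.N.NpN are accepted;
# anything else (beta or rc builds, vendor strings) is reported as unparseable.
ver_key() {
    printf '%s\n' "$1" | awk -F'[.p]' '
        /^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$/ {
            printf "%d\n", $1 * 1000000 + $2 * 10000 + $3 * 100 + $4
            ok = 1
        }
        END { exit !ok }'
}

# Prints in-affected-range, outside-affected-range, or unknown.
classify_sudo_version() (
    if ! k=$(ver_key "$1"); then
        echo "unknown"
    elif { [ "$k" -ge "$(ver_key 1.8.2)" ] && [ "$k" -le "$(ver_key 1.8.31p2)" ]; } ||
         { [ "$k" -ge "$(ver_key 1.9.0)" ] && [ "$k" -le "$(ver_key 1.9.5p1)" ]; }; then
        echo "in-affected-range"
    else
        echo "outside-affected-range"
    fi
)

# The first line of `sudo -V` reads "Sudo version <version>".
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# The three versions the article names as exploited, then the fixed release.
for v in 1.8.31 1.8.27 1.9.2 1.9.5p2; do
    printf '%-8s %s\n' "$v" "$(classify_sudo_version "$v")"
done

v=$(installed_sudo_version)
if [ -n "$v" ]; then
    printf 'installed sudo %s: %s\n' "$v" "$(classify_sudo_version "$v")"
fi
```

Distribution packages frequently backport security fixes without changing the upstream version number, so treat an in-affected-range result as a prompt to check the vendor's advisory or package changelog rather than as proof of exposure.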
How to check if you’re affected by Baron Samedit
To test whether your Linux environment is vulnerable, log in to the system as a non-root user and run the following command:
sudoedit -s /
A vulnerable system should respond with an error that starts with sudoedit:. However, if the system is already patched, it will show an error that starts with