Bug 1917684 (CVE-2021-3156) - CVE-2021-3156 sudo: Heap buffer overflow in argument parsing
Summary: CVE-2021-3156 sudo: Heap buffer overflow in argument parsing
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3156
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1917723 1917724 1917725 1917727 1917728 1917729 1917730 1917731 1917732 1917733 1917734 1917735 1917741 1918198 1918199 1918200 1918201 1919880 1920485 1920487 1920618
Blocks: 1917685
Reported: 2021-01-19 06:44 UTC by Huzaifa S. Sidhpurwala
Modified: 2022-04-17 21:05 UTC (History)
CC List: 38 users

Fixed In Version: sudo 1.9.5p2
Doc Type: Known Issue
Doc Text:
A flaw was found in sudo. A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command (by default, any local user can execute sudo) without authentication. Successful exploitation of this flaw could lead to privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-01-26 22:46:50 UTC


Attachments
Upstream patch (9.13 KB, patch), 2021-01-19 06:49 UTC, Huzaifa S. Sidhpurwala
New upstream patch (the first patch breaks -P option) (9.28 KB, patch), 2021-01-20 03:19 UTC, Huzaifa S. Sidhpurwala


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0291 0 None None None 2021-01-28 12:25:04 UTC
Red Hat Product Errata RHBA-2021:0326 0 None None None 2021-02-01 18:15:26 UTC
Red Hat Product Errata RHBA-2021:0392 0 None None None 2021-02-02 17:14:48 UTC
Red Hat Product Errata RHBA-2021:0393 0 None None None 2021-02-02 17:15:16 UTC
Red Hat Product Errata RHBA-2021:0398 0 None None None 2021-02-03 14:12:27 UTC
Red Hat Product Errata RHBA-2021:0400 0 None None None 2021-02-03 15:59:43 UTC
Red Hat Product Errata RHSA-2021:0218 0 None None None 2021-01-26 19:34:23 UTC
Red Hat Product Errata RHSA-2021:0219 0 None None None 2021-01-26 19:49:13 UTC
Red Hat Product Errata RHSA-2021:0220 0 None None None 2021-01-26 19:33:19 UTC
Red Hat Product Errata RHSA-2021:0221 0 None None None 2021-01-26 20:35:48 UTC
Red Hat Product Errata RHSA-2021:0222 0 None None None 2021-01-26 20:38:14 UTC
Red Hat Product Errata RHSA-2021:0223 0 None None None 2021-01-26 20:48:26 UTC
Red Hat Product Errata RHSA-2021:0224 0 None None None 2021-01-26 20:01:49 UTC
Red Hat Product Errata RHSA-2021:0225 0 None None None 2021-01-26 19:44:28 UTC
Red Hat Product Errata RHSA-2021:0226 0 None None None 2021-01-26 19:32:11 UTC
Red Hat Product Errata RHSA-2021:0227 0 None None None 2021-01-26 19:52:25 UTC
Red Hat Product Errata RHSA-2021:0395 0 None None None 2021-02-03 10:37:44 UTC
Red Hat Product Errata RHSA-2021:0401 0 None None None 2021-02-03 16:13:16 UTC

Description Huzaifa S. Sidhpurwala 2021-01-19 06:44:18 UTC
A heap-based buffer overflow was found in the way sudo parses command line arguments. 

As per the researcher this vulnerability:

- is exploitable by any local user (normal users and system users, sudoers and non-sudoers), without authentication (i.e., the attacker does not need to know the user's password);

- was introduced in July 2011 (commit 8255ed69), and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, in their default configuration.

This could lead to privilege escalation.
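The version ranges quoted above can be turned into a quick local check. The script below is an added example, not code from this bug or from the sudo project: it parses an upstream sudo version string (for instance the first line of `sudo --version`) and reports whether it falls inside 1.8.2 to 1.8.31p2 or 1.9.0 to 1.9.5p1. The caveat for Red Hat hosts is that the distribution backports fixes without bumping the upstream version number, so a version-string match only means "possibly affected"; the authoritative check is whether the installed package carries the fix, which the `--live` mode below approximates by looking for this CVE in the package changelog (`rpm -q --changelog sudo`), or by matching the package against the erratum for your product listed on this page.

```shell
#!/bin/sh
# Added example (not from the Red Hat bug or the sudo project): classify an
# upstream sudo version string against the affected ranges quoted in the bug:
#   legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1.

# Split "1.8.31p2" into "major minor patch plevel"; plevel is 0 without a pN suffix.
sudo_version_parts() {
    svp_v=$1
    svp_p=0
    case "$svp_v" in
        *p*) svp_p=${svp_v##*p}; svp_v=${svp_v%p*} ;;
    esac
    svp_major=${svp_v%%.*}
    svp_rest=${svp_v#*.}
    svp_minor=${svp_rest%%.*}
    case "$svp_rest" in
        *.*) svp_patch=${svp_rest#*.}; svp_patch=${svp_patch%%.*} ;;
        *)   svp_patch=0 ;;
    esac
    printf '%s %s %s %s\n' "$svp_major" "$svp_minor" "$svp_patch" "$svp_p"
}

# Collapse the four parts into one integer so ranges compare with -ge/-le.
# Minor, patch and p level each get two decimal digits (none of them exceeded
# 99 in the affected series).
sudo_version_key() {
    set -- $(sudo_version_parts "$1")
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 ))
}

# Exit status 0 when the upstream version is inside an affected range.
sudo_version_affected() {
    sva_k=$(sudo_version_key "$1")
    if [ "$sva_k" -ge "$(sudo_version_key 1.8.2)" ] && [ "$sva_k" -le "$(sudo_version_key 1.8.31p2)" ]; then
        return 0
    fi
    if [ "$sva_k" -ge "$(sudo_version_key 1.9.0)" ] && [ "$sva_k" -le "$(sudo_version_key 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

# Pull the version out of `sudo --version` output (first line: "Sudo version X").
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version //p'
}

# Live check; runs only when invoked as "script --live", so the functions
# above can be sourced and tested without calling sudo or rpm.
if [ "${1:-}" = "--live" ]; then
    ver=$(sudo_version_from_output "$(sudo --version 2>/dev/null)")
    if sudo_version_affected "$ver"; then
        echo "sudo $ver is inside an affected upstream range"
        # On RHEL the fix is backported, so confirm via the package changelog
        # instead of trusting the upstream version number alone.
        if rpm -q --changelog sudo 2>/dev/null | grep -q CVE-2021-3156; then
            echo "but the installed package changelog references CVE-2021-3156 (fix present)"
        else
            echo "and the package changelog has no CVE-2021-3156 entry: update sudo"
        fi
    else
        echo "sudo $ver is outside the affected upstream ranges"
    fi
fi
```

Run it as `sh sudo-affected.sh --live` on the host, or source it and call `sudo_version_affected 1.8.23` to classify a version string by hand.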

Comment 1 Huzaifa S. Sidhpurwala 2021-01-19 06:49:11 UTC
Created attachment 1748637 [details]
Upstream patch

Comment 8 Huzaifa S. Sidhpurwala 2021-01-20 03:19:04 UTC
Created attachment 1748935 [details]
New upstream patch (the first patch breaks -P option)

Comment 28 Clifford Perry 2021-01-26 18:17:51 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 1920618]

Comment 29 errata-xmlrpc 2021-01-26 19:32:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:0226 https://access.redhat.com/errata/RHSA-2021:0226

Comment 30 errata-xmlrpc 2021-01-26 19:33:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0220 https://access.redhat.com/errata/RHSA-2021:0220

Comment 31 errata-xmlrpc 2021-01-26 19:34:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0218 https://access.redhat.com/errata/RHSA-2021:0218

Comment 32 errata-xmlrpc 2021-01-26 19:44:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:0225 https://access.redhat.com/errata/RHSA-2021:0225

Comment 33 errata-xmlrpc 2021-01-26 19:49:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0219 https://access.redhat.com/errata/RHSA-2021:0219

Comment 34 errata-xmlrpc 2021-01-26 19:52:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2021:0227 https://access.redhat.com/errata/RHSA-2021:0227

Comment 35 errata-xmlrpc 2021-01-26 20:01:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:0224 https://access.redhat.com/errata/RHSA-2021:0224

Comment 36 errata-xmlrpc 2021-01-26 20:35:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0221 https://access.redhat.com/errata/RHSA-2021:0221

Comment 37 errata-xmlrpc 2021-01-26 20:38:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0222 https://access.redhat.com/errata/RHSA-2021:0222

Comment 38 errata-xmlrpc 2021-01-26 20:48:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0223 https://access.redhat.com/errata/RHSA-2021:0223

Comment 39 Product Security DevOps Team 2021-01-26 22:46:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3156

Comment 42 Tomas Hoger 2021-01-27 08:18:45 UTC
This issue was fixed upstream in version 1.9.5p2:

https://www.sudo.ws/stable.html#1.9.5p2

Comment 45 Huzaifa S. Sidhpurwala 2021-01-31 11:54:25 UTC
Statement:

This flaw does not affect the versions of sudo shipped with Red Hat Enterprise Linux 5, because the vulnerable code was not present in these versions.

Comment 49 errata-xmlrpc 2021-02-03 10:37:39 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:0395 https://access.redhat.com/errata/RHSA-2021:0395

Comment 50 errata-xmlrpc 2021-02-03 16:13:14 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:0401 https://access.redhat.com/errata/RHSA-2021:0401

Comment 54 RaTasha Tillery-Smith 2021-02-05 13:15:12 UTC
Mitigation:

Red Hat Product Security strongly recommends that customers update to fixed sudo packages once they are available. For customers who cannot update immediately, the following interim partial mitigation using systemtap is suggested:

1. Install the required systemtap packages and dependencies:
```
yum install -y systemtap yum-utils kernel-devel-"$(uname -r)"
```

Then, for RHEL 7, install the kernel debuginfo using:
```
debuginfo-install -y kernel-"$(uname -r)"
```
Then, for RHEL 8 and 6, install the sudo debuginfo using:
```
debuginfo-install sudo
```
 
2. Create the following systemtap script (save it as sudoedit-block.stap):
```
# Fires on entry to main() of /usr/bin/sudo; sudoedit is a symlink to this
# binary, so the probe also covers invocations under that name.
probe process("/usr/bin/sudo").function("main")  {
        # Fetch the process's command line arguments as one string.
        command = cmdline_args(0,0,"");
        # If it contains "edit" (the sudoedit invocation), kill the process
        # with SIGKILL (signal 9) before any argument parsing happens.
        if (isinstr(command, "edit")) {
                raise(9);
        }
}
```
3. Install the script using the following command: (using root)
```
# nohup stap -g sudoedit-block.stap &
```
(This should output the PID number of the systemtap script)

This script will cause the vulnerable sudoedit binary to stop working. The sudo command will still work as usual.
The above change does not persist across reboots and must be applied after each reboot.

Please consult "How to make a systemtap kernel module load persistently across reboots?" (https://access.redhat.com/solutions/5752521) to learn how to turn this into a service managed by initd.

4. Once the new fixed packages are installed, the systemtap script can be removed by killing the systemtap process.  For example, by using:
```
# kill -s SIGTERM 7590
```
(where 7590 is the PID of the systemtap process)
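Steps 1 to 4 above, collected into one start/stop script, as an added example that is not part of the Red Hat statement or of the sudo project. It picks the debuginfo step for RHEL 6, 7 or 8 from /etc/redhat-release, writes the systemtap script exactly as given above, records the PID of the stap process so that step 4 does not depend on remembering it, and can be driven from a service unit (`start` at boot, `stop` on shutdown) to get the persistence the knowledge base article covers. The file paths /etc/sudoedit-block.stap, /run/sudoedit-block.pid and /var/log/sudoedit-block.log are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the Red Hat bug or the sudo project: the interim
# systemtap mitigation from comment 54 as an install/start/stop/status script.
# Paths below are this example's own assumptions.
STAP_SCRIPT=${STAP_SCRIPT:-/etc/sudoedit-block.stap}
PID_FILE=${PID_FILE:-/run/sudoedit-block.pid}
LOG_FILE=${LOG_FILE:-/var/log/sudoedit-block.log}

# RHEL major version from a /etc/redhat-release line such as
# "Red Hat Enterprise Linux Server release 7.9 (Maipo)" (string passed as $1).
rhel_major_from_release_string() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9]*\).*/\1/p' | head -n 1
}

# Step 1 differs per release: kernel debuginfo on RHEL 7, sudo debuginfo on 6 and 8.
# Prints the command to run; exit status 1 for an unsupported major version.
debuginfo_install_cmd() {
    case "$1" in
        7)   printf 'debuginfo-install -y kernel-%s\n' "$(uname -r)" ;;
        6|8) printf 'debuginfo-install sudo\n' ;;
        *)   return 1 ;;
    esac
}

install_prereqs() {
    ip_major=$(rhel_major_from_release_string "$(cat /etc/redhat-release)")
    ip_cmd=$(debuginfo_install_cmd "$ip_major") || {
        echo "unsupported release major '$ip_major'" >&2; return 1; }
    yum install -y systemtap yum-utils kernel-devel-"$(uname -r)"
    $ip_cmd
}

# Step 2: write the probe exactly as given in the bug.
write_stap_script() {
    cat > "$1" <<'EOF'
probe process("/usr/bin/sudo").function("main")  {
        command = cmdline_args(0,0,"");
        if (isinstr(command, "edit")) {
                raise(9);
        }
}
EOF
}

guard_running() {
    [ -f "$PID_FILE" ] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null
}

# Step 3: start stap in the background and remember its PID.
start_guard() {
    [ -f "$STAP_SCRIPT" ] || write_stap_script "$STAP_SCRIPT"
    if guard_running; then
        echo "sudoedit guard already running (pid $(cat "$PID_FILE"))"; return 0
    fi
    nohup stap -g "$STAP_SCRIPT" >"$LOG_FILE" 2>&1 &
    echo $! > "$PID_FILE"
    echo "sudoedit guard started (pid $(cat "$PID_FILE"))"
}

# Step 4: once fixed packages are installed, terminate the stap process.
stop_guard() {
    if guard_running; then
        kill -s TERM "$(cat "$PID_FILE")"
        rm -f "$PID_FILE"
        echo "sudoedit guard stopped"
    else
        echo "sudoedit guard not running"
    fi
}

case "${1:-}" in
    install) install_prereqs ;;
    start)   start_guard ;;
    stop)    stop_guard ;;
    status)  if guard_running; then echo running; else echo stopped; fi ;;
esac
```

Run `sudoedit-block.sh install` once, then `start`; after the fixed sudo package is installed, `stop` performs step 4 without having to look up the PID. Without an argument the script only defines its functions, which is what makes the pieces testable on a machine without systemtap.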

