The officially official Devuan Forum!


#1 2021-01-28 07:12:43

dice
Member
Registered: 2020-11-22
Posts: 559  

Sudo Vulnerability CVE-2021-3156

If you haven't apt updated in a while, today would be the day to do it if you use sudo.

https://haxf4rall.com/2021/01/27/cve-20 … ity-alert/

On January 27, 2021, RedHat issued a risk notice for a heap-based buffer overflow vulnerability, vulnerability number CVE-2021-3156. The vulnerability level is high risk. The CVSS v3 Base Score is 7.0.
Attackers can use the heap-based buffer overflow vulnerability to gain root privileges after obtaining server permissions. Currently, Debian has fixed the vulnerability; CentOS is still affected.

Vulnerability Detail
A heap-based buffer overflow was found in the way sudo parsed command line parameters. Any local user (normal users and system users, sudoers and non-sudoers) can exploit this vulnerability without authentication, and the attacker does not need to know the user's password. Successfully exploiting this vulnerability gains root privileges.

How to exploit this bug

Log in to the system as a non-root user and use the command sudoedit -s /

- If you see an error that starts with sudoedit:, it indicates that there is a vulnerability.
- If you see an error starting with usage:, then the patch has taken effect.

Demo

Affected version
sudo: 1.8.2 – 1.8.31p2
sudo: 1.9.0 – 1.9.5p1

Solution
In this regard, we recommend that users upgrade sudo to the latest version in time.

The post CVE-2021-3156: Sudo Heap-Based Buffer Overflow Vulnerability Alert appeared first on InfoTech News.


Last edited by dice (2021-01-28 07:14:54)


#2 2021-01-28 15:59:22

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 1,873  

Re: Sudo Vulnerability CVE-2021-3156

RFP for doas(1) was submitted yesterday:

https://bugs.debian.org/cgi-bin/bugrepo … bug=981176

Looks like it's going to be packaged up for De??an :-)

Last edited by Head_on_a_Stick (2021-01-28 16:19:23)


antifa ftw!


#3 2021-01-28 16:09:18

dice
Member
Registered: 2020-11-22
Posts: 559  

Re: Sudo Vulnerability CVE-2021-3156

There is also a minimalist alternative for privilege escalation that allows normal users to run other programs as a different user and group.

https://github.com/parazyd/sup

I've also started to create scripts to handle everyday tasks from the user account using su.

For instance, if I want to edit a file as root I have the below script, which I call "sue":

#!/bin/sh
# "sue": edit the given file(s) as root via su. $* keeps all file names inside
# the one -c command string; with "$@", a second name would be taken by su as the user.
su -c "${EDITOR:-vi} $*"


#4 2021-01-28 16:23:24

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 112  

Re: Sudo Vulnerability CVE-2021-3156

dice wrote:

if you havent apt updated in a while today would be the day to do it if you use sudo.

https://haxf4rall.com/2021/01/27/cve-20 … ity-alert/

My once-a-day unattended-upgrades (security fixes only) picked this up at 2:52 GMT yesterday.
Must have been bad - they seem to have pushed it out to the downstream repos (I'm on stable) damn fast.


#5 2021-01-28 16:30:38

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 1,873  

Re: Sudo Vulnerability CVE-2021-3156

dice wrote:

if i want to edit a file as root

Why not just use sudoedit? Oh no, wait...

Marjorie wrote:

they seems to have pushed it out to the downstream repos [...] damn fast

Yeah, the Security Team rocks :-)

https://security-tracker.debian.org/tra … -2021-3156



#6 2021-01-28 16:48:15

dice
Member
Registered: 2020-11-22
Posts: 559  

Re: Sudo Vulnerability CVE-2021-3156

Head_on_a_Stick wrote:
dice wrote:

if i want to edit a file as root

Why not just use sudoedit? Oh no, wait...

Well if one does not want to use sudo, they could edit a file that way using su.


#7 2021-01-29 09:11:36

zapper
Member
Registered: 2017-05-29
Posts: 396  

Re: Sudo Vulnerability CVE-2021-3156

On Hyperbola I use doas, surprised more distros within linux haven't started using it yet.


Black Lives Matter!  I am white, but I prefer equality over hatred.
Haughtiness comes before a fall, pride before destruction.
Peace be with you!
No one can serve two masters. Either you will hate the one and love the other, or you will be devoted to the one and despise the other. You cannot serve both God and mammon!


#8 2021-01-29 13:17:19

yeti
Member
From: I'm not here: U R halucinating
Registered: 2017-02-23
Posts: 256  

Re: Sudo Vulnerability CVE-2021-3156

zapper wrote:

On Hyperbola I use doas, surprised more distros within linux haven't started using it yet.

Did you check it for having "CVE-2019-25016 (Unsafe, incomplete PATH reset)" fixed?


𝕰𝖛𝖊𝖗𝖞𝖙𝖍𝖎𝖓𝖌 𝖙𝖍𝖆𝖙 𝖈𝖔𝖒𝖊𝖘 𝖜𝖎𝖙𝖍𝖔𝖚𝖙 𝕺𝖗𝖌𝖒𝖔𝖉𝖊 𝖎𝖘 𝖉𝖎𝖘𝖙𝖎𝖓𝖌𝖚𝖎𝖘𝖍𝖆𝖇𝖑𝖊 𝖋𝖗𝖔𝖒 𝖒𝖆𝖌𝖎𝖈.  – 𝖞𝖊𝖙𝖎.
𝕯𝖔𝖓'𝖙 𝖋𝖔𝖗𝖌𝖊𝖙 𝖙𝖔 𝖚𝖓𝖘𝖚𝖇𝖘𝖈𝖗𝖎𝖇𝖊!


#9 2021-01-29 15:44:45

mckaygerhard
Member
Registered: 2017-04-21
Posts: 276  

Re: Sudo Vulnerability CVE-2021-3156

sudo is sh*t that makes a Linux box act like a Windows one! Puff... it has a large history of several security holes, I mean several security interstellar black holes, in fact.


#10 2021-01-29 18:23:38

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 1,873  

Re: Sudo Vulnerability CVE-2021-3156

yeti wrote:
zapper wrote:

On Hyperbola I use doas, surprised more distros within linux haven't started using it yet.

Did you check it for having "CVE-2019-25016 (Unsafe, incomplete PATH reset)" fixed?

Alpine Linux updated to v6.8.1 within an hour of the upstream release :-)



#11 2021-01-29 21:42:14

zapper
Member
Registered: 2017-05-29
Posts: 396  

Re: Sudo Vulnerability CVE-2021-3156

yeti wrote:
zapper wrote:

On Hyperbola I use doas, surprised more distros within linux haven't started using it yet.

Did you check it for having "CVE-2019-25016 (Unsafe, incomplete PATH reset)" fixed?

If I had to guess, I think Hyperbola has fixed that already...

But curiously, when did it get discovered?

If it was a year or two ago, for sure.

By "for sure", I mean it's been solved most likely.

Last edited by zapper (2021-01-29 21:42:37)



#12 2021-01-29 21:49:48

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 1,873  

Re: Sudo Vulnerability CVE-2021-3156

zapper wrote:

when did it get discovered?

Yesterday.

EDIT: the fixed version is 6.8.1.

EDIT2: it looks like the doas package in Hyperbola is orphaned and stuck on an old version (6.6.1).

Last edited by Head_on_a_Stick (2021-01-29 22:25:11)



#13 2021-01-30 10:05:58

zapper
Member
Registered: 2017-05-29
Posts: 396  

Re: Sudo Vulnerability CVE-2021-3156

Head_on_a_Stick wrote:
zapper wrote:

when did it get discovered?

Yesterday.

EDIT: the fixed version is 6.8.1.

EDIT2: it looks like the doas package in Hyperbola is orphaned and stuck on an old version (6.6.1).

Hmm, they are doing a lot of different packaging things for 0.4 release, so it may be taking a while.  I hope 0.4 is ready soon.



#14 2021-10-05 09:55:59

superurmel
Member
Registered: 2021-10-05
Posts: 3  

Re: Sudo Vulnerability CVE-2021-3156

dice wrote:

if you havent apt updated in a while today would be the day to do it if you use sudo.

Affected version
sudo: 1.8.2 – 1.8.31p2
sudo: 1.9.0 – 1.9.5p1

Solution
In this regard, we recommend that users upgrade sudo to the latest version in time.

Hi. I don't understand. I do check for updates regularly. My version of sudo is:

~ % apt list sudo -a         
Auflistung... Fertig
sudo/stable,stable-security,now 1.8.27-1+deb10u3 amd64  [installiert]
sudo/stable,stable-security 1.8.27-1+deb10u3 i386

And I'm on Devuan 3.1.

My sources.list:

## package repositories
deb http://deb.devuan.org/merged beowulf main contrib non-free
deb http://deb.devuan.org/merged beowulf-updates main contrib non-free
deb http://deb.devuan.org/merged beowulf-security main contrib non-free
deb http://deb.devuan.org/merged beowulf-backports main contrib non-free

What is it I do not understand?
Am I doing something wrong?


#15 2021-10-05 10:00:15

GlennW
Member
Registered: 2019-07-18
Posts: 169  

Re: Sudo Vulnerability CVE-2021-3156

Ah, it's in testing and daedalus: 1.9.5p2-3 amd64 [installed,automatic]

glenn@asus-r552jv:~$ su
Password: 
root@asus-r552jv:~# apt list sudo -a
Listing... Done
sudo/testing,testing,daedalus,now 1.9.5p2-3 amd64 [installed,automatic]
sudo/stable 1.8.27-1+deb10u3 amd64

root@asus-r552jv:~# 

hope this helps.


#16 2021-10-05 10:20:49

superurmel
Member
Registered: 2021-10-05
Posts: 3  

Re: Sudo Vulnerability CVE-2021-3156

Thanks for the reply, GlennW.

hope this helps.

It still confuses me. I thought that, because I'm on stable, I should get security patches.

As I have sudo version 1.8.27-1+deb10u3, I think I still have the vulnerable version.

Affected version
sudo: 1.8.2 – 1.8.31p2
sudo: 1.9.0 – 1.9.5p1

I'm confused.

SOLVED:

Ok, after a little search on debian.org I found out that the version I have (1.8.27-1+deb10u3) is fixed!

I have the fixed version (https://www.debian.org/security/2021/dsa-4839) but still the behavior described on https://haxf4rall.com/2021/01/27/cve-20 … ity-alert/.

How to exploit this bug

Log in to the system as a non-root user and use the command sudoedit -s /

- If you see an error that starts with sudoedit:, it indicates that there is a vulnerability.
- If you see an error starting with usage:, then the patch has taken effect.

Last edited by superurmel (2021-10-05 16:08:22)
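
A shell check, added here and not code from the thread, that combines the two signals this thread ends up with: the sudoedit -s / probe from the first post, and the point of the SOLVED note above that a distro package version such as 1.8.27-1+deb10u3 has to be compared against the distribution's fixed version (DSA-4839), not against the upstream affected range. The script name and the "unknown" fallback when dpkg is absent are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Decides whether a Debian/Devuan host
# is still exposed to CVE-2021-3156 using the two signals discussed above.
# Assumes the DSA-4839 fixed version 1.8.27-1+deb10u3 for buster/beowulf.

# Classify the first stderr line of `sudoedit -s /`: patched builds refuse -s in
# sudoedit mode and print their usage, vulnerable builds accept it and report an
# error that begins with "sudoedit:".
classify_probe() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Compare the installed Debian package version with the distribution's fixed
# version. The upstream affected range (1.8.2 - 1.8.31p2) says nothing about a
# distro package that backports the fix, so the dpkg version string is what
# counts. Falls back to "unknown" where dpkg(1) is not available.
version_status() {
    installed=$1
    fixed=${2:-1.8.27-1+deb10u3}
    if command -v dpkg >/dev/null 2>&1; then
        if dpkg --compare-versions "$installed" ge "$fixed"; then
            echo patched
        else
            echo vulnerable
        fi
    else
        echo unknown
    fi
}

# Run both checks on this host; only invoked explicitly: sh sudo_check.sh run
main() {
    if command -v sudoedit >/dev/null 2>&1; then
        err=$(sudoedit -s / 2>&1 >/dev/null | head -n 1)
        echo "probe:   $(classify_probe "$err")"
    else
        echo "probe:   sudoedit not installed"
    fi
    ver=$(dpkg-query -W -f '${Version}' sudo 2>/dev/null)
    [ -n "$ver" ] && echo "package: $ver -> $(version_status "$ver")"
}
case "${1:-}" in run) main ;; esac
```

On a stable/beowulf box with the DSA-4839 package both lines should report patched, which is the same conclusion superurmel reached by hand.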


#17 2021-10-05 21:01:47

GlennW
Member
Registered: 2019-07-18
Posts: 169  

Re: Sudo Vulnerability CVE-2021-3156

Now I'm confused. And I don't use sudo or would have it installed if I could arrange it.

Using the example above... I get

glenn@asus-r552jv:~$ sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
glenn@asus-r552jv:~$

But checking with apt install... I get

root@asus-r552jv:~# apt install sudo
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
sudo is already the newest version (1.9.5p2-3).
sudo set to manually installed.

I'd get rid of it (sudo), but it is tied to too many other programs...

root@asus-r552jv:~# apt remove sudo
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bluedevil breeze-gtk-theme bup bup-doc gtk2-engines-pixbuf ibus-data ieee-data kde-cli-tools-data kde-config-gtk-style kde-config-sddm kde-style-oxygen-qt5 kgamma5
  khotkeys khotkeys-data kinfocenter kmenuedit ksysguard ksysguard-data kup-backup kwrited libgsettings-qt1 libibus-1.0-5 libkf5su-data libkf5sysguard-bin
  libkpmcore11 libksignalplotter9 liboxygenstyle5-5 liboxygenstyleconfig5-5 libqt5sensors5 libscim8v5 libxcb-record0 oxygen-sounds par2 partitionmanager
  plasma-desktop-data plasma-disks plasma-pa pulseaudio-module-gsettings python3-fuse python3-pylibacl python3-tornado qml-module-gsettings1.0
  qml-module-org-kde-activities qml-module-org-kde-kcm qml-module-org-kde-kio qml-module-org-kde-kitemmodels smartmontools systemsettings xsettingsd
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  kde-cli-tools kde-plasma-desktop kscreen libkf5su-bin libkf5su5 plasma-desktop sudo
0 upgraded, 0 newly installed, 7 to remove and 3 not upgraded.
After this operation, 12.4 MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.

That "apt autoremove" list is for after sudo is removed.

Anyhow... I still won't use it. I'm sure I removed the config files from /etc/...


#18 2021-10-05 23:24:51

dvnUsr
Member
Registered: 2020-08-10
Posts: 15  

Re: Sudo Vulnerability CVE-2021-3156

@H_O_A_S/@zapper:  Thanks for the tip about doas.

I note it can be installed from the repository (http://deb.devuan.org/merged chimaera/main amd64 Packages).

Tried it, but the one thing I need is its "persist" functionality, which doesn't work for me; here's my /etc/doas.conf contents:

permit persist <my-username> as root

doas runs fine but *always* asks me for the password.

I understand persist doesn't work because the package must have been compiled without first enabling persist.  I assume it comes directly from Debian ... https://bugs.debian.org/cgi-bin/bugrepo … bug=983505

Last edited by dvnUsr (2021-10-05 23:30:40)


#19 2021-10-06 00:42:12

dvnUsr
Member
Registered: 2020-08-10
Posts: 15  

Re: Sudo Vulnerability CVE-2021-3156

Oho, just discovered that:

doas -s

is a handy workaround while persist is not working.

I've uninstalled sudo.  (There were no dependencies in my installation.)


#20 2021-10-06 05:18:05

superurmel
Member
Registered: 2021-10-05
Posts: 3  

Re: Sudo Vulnerability CVE-2021-3156

GlennW wrote:

Now I'm confused. And I don't use sudo or would have it installed if I could arrange it.

Using the example above... I get

glenn@asus-r552jv:~$ sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
glenn@asus-r552jv:~$

My bad. I used the command wrong.

~ % sudoedit -s/
sudoedit: Ungültige Option -- /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
                prompt] [-T timeout] [-u user] file ...

I also get this

~ % sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
                prompt] [-T timeout] [-u user] file ...

I will give doas a try.

Last edited by superurmel (2021-10-06 05:21:09)


#21 2021-10-07 00:13:34

GlennW
Member
Registered: 2019-07-18
Posts: 169  

Re: Sudo Vulnerability CVE-2021-3156

My bad. I used the command wrong.

Thanks for letting me know, I thought I must be doing something wrong... But, good to know.

ahahaha. relief!


#22 2021-10-07 13:03:46

hevidevi
Member
Registered: 2021-09-17
Posts: 69  

Re: Sudo Vulnerability CVE-2021-3156

You can also program in completions for doas if you are so inclined.

A few examples I found here: https://git.xosc.org/config/tree/.kshrc

#############################################################################
# COMPLETIONS
#############################################################################

# Mostly copied from
# https://github.com/qbit/dotfiles/blob/master/common/dot_ksh_completions

if [ -d ~/.password-store ]; then
	PASS_LIST=$(
		cd ~/.password-store
		find . -type f -name \*.gpg | sed 's/^\.\///' | sed 's/\.gpg$//g'
	)

	set -A complete_tpm_1 -- $PASS_LIST usage
	set -A complete_tpm_2 -- $PASS_LIST edit insert show rm
fi

set -A complete_kill_1 -- -9 -HUP -INFO -KILL -TERM

set -A complete_ifconfig_1 -- $(ifconfig | grep '^[a-z]' | cut -d: -f1)

if [ -d /var/db/pkg ]; then
	PKG_LIST=$(/bin/ls -1 /var/db/pkg)
	set -A complete_pkg_info -- $PKG_LIST

	alias dpkgdel="doas pkg_delete"
	set -A complete_dpkgdel_1 -- $PKG_LIST
fi

# relayctl completion.  Second level only for 'show'
set -A complete_relayctl_1 -- monitor show load poll reload stop redirect table host log
set -A complete_relayctl_2 -- summary hosts redirects relays routers sessions

set -A complete_unwindctl_1 -- reload log status

if [ -d /etc/rc.d ]; then
	RCD_LIST=$(/bin/ls /etc/rc.d)
	set -A complete_rcctl_1 -- get getdef set check reload restart stop start disable enable order ls
	set -A complete_rcctl_2 -- $RCD_LIST

	alias drcctl="doas rcctl"
	set -A complete_drcctl_1 -- get getdef set check reload restart stop start disable enable order ls
	set -A complete_drcctl_2 -- $RCD_LIST
fi

set -A complete_tarsnap_1 -- --list-archives --print-stats --fsck --fsck-prune --nuke --verify-config --version --checkpoint-bytes --configfile --dry-run --exclude --humanize-numbers --keyfile --totals

# /tmp/.man-list is generated upon boot by /etc/rc.local with
# find /usr/share/man/ -type f | sed -e 's/.*\///' -e 's/\.[0-9]//' | sort -u
[[ -f /tmp/.man-list ]] && set -A complete_man -- $(cat /tmp/.man-list)

[[ -d $HOME/.marks ]] && set -A complete_j -- $(/bin/ls $HOME/.marks)

Last edited by hevidevi (2021-10-07 13:04:32)

