
10-year-old Sudo bug lets Linux users gain root-level access

Summary

A major vulnerability impacting a large chunk of the Linux ecosystem has been patched today in Sudo, an app that allows admins to delegate limited root access to other users. The vulnerability, named "Baron Samedit," impacts most Linux distributions today.

 

Quotes

Quote

A major vulnerability impacting a large chunk of the Linux ecosystem has been patched today in Sudo, an app that allows admins to delegate limited root access to other users. The vulnerability, which received a CVE identifier of CVE-2021-3156, but is more commonly known as "Baron Samedit," was discovered by security auditing firm Qualys two weeks ago and was patched earlier today with the release of Sudo v1.9.5p2.

In a simple explanation provided by the Sudo team today, the Baron Samedit bug can be exploited by an attacker who has gained access to a low-privileged account to gain root access, even if the account isn't listed in /etc/sudoers — a config file that controls which users are allowed access to su or sudo commands in the first place.

 

While there have been two other Sudo security flaws disclosed over the past two years, the bug disclosed today is the one considered the most dangerous of all three. Making matters worse, the bug also has a long tail. Qualys said the bug was introduced in the Sudo code back in July 2011, effectively impacting all Sudo versions released over the past ten years. "Other operating systems and distributions are also likely to be exploitable," the security firm said. All in all, the Baron Samedit vulnerability is one of the rare Sudo security flaws that can also be successfully weaponized in the real world, in comparison to the previous two bugs disclosed in years prior.

 

My thoughts

Ho boy, this seems bad. Hopefully it gets patched soon (edit: it was patched, update your sudo) and we can sudo in peace. (I use Arch btw, sorry, had to.)

 

Sources

https://www.zdnet.com/google-amp/article/10-years-old-sudo-bug-lets-linux-users-gain-root-level-access/

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.


1 minute ago, J-from-Nucleon said:

 

Ho boy, this seems bad. Hopefully it gets patched soon and we can sudo in peace. (I use Arch btw, sorry, had to.)

Isn't this literally an article on how it was patched?

AMD blackout rig

 

cpu: ryzen 5 3600 @4.4ghz @1.35v

gpu: rx5700xt 2200mhz

ram: vengeance lpx c15 3200mhz

mobo: gigabyte b550 auros pro 

psu: cooler master mwe 650w

case: masterbox mbx520

fans:Noctua industrial 3000rpm x6


3 minutes ago, Letgomyleghoe said:

Isn't this literally an article on how it was patched?

*facepalm*

Huh, I didn't notice. Guess I should read better.

Well, never mind then.


Still an interesting article.

8 minutes ago, J-from-Nucleon said:

*facepalm*

Anything I've written between the * and * is not meant to be taken seriously.

Keep in mind that helping with problems is hard if you aren't specific and detailed.

I'm also not a professional (yet), so make sure to personally verify important information as I could be wrong.


Well, most Linux users regularly do apt update and upgrade, so this shouldn't be an issue, right?

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

CPU: Ryzen 9 5900X Case: Antec P8 PSU: Corsair RM850x Cooler: Antec K240 with two Noctua Industrial PPC 3000 PWM

Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


5 minutes ago, williamcll said:

Well, most Linux users regularly do apt update and upgrade, so this shouldn't be an issue, right?

As long as they update, it won't.


If it's a security update my Ubuntu server box will pull it automatically (I think); I'll run pamac on Arch later manually.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


3 minutes ago, Master Disaster said:

If it's a security update my Ubuntu server box will pull it automatically (I think)

As someone who runs Ubuntu on a daily basis I can assure you that is correct; as much as people sht on Windows' Auto Update, it kept driving me crazy that I kept having issues with firejail + vmware (non-commercial free edition) until I figured out that it was the auto kernel upgrades that kept throwing off my setup. Having a 100% customizable setup can definitely be a bit of a double-edged sword, as I've learned the hard way...

Yes this is also why I immediately went to check for updates manually as soon as I read this news post.


Yeah, nothing for me except a Grub update...


3 minutes ago, Master Disaster said:

Yeah, nothing for me except a Grub update...


Here's Ubuntu's own CVE listing FYI - https://ubuntu.com/security/CVE-2021-3156
 

Also are you running the *LTS HWE* version of Ubuntu? I've learned that particular LTS version tends to get updates more often and (probably) for longer periods of time since it also needs to support the latest hardware for at least quite a while after initial release.


6 minutes ago, linuxChips2600 said:

Here's Ubuntu's own CVE listing FYI - https://ubuntu.com/security/CVE-2021-3156

Thanks, but there's no need for it; I can tell it's pulled something since it's prompting for a reboot, and a quick apt-cache check shows Sudo was updated last night.

 

One thing though, on the CVE site you linked it says "Sudo versions prior to 1.9.5 have..." while the "fixed" version is 1.9.1.

 

Huh?


3 minutes ago, Master Disaster said:

One thing though, on the CVE site you linked it says "Sudo versions prior to 1.9.5 have..." while the "fixed" version is 1.9.1.

 

Huh?

I have found that Ubuntu (being a "custom Debian") does slightly different versioning for packages depending on the distro *especially* if it is an LTS version, as can be seen from this gdb launchpad.net repo: https://launchpad.net/ubuntu/+source/gdb
 

... is what I was going to basically say, until I did a double take at that website linked and it said "Upstream Needs triage"

So from what I can gather from these sites:
https://wiki.ubuntu.com/SecurityTeam/BugTriage
https://wiki.ubuntu.com/Bugs/Triage?action=show&redirect=Bugs%2FHowToTriage
 

It seems that Canonical (the main driving force behind Ubuntu) is just being Canonical again and not necessarily having everyone's best interests in mind.

Looks like OP might be onto something, although I'm not exactly happy about what I'm discovering here...

Time to switch to Arch for me?

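The two posts above run into the same snag: the upstream Sudo fix is 1.9.5p2, but Debian-family distros ship older upstream numbers with the fix backported, so a bare version compare can cry wolf. This added example (not from the thread, the Sudo project or Canonical) parses the `sudo --version` line, orders versions correctly including the `pN` suffix, and defers to the distro advisory when the package is not upstream; the sample output string and the `ubuntu` argument are constructed for the demo.

```shell
#!/bin/sh
# Added example: classify a sudo version against the upstream fix release
# 1.9.5p2 for CVE-2021-3156 ("Baron Samedit"), and flag when a distro
# advisory must be consulted instead of the upstream number.

FIXED_UPSTREAM=1.9.5p2

# Split "MAJOR.MINOR[.PATCH][pN]" into four integers; missing parts are 0.
sudo_version_fields() {
    base=${1%%p*}                        # "1.9.5p2" -> "1.9.5"
    p=${1#"$base"}; p=${p#p}             # -> "2" (empty when no pN)
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$rest" = "$patch" ] && patch=0    # "1.9" has no third field
    echo "$major $minor $patch ${p:-0}"
}

# True (exit 0) when version $1 sorts strictly before version $2.
version_lt() {
    set -- $(sudo_version_fields "$1") $(sudo_version_fields "$2")
    i=0
    while [ "$i" -lt 4 ]; do             # $1..$4 = left, $5..$8 = right
        [ "$1" -lt "$5" ] && return 0
        [ "$1" -gt "$5" ] && return 1
        shift; i=$((i + 1))
    done
    return 1                             # equal
}

# Distro packages (Debian, Ubuntu, ...) backport the fix without bumping the
# upstream number, so an "old" number there is not proof of exposure: the
# distro advisory (Ubuntu: https://ubuntu.com/security/CVE-2021-3156) decides.
# $2 is the distro ID (e.g. from /etc/os-release); default "upstream".
classify_sudo_version() {
    ver=$1; distro=${2:-upstream}
    if ! version_lt "$ver" "$FIXED_UPSTREAM"; then echo fixed
    elif [ "$distro" = upstream ]; then echo vulnerable
    else echo check-distro-advisory
    fi
}

# Pull the version token out of `sudo --version` output.
parse_sudo_version_output() {
    set -- $1                            # word-split "Sudo version X.Y.Z ..."
    if [ "$1 $2" = "Sudo version" ]; then echo "$3"; else echo unknown; fi
}

# Constructed sample, shaped like the first line `sudo --version` prints.
# On a real host: classify_sudo_version "$(parse_sudo_version_output \
#   "$(sudo --version)")" "$(. /etc/os-release && echo "$ID")"
SAMPLE_OUTPUT='Sudo version 1.8.31'
v=$(parse_sudo_version_output "$SAMPLE_OUTPUT")
echo "sample: $v on ubuntu -> $(classify_sudo_version "$v" ubuntu)"  # check-distro-advisory
```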

1 hour ago, linuxChips2600 said:

I have found that Ubuntu (being a "custom Debian") does slightly different versioning for packages depending on the distro *especially* if it is an LTS version, as can be seen from this gdb launchpad.net repo: https://launchpad.net/ubuntu/+source/gdb
 

... is what I was going to basically say, until I did a double take at that website linked and it said "Upstream Needs triage"

So from what I can gather from these sites:
https://wiki.ubuntu.com/SecurityTeam/BugTriage
https://wiki.ubuntu.com/Bugs/Triage?action=show&redirect=Bugs%2FHowToTriage
 

It seems that Canonical (the main driving force behind Ubuntu) is just being Canonical again and not necessarily having everyone's best interests in mind.

Looks like OP might be onto something, although I'm not exactly happy about what I'm discovering here...

Time to switch to Arch for me?

I don't necessarily have an issue with them using different package versioning as long as they're consistent with it. If I'm not sure about something I'll often Google it and make sure the info is relevant to my distro; the fact they (might) use different versioning on their CVE listing and their release packages makes it very difficult to be sure what I'm reading is correct.

 

Similarly, I'm actually not against Canonical focusing on becoming self-sustaining; they do have to survive as a business. What's the point in having a community council to give input on Ubuntu's future if the future of Canonical is bankruptcy? Just don't start pushing changes to Ubuntu that make it vastly different from other mainstream distros. The reason Ubuntu is recommended as a nice distro to learn Linux on is because it ships with a nice set of packages, doesn't require users to manually edit config files in order for it to work, can be used for everyday tasks without the need for a terminal at all, is focused on ease of use over customisation and manual control, and has a vast community of support on the web, but still contains all the required tools for users to push into more advanced Linux stuff should they want to.

 

If they lose that raison d'etre they have nothing special to offer the Linux community at all and other similar distros (openSUSE, & Fedora) will sweep in and replace them.

 

Edit - Also, Arch has a certain stigma attached to it; I went into it expecting to be met with very little documentation and elitism when asking the community for help. My experience has been the exact opposite: the Arch Wiki is very well maintained and is actually written in a way which is easier to understand than Ubuntu's documentation, and every time I've fucked something up and asked for help I've received very clear instructions on how to fix the issues.

 

The fact you start with the bare minimum (when installed it consists of Grub, systemd and a shell, that's it) and build your own environment means you can have exactly what you need and nothing you don't need. Plus it taught me so much about the Linux filesystem, using a shell and not being totally reliant on a UI, how things are configured and why things are done the way they are, which IMO is a great thing.


I edited a comic.


PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


I mean, it’s not great but if you are using Linux you will probably be fine anyway. 
