CVE-2021-3156
📋 TL;DR
CVE-2021-3156 is a heap-based buffer overflow vulnerability in Sudo that allows local users to escalate privileges to root. The exploit involves using 'sudoedit -s' with a command-line argument ending in a backslash. Any system running vulnerable Sudo versions is affected.
💻 Affected Systems
- Sudo
📦 What is this software?
- Communications Performance Intelligence Center by Oracle
- Diskstation Manager Unified Controller by Synology
- Fedora by Fedoraproject
- Micros Compact Workstation 3 Firmware by Oracle
- Micros Kitchen Display System Firmware by Oracle
- Oncommand Unified Manager Core Package by Netapp
- Ontap Select Deploy Administration Utility by Netapp
- Privilege Management For Unix/Linux by Beyondtrust
- Solidfire by Netapp
- Sudo by Sudo Project
⚠️ Risk & Real-World Impact
Worst Case
Full root privilege escalation leading to complete system compromise, data theft, and persistent backdoor installation.
Likely Case
Local privilege escalation allowing attackers to gain root access on compromised systems.
If Mitigated
Limited impact if proper patching and least privilege principles are followed.
🎯 Exploit Status
Multiple public exploits available. Requires local user access but no special privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.5p2 or later
Vendor Advisory: https://www.sudo.ws/security/advisories/unescape_overflow/
Restart Required: No
Instructions:
1. Update the Sudo package using your distribution's package manager.
2. For RHEL/CentOS: 'sudo yum update sudo'
3. For Ubuntu/Debian: 'sudo apt update && sudo apt upgrade sudo'
4. For source installations: download and compile Sudo 1.9.5p2 or later.
🔧 Temporary Workarounds
Remove sudoedit symlink (Linux)
Temporarily remove the sudoedit symlink to prevent exploitation through the packaged sudoedit name:
sudo rm -f /usr/bin/sudoedit
Note that sudo selects edit mode from the name it is invoked under, so removing the packaged symlink does not remove the vulnerable code path; treat this as a stopgap until the package is updated.
Restrict sudoedit usage (Linux)
Modify sudoers to restrict sudoedit command usage:
# Edit /etc/sudoers (via visudo) to remove or restrict sudoedit permissions
The overflow is triggered while sudo parses its command line, before any sudoers rule is consulted, so this limits legitimate sudoedit use but does not block the trigger for local users.
🧯 If You Can't Patch
- Implement strict least privilege principles and limit sudo access
- Monitor for sudoedit usage patterns and implement behavioral detection
🔍 How to Verify
Check if Vulnerable:
Run as an unprivileged user: sudoedit -s / 2>&1 | grep -q 'usage:' && echo 'Not vulnerable' || echo 'Vulnerable'
A patched build rejects the combination with a usage error; a vulnerable build accepts it and prints an error beginning with 'sudoedit:'.
Check Version:
sudo --version | head -1
Verify Fix Applied:
Check Sudo version: sudo --version | head -1 (expect 1.9.5p2 or later). Distributions often backport the fix without changing the upstream version number, so re-run the sudoedit -s / check above to confirm.
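An added Python wrapper for the two checks above (written for this page, not code from the Sudo project): it classifies the `sudoedit -s /` probe output the way the advisory test does (a usage error means patched, an error prefixed `sudoedit:` means vulnerable) and compares the `sudo --version` string against 1.9.5p2. Function names are my own; run it as an unprivileged user and treat the version comparison as a hint only, since distributions backport the fix under older upstream version numbers.

```python
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (1, 9, 5, 2)  # upstream fix release 1.9.5p2, as named in the advisory

def classify_probe_output(first_line: str) -> str:
    """Classify the first line 'sudoedit -s /' prints when run as an unprivileged user.

    A patched build rejects -s in edit mode with a usage message; a vulnerable build
    accepts it and reports an error about the path, prefixed with the program name.
    """
    text = first_line.strip()
    if text.startswith("usage:"):
        return "patched"
    if text.startswith("sudoedit:"):
        return "vulnerable"
    return "unknown"

def parse_sudo_version(version_line: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn 'Sudo version 1.9.5p2' into (1, 9, 5, 2); a missing pN suffix counts as 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version_line)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))

def version_at_or_after_fix(version_line: str) -> Optional[bool]:
    """None if unparseable. False only says the upstream number predates 1.9.5p2;
    distributions backport the fix without bumping it, so rely on the probe result."""
    v = parse_sudo_version(version_line)
    return None if v is None else v >= FIXED_VERSION

def run_live_checks() -> dict:
    """Run both checks against the sudo installed on this host (hypothetical helper name)."""
    result = {"probe": "unknown", "version_line": "", "version_at_or_after_fix": None}
    try:
        probe = subprocess.run(["sudoedit", "-s", "/"], capture_output=True, text=True)
        lines = (probe.stderr or probe.stdout).splitlines()
        result["probe"] = classify_probe_output(lines[0] if lines else "")
        ver = subprocess.run(["sudo", "--version"], capture_output=True, text=True)
        result["version_line"] = ver.stdout.splitlines()[0] if ver.stdout else ""
        result["version_at_or_after_fix"] = version_at_or_after_fix(result["version_line"])
    except FileNotFoundError:
        result["probe"] = "sudo not installed"
    return result

if __name__ == "__main__":
    print(run_live_checks())
```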
📡 Detection & Monitoring
Log Indicators:
- Unusual sudoedit commands with backslash characters
- Failed sudoedit attempts with specific patterns
Network Indicators:
- N/A - Local privilege escalation
SIEM Query:
source="sudo" AND (command="sudoedit" OR command="sudoedit -s") AND args="*\\"
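The SIEM query above, applied locally to sudo's syslog records as an added example (not part of the original record): it pulls the COMMAND= field from each line and flags sudoedit invocations where any argument ends in a backslash, the trigger shape named in the TL;DR. The log lines are constructed for the example and follow sudo's default syslog layout; the function names are my own.

```python
import re
from typing import List, Tuple

# Fields of sudo's default syslog line (the constructed sample below follows this shape).
USER_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:")
COMMAND_RE = re.compile(r"COMMAND=(?P<cmd>.*)$")

# Constructed sample log lines, not captured from a real host.
SAMPLE_LOG = [
    "Jan 26 10:00:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jan 26 10:00:02 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=sudoedit -s \\",
    "Jan 26 10:00:03 host1 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=sudoedit /etc/hosts",
    "Jan 26 10:00:04 host1 sudo:     dave : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/sudoedit -s AAAA\\ BBBB\\",
    "Jan 26 10:00:05 host1 sshd[123]: Accepted publickey for alice from 10.0.0.5 port 2222",
]

def is_backslash_sudoedit(command: str) -> bool:
    """True when the logged command is sudoedit and any argument ends in a backslash.

    Mirrors the SIEM query: program name sudoedit (with or without a path) plus a
    trailing-backslash argument. str.split() is used on purpose; shlex would reject
    the dangling backslash we are looking for.
    """
    argv = command.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "sudoedit":
        return False
    return any(arg.endswith("\\") for arg in argv[1:])

def scan_lines(lines) -> List[Tuple[str, str]]:
    """Return (user, command) for every sudo record that matches the indicator."""
    hits = []
    for line in lines:
        cmd = COMMAND_RE.search(line)
        if not cmd:
            continue  # not a sudo command record (e.g. sshd)
        command = cmd.group("cmd").strip()
        if is_backslash_sudoedit(command):
            user = USER_RE.search(line)
            hits.append((user.group("user") if user else "?", command))
    return hits

if __name__ == "__main__":
    for user, command in scan_lines(SAMPLE_LOG):
        print(f"ALERT user={user} command={command!r}")
```

Sudo writes its log entry only after it has processed the command line, so an attempt that crashes the process may leave no COMMAND= record at all; treat a match as one signal alongside crash and core-dump records.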
🔗 References
- http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html
- http://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html
- http://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html
- http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html
- http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html
- http://seclists.org/fulldisclosure/2021/Feb/42
- http://seclists.org/fulldisclosure/2021/Jan/79
- http://seclists.org/fulldisclosure/2024/Feb/3
- http://www.openwall.com/lists/oss-security/2021/01/26/3
- http://www.openwall.com/lists/oss-security/2021/01/27/1
- http://www.openwall.com/lists/oss-security/2021/01/27/2
- http://www.openwall.com/lists/oss-security/2021/02/15/1
- http://www.openwall.com/lists/oss-security/2021/09/14/2
- http://www.openwall.com/lists/oss-security/2024/01/30/6
- http://www.openwall.com/lists/oss-security/2024/01/30/8
- https://kc.mcafee.com/corporate/index?page=content&id=SB10348
- https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/
- https://security.gentoo.org/glsa/202101-33
- https://security.netapp.com/advisory/ntap-20210128-0001/
- https://security.netapp.com/advisory/ntap-20210128-0002/
- https://support.apple.com/kb/HT212177
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM
- https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability
- https://www.debian.org/security/2021/dsa-4839
- https://www.kb.cert.org/vuls/id/794544
- https://www.openwall.com/lists/oss-security/2021/01/26/3
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.sudo.ws/stable.html#1.9.5p2
- https://www.synology.com/security/advisory/Synology_SA_21_02
- https://www.vicarius.io/vsociety/posts/sudoedit-pwned-cve-2021-3156
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3156