CVE-2021-3156

Description from NVD

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

Information Acquisition Date: 2021-04-27T11:04Z
CVSS 2.0: 7.2 HIGH
CVSS 3.x: 7.8 HIGH

CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

NVD References

 https://www.openwall.com/lists/oss-security/2021/01/26/3
     source:MISC
     tags:Exploit    Mailing List    Third Party Advisory    
 https://www.sudo.ws/stable.html#1.9.5p2
     source:CONFIRM
     tags:Release Notes    Vendor Advisory    
 [oss-security] 20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)
     source:MLIST
     tags:Exploit    Mailing List    Third Party Advisory    
 GLSA-202101-33
     source:GENTOO
     tags:Third Party Advisory    
 FEDORA-2021-2cb63d912a
     source:FEDORA
     tags:Mailing List    Third Party Advisory    
 DSA-4839
     source:DEBIAN
     tags:Third Party Advisory    
 FEDORA-2021-8840cbdccd
     source:FEDORA
     tags:Mailing List    Third Party Advisory    
 [oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)
     source:MLIST
     tags:Mailing List    Third Party Advisory    
 [oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)
     source:MLIST
     tags:Mailing List    Third Party Advisory    
 http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html
     source:MISC
     tags:Third Party Advisory    VDB Entry    
 https://security.netapp.com/advisory/ntap-20210128-0001/
     source:CONFIRM
     tags:Third Party Advisory    
 https://security.netapp.com/advisory/ntap-20210128-0002/
     source:CONFIRM
     tags:Third Party Advisory    
 20210129 Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021
     source:CISCO
     tags:Third Party Advisory    
 http://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html
     source:MISC
     tags:Exploit    Third Party Advisory    VDB Entry    
 http://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html
     source:MISC
     tags:Exploit    Third Party Advisory    VDB Entry    
 VU#794544
     source:CERT-VN
     tags:Third Party Advisory    US Government Resource    
 http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html
     source:MISC
     tags:Exploit    Third Party Advisory    VDB Entry    
 https://support.apple.com/kb/HT212177
     source:CONFIRM
     tags:Third Party Advisory    
 20210211 APPLE-SA-2021-02-09-1 macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002
     source:FULLDISC
     tags:Mailing List    Third Party Advisory    
 https://kc.mcafee.com/corporate/index?page=content&id=SB10348
     source:CONFIRM
     tags:Third Party Advisory    
 [oss-security] 20210215 Re: sudo: Ineffective NO_ROOT_MAILER and Baron Samedit
     source:MLIST
     tags:Exploit    Mailing List    Third Party Advisory    
 [debian-lts-announce] 20210126 [SECURITY] [DLA 2534-1] sudo security update
     source:MLIST
     tags:Mailing List    Third Party Advisory    
 20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)
     source:FULLDISC
     tags:Exploit    Mailing List    Third Party Advisory    
 https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability
     source:MISC
     tags:Patch    Third Party Advisory    
 https://www.synology.com/security/advisory/Synology_SA_21_02
     source:CONFIRM
     tags:Third Party Advisory    

This vulnerability may involve a PoC.

Description from Forti

Sudo Heap Overflow CVE-2021-3156 Privilege Elevation

This indicates an attack attempt to exploit an Elevation of Privilege vulnerability in Sudo. The vulnerability is due to an error in the vulnerable application when handling a maliciously crafted input. A remote attacker may be able to exploit this to leverage their privileges on vulnerable systems.

Information Acquisition Date: 2021/03/04

Affected Products

All POSIX systems that include sudo (e.g. Linux) since July 2011 (commit 8255ed69).

Sudo versions:
1.8.2 to 1.8.31p2
1.9.0 to 1.9.5p1, in their default configuration.

Confirmed OS:
Ubuntu 16.04
Ubuntu 20.04
Debian 10
Fedora 33
Arch Linux 20210115
Other operating systems might be affected.

Impact

Privilege Escalation: Remote attackers can leverage their privileges on vulnerable systems.

Recommended Actions

Apply the most recent upgrade or patch from the vendor.


List of frequently cited URLs

URL    Num of Times Referred to
http://vulmon.com/vulnerabilitydetails?qid=CVE    3046
https://alerts.vulmon.com/?utm_source=twitter&utm_medium=so...    246
https://blog.qualys.com/vulnerabilities-research/2021/01/26...    193
http://cyberiqs.com/latestnews    52
535/    28
https://lists.astaro.com/ASGV9-IPS-rules.html#0    23
https://www.openwall.com/lists/oss-security/2021/01/26/3    21
https://us-cert.cisa.gov/ncas/current-activity/2021/02/02/s...    13
https://sysdig.com/blog/cve-2021-3156-sudo-falco/    9
https://security-tracker.debian.org/tracker/CVE-2021-3156    8
http://patrowl.io/products/hears    7
http://twinybots.ch    7
https://security.sios.com/vulnerability/sudo-security-vulne...    7
https://www.bleepingcomputer.com/news/security/new-linux-su...    7
https://access.redhat.com/security/vulnerabilities/RHSB-202...    6
https://youtu.be/2_ZaNBl6qNo    5
https://blog.gslin.org/archives/2021/01/27/9938/%e6%9b%b4%e...    5
https://news.ycombinator.com/item?id=25919494    5
https://vimeo.com/504872555    4
https://applech2.com/archives/20210202-macos-11-2-big-sur-n...    4
https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samed...    4
https://www.youtube.com/watch?v=TLa2VqcGGEQ    4
https://thehackernews.com/2021/02/apple-patches-10-year-old...    4
https://securityaffairs.co/wordpress/113900/hacking/sudo-vu...    4
https://research.nccgroup.com/2021/07/06/exploiting-the-sud...    4
https://securityboulevard.com/2021/02/the-linux-flaw-you-ca...    4
https://www.archcloudlabs.com/projects/auditd-cve-2021-3156/    4
https://buff.ly/2KR7DKJ    3
https://haxx.in/CVE-2021-3156_nss_poc_ubuntu.tar.gz    3
https://sudo.ws/dist/sudo-1.9.5p2.tar.gz    3
https://github.com/lockedbyte/CVE-Exploits/blob/master/CVE-...    3
http://izumino.jp/Security/sec_trend.cgi?ref=tw&ref_date=20...    3
https://ubuntu.com/security/notices/USN-4705-1    3
https://opsmtrs.com/3j3Ptli    3
https://twitter.com/jpcert/status/1354306159184809986    3
https://www.sudo.ws/alerts/unescape_overflow.html    3
https://tryhackme.com/room/sudovulnssamedit    3
https://www.zdnet.com/article/recent-root-giving-sudo-bug-a...    3
https://reconshell.com/cve-2021-3156-sudo-vulnerability-tha...    3
https://tools.cisco.com/security/center/publicationListing.x    3
https://fluidattacks.com/blog/fuzzing-sudo/    3
http://tweetedtimes.com/susession?s=tnp    3
https://www.jpcert.or.jp/at/2021/at210005.html    3
https://support.apple.com/en-us/HT201222    3
https://www.crowdstrike.com/blog/how-falcon-spotlight-helps...    3
https://www.freethreatintel.com    3
https://www.helpnetsecurity.com/2021/01/27/cve-2021-3156/    3
https://blog.itsecurityexpert.co.uk/2021/02/the-linux-flaw-...    3
https://datafarm-cybersecurity.medium.com/exploit-writeup-f...    3

Information from Twitter

User    URL    Info    Source    Date
abr_rohith    https://tryhackme.com/room/sudovulnssamedit    Source abr_rohith 1644685460252536832    2023/04/08

GitHub Search Results: Up to 10
Name    URL
blasty/CVE-2021-3156 https://github.com/blasty/CVE-2021-3156
stong/CVE-2021-3156 https://github.com/stong/CVE-2021-3156
reverse-ex/CVE-2021-3156 https://github.com/reverse-ex/CVE-2021-3156
worawit/CVE-2021-3156 https://github.com/worawit/CVE-2021-3156
Rvn0xsy/CVE-2021-3156-plus https://github.com/Rvn0xsy/CVE-2021-3156-plus
CptGibbon/CVE-2021-3156 https://github.com/CptGibbon/CVE-2021-3156
mr-r3b00t/CVE-2021-3156 https://github.com/mr-r3b00t/CVE-2021-3156
0xdevil/CVE-2021-3156 https://github.com/0xdevil/CVE-2021-3156
mbcrump/CVE-2021-3156 https://github.com/mbcrump/CVE-2021-3156
jokerTPR2004/CVE-2021-3156 https://github.com/jokerTPR2004/CVE-2021-3156

2023/04/08 Score : 0
Added Har-sia Database : 2021/01/27
Last Modified : 2023/04/08
Highest Scored Date : 2021/01/27
Highest Score : 852