Full Report
With an estimated 90% of cloud workloads running Linux based OS, with sudo being common across distributions, many Linux cloud assets are at risk and may be affected. Versions released as far back as 2011 are affected by this vulnerability.
Analysis Summary
# Vulnerability: Sudo Privilege Escalation via Unescaped Backslash
## CVE Details
- CVE ID: CVE-2021-3156
- CVSS Score: [Score not explicitly provided, but labeled "high severity" implying a high score] (High)
- CWE: [CWE not explicitly provided]
## Affected Systems
- Products: sudo package
- Versions:
- Legacy versions: 1.8.2 to 1.8.31p2
- Stable versions: 1.9.0 to 1.9.5p1
- Configurations: Default configuration.
## Vulnerability Description
The vulnerability resides in how `sudo` handles arguments when running a command in *shell* mode (invoked via the `-s` or `-i` options).
1. **Shell Mode Argument Handling:** When in shell mode, `sudo` is supposed to escape special characters with a backslash (`\`). The `sudoers` policy plugin then removes these escapes before policy evaluation.
2. **Read Buffer Overrun:** A bug in the escape character removal code causes it to read past the end of the string if the argument ends with an unescaped backslash.
3. **Exploitation Path:** Normally, `sudo` escapes all backslashes in shell mode. However, due to a separate bug in command line parsing, it is possible to invoke `sudoedit` with the `-s` or `-i` options (setting the shell mode flag) without actually executing a command. When this happens, `sudo` *fails* to escape special characters. Crucially, the code responsible for removing escape characters still runs (as it only checks if the shell flag is set, not if a command is actually being run), triggering the buffer over-read vulnerability, leading to local privilege escalation to root for any non-root user.
## Exploitation
- Status: [Not explicitly stated if in the wild, but implied high risk due to severity and public disclosure]
- Complexity: [Implied Low/Medium] (Allows privilege escalation from any user to root without authentication)
- Attack Vector: Local (Requires existing user access)
## Impact
- Confidentiality: [High, due to root access]
- Integrity: [High, due to root access]
- Availability: [High, potential for system disruption via root compromise]
## Remediation
### Patches
- Versions starting from **1.9.5p2** are patched.
- Users should update to the latest available version provided by their distribution.
### Workarounds
- **Testing:** A system is vulnerable if running `sudoedit -s /` results in an error starting with `"sudoedit:"`. A patched system will respond with an error starting with `"usage:"`.
- **Restriction (Implied):** The vulnerability is triggered by using `sudoedit` with `-s` or `-i`. Restricting usage of these flags on `sudoedit` may serve as a temporary mitigation, although patching is strongly recommended. (Note: The article doesn't list explicit workarounds, only testing steps dependent on the flawed logic.)
## Detection
- **Indicators of Compromise:** Successful exploitation would result in a non-root user gaining root shell access via the `sudoedit` command when invoked with specific arguments.
- **Detection methods and tools:** Cloud security scanners (like Wiz, mentioned in the text) can identify vulnerable package versions across Linux environments.
## References
- Vendor Advisory: hxxps://www.sudo.ws/alerts/unescape_overflow.html
- Tool Mention: hxxps://wiz.io/request-a-demo/