Sudo Vulnerability Discovered: How to Protect Your System From Baron Samedi

We tend to associate free with good. That’s not the case though when what is free is unauthorized root-level access to your Linux systems! On January 26, 2021, a vulnerability, CVE-2021-3156, was disclosed that affects just about every Linux or Unix distribution that utilizes the sudo functionality.

TLDR: You need to update your operating system as soon as possible to ensure you have the patch.

Now that you have scheduled emergency patching windows for all your impacted systems . . . you did right? Let’s get into how this vulnerability works and what the potential impact is.

On a healthy system, you have to run a su command and provide the root password or have your account authorized in the /etc/sudoers file to gain administrative level access to a Linux system. The Baron Samedit bug, however, utilizes a buffer overflow in the Sudo logic to allow a non-privileged account to bypass this security mechanism and run commands with root-level privileges.

While running a sudo command in shell mode (either with the -s or -i argument), special characters must be escaped with a backslash / character. With this vulnerability, however, you can add an extra backslash to any command. This will cause sudo to skip the policy review step where it reads /etc/sudoers to ensure the executing account has sudo privileges. Now with ill-gotten access to root-level privileges, a bad actor could do anything to a compromised system.

You can test this for yourself by logging into a Linux system with a non-privileged account and running:

$ sudoedit -s /

If the prompt returns sudoedit: your system is vulnerable and needs to be patched. However, if your system returns a usage description, your system has been patched and is no longer susceptible to this attack.

demonstration of what it would look like if your system is patched
sudoedit returns useage on patched system

This vulnerability was discovered by independent testing by Qualys Inc. an information security and compliance company. Their research found that Baron Samedit was actually introduced in version 1.8.2 released, get this, 10 years ago! This bug has been in the wild for almost a decade! It impacts legacy versions 1.8

Rarely do we see a bug with such a wide pool of targets. Sudo is utilized in Unix and Linux systems everywhere. This impacts popular distributions like Red Hat Enterprise Linux, Ubuntu, Debian, SUSE, Fedora, and so on. Even BSD and other Unix derivatives are not immune to CVE-2021-3145. The risk of any bad actor gaining root-level rights to your systems cannot be overstated. Once running as root, your system can become a slave to botnets, used for crypto-mining, or exploited to retrieve sensitive data.

DistributionFixed VersionMore Details
Red Hat Enterprise Linux 81.8.29-6.el8_3.1Advisory
Ubuntu 20.041.8.31-1ubuntu1.2Advisory
SUSE Enterprise Linux 151.8.22-4.15.1Advisory
openSUSE Leap 15.21.8.22-lp152.8.6.1Advisory
Fedora 331.9.5p2-1.fc33Advisory
Debian 101.8.27-1+deb10u3Advisory
Arch Linux1.9.5.p2-1Advisory
Gentoo1.9.5.p2Advisory
the above table lists the packages containing the patch in the most popular distributions

If you would like to read more about Baron Samedit and the deeper, technical explanation of how this vulnerability was found and how it works, Qualys published an in-depth blog on their findings: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo

You maybe wondering the same thing I was . . . Where in the world did Qualys get the name Baron Samedit? Turns out, it’s a play on sudoedit and Baron Samedi. According to Voodoo mythology, Baron Samedi is the Loa (god) of the Dead. He is a chaotic spirit who spends his time smoking, drinking, and well possessing others. This ‘spirit’ even attempts to ensnare everyone’s favorite secret agent, James Bond.

Baron Samedi from Live and Let Die
Baron Samedi from Live and Let Die

Just like 007, we need to overcome this new foe, Baron Samedit. Patch your systems…


Additional Reading:
CVE.Mitre.Org: 2021-3156
Sudo.ws: Buffer overflow in command line unescaping
ZDNet: 10-year-old Sudo Bug lets Linux users gain root-level access

This post originally appeared here and is used with permission.