A ten-year-old flaw found in the Sudo utility could lead to root access on Unix-based systems, including macOS Big Sur and earlier versions.
In January, security researchers revealed a new vulnerability that could affect Unix-based operating systems. The bug is identified as CVE-2021-3156, a heap-based buffer overflow in Sudo. It appears similar to a previous flaw called CVE-2019-18634.
Qualys researchers identified the bug in Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). They say it can affect other operating systems and distributions running an affected version of Sudo. All legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 are affected.
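As an added illustration (not code from the article or from Qualys), the following Python sketch checks whether an installed Sudo reports an upstream version inside the affected ranges listed above. It assumes the first line of `sudo -V` has the form `Sudo version X.Y.ZpN`; the function names are hypothetical, and because distributions can backport fixes without changing the upstream version string, a match means "check your vendor advisory", not proof of exposure.

```python
import re
import subprocess

# Affected upstream ranges as stated in the article (both ends inclusive).
AFFECTED = [("1.8.2", "1.8.31p2"), ("1.9.0", "1.9.5p1")]

# Matches e.g. "1.8.31p2" or "1.9.2"; the "pN" patch-level suffix is optional.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, plevel) from text such as 'Sudo version 1.8.31p2'."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    # A missing "pN" suffix sorts before p1, so treat it as patch level 0.
    return (int(major), int(minor), int(patch), int(plevel or 0))


def in_affected_range(text):
    """True if the version in `text` falls inside one of the article's ranges."""
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED)


def installed_sudo_banner(binary="sudo"):
    """First line of `sudo -V`, or None if sudo is missing or prints nothing."""
    try:
        out = subprocess.run([binary, "-V"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return None
    return out.splitlines()[0] if out.strip() else None


if __name__ == "__main__":
    banner = installed_sudo_banner()
    if banner is None:
        print("sudo not found")
    elif in_affected_range(banner):
        # Upstream version is in range; a distro backport may still have fixed it.
        print(f"{banner}: in affected upstream range, check vendor advisory")
    else:
        print(f"{banner}: outside the affected upstream ranges")
```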
The researchers note that users need access to the computer to exploit the bug. The bug has been around for at least 10 years, but this is the first known documentation of it.
Initially, it was unclear whether the vulnerability is present in macOS, but security researcher Matthew Hickey revealed Wednesday that the bug can be exploited on Macs as well.
CVE-2021-3156 also has an impact @apple MacOS Big Sur (currently untested), you can enable the case to be used by connecting sudo to sudoedit and then waking up the overflow to increase a person’s benefits to 1337 = 0. Fun for @p0sixninja pic.twitter.com/tyXFB3odxE
– Fantastic Hacker (@hackerfantastic) February 2, 2021
“To motivate, you just have to go over argv[0] or create a symlink, which thus exposes the OS to the same local vulnerability that plagued Linux users last week or so,” Matthew Hickey, co-founder of Hacker House, told ZDNet.
Hickey’s findings have been confirmed by other well-known macOS security researchers. Patrick Wardle confirmed the conclusions to ZDNet, and vulnerability analyst Will Dormann confirmed the investigation in a tweet.
Now that the bug is known to Linux distributors, it looks like it will be fixed soon. Apple may release a security update with the patch at any time, but users can act faster if they feel the need. Qualys offers a paid program that explains how they can take advantage, but most users will not need to worry.
Who is at risk, and how you can protect yourself
The vulnerability is present in both older and more recent macOS versions, so it seems that a large number of Macs can be exploited. However, since the vulnerability requires local access to the computer and the actual exploit has not been made public, it is unlikely that any regular user will be affected before a macOS update is issued.
Hickey said he notified Apple of the security flaw earlier Wednesday. Although the Cupertino tech giant declined to comment while it investigated the issue, the company may release a patch sooner rather than later.