CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Hewlett Packard Enterprise (HPE) is warning that a vulnerability in Sudo, an open-source program used within its Aruba AirWave management platform, could allow any unprivileged and unauthenticated local user to gain root privileges on a vulnerable host.
Rated high in severity, HPE warns the Sudo flaw could be part of a “chained attack” where an “attacker has achieved a foothold with lower privileges via another vulnerability and then uses this to escalate privileges,” according to a recent HPE security bulletin.
The Aruba AirWave management platform is HPE’s real-time monitoring and security alert system for wired and wireless infrastructures. The Sudo bug (CVE-2021-3156) was reported in January by Qualys researchers and is believed to impact millions of endpoint devices and systems.
Sudo is a program used by other platforms that “allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user,” according to the Sudo license.
At the time the Sudo bug was found, Mehul Revankar, Qualys’ VP of Product Management and Engineering, described the Sudo flaw in a research note as “perhaps the most significant Sudo vulnerability in recent memory (both in terms of scope and impact)” and said it “has been hiding in plain sight for nearly 10 years.”
For HPE’s part, the company publicly disclosed the flaw last week and said it affected the AirWave management platform prior to version 8.2.13.0, released on June 18, 2021.
“A vulnerability in the command line parameter parsing code of Sudo could allow an attacker with access to Sudo to execute commands or binaries with root privileges,” according to the security bulletin.
Qualys researchers named the Sudo vulnerability “Baron Samedit” and said the bug was introduced into the Sudo code in July 2011. The bug was initially believed to affect only Linux and BSD operating systems, including Linux distributions ranging from Ubuntu 20.04 (Sudo 1.8.31) and Debian 10 (Sudo 1.8.27) to Fedora 33 (Sudo 1.9.2). Since then, additional vendors have come forward with security warnings.
HPE may be the latest to report a Sudo dependency in its code, but it likely won’t be the last.
In February, an Apple security bulletin warned that macOS (macOS Big Sur 11.2, macOS Catalina 10.15.7, macOS Mojave 10.14.6) contained the Sudo flaw inside an unspecified app. The news was followed by Apple’s release of a Sudo patch (Sudo version 1.9.5p2) to mitigate the issue.
In the context of the Aruba AirWave management platform, according to researchers, the bug could be used to carry out privilege escalation attacks. “By triggering a ‘heap overflow’ in the app, it becomes possible to change a user’s low-privilege access to that of a root-level user. This is possible either by planting malware on a device or carrying out a brute force attack on a low-privilege Sudo account,” researchers wrote.
The Sudo bug is a heap-based buffer overflow, which lets any local user trick Sudo into running in “shell” mode. When Sudo is running in shell mode, researchers explain, “it escapes special characters in the command’s arguments with a backslash.” Then, a policy plug-in removes any escape characters before deciding on the Sudo user’s permissions.
HPE says that to mitigate the issue, users should upgrade the AirWave management platform to version 8.2.13.0 or later. Sudo also released a patch earlier this year. A technical workaround is also available for HPE AirWave customers:
“To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for AirWave be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above,” wrote HPE.
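The article gives two concrete patch baselines: AirWave 8.2.13.0 and Sudo 1.9.5p2. The script below is an added example, not code from HPE, Qualys or the Sudo project, showing how an administrator can turn those baselines into an inventory check. It parses the first line of `sudo --version` output (which has the form "Sudo version X.Y.Zp N" on real systems) and compares version strings that carry a "p" patch level. The sample output is constructed; the assumption that every release older than the fixed version should be treated as affected is deliberately conservative, since the page names only the fixed versions and the year the bug was introduced.

```python
"""Patch-state check for CVE-2021-3156 exposure on AirWave hosts (added example)."""
import re
from typing import Dict, Tuple

# Fixed versions as stated in the article; anything older is flagged.
# (Conservative: the page does not give an exact lower bound for affected releases.)
AIRWAVE_FIXED = "8.2.13.0"
SUDO_FIXED = "1.9.5p2"

# Accepts "1.8.31", "1.9.5p2", "8.2.13.0"; the optional "p<n>" is Sudo's patch level.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:p(\d+))?$")
# First line of `sudo --version` is "Sudo version 1.8.31" (assumed format, as on real systems).
_SUDO_OUTPUT_RE = re.compile(r"Sudo version (\d+(?:\.\d+)*(?:p\d+)?)", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split '1.9.5p2' into ((1, 9, 5), 2); a missing patch level counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) else 0
    return parts, patch


def is_older(candidate: str, baseline: str) -> bool:
    """True if candidate sorts strictly before baseline (1.9.5p1 < 1.9.5p2 < 1.9.6)."""
    pa, xa = parse_version(candidate)
    pb, xb = parse_version(baseline)
    # Pad with zeros so 1.9.5 and 1.9.5.0 compare equal instead of by tuple length.
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa, xa) < (pb, xb)


def sudo_version_from_output(output: str) -> str:
    """Extract the Sudo version from `sudo --version` text; raise if not found."""
    m = _SUDO_OUTPUT_RE.search(output)
    if not m:
        raise ValueError("no 'Sudo version' line in output")
    return m.group(1)


def assess(airwave_version: str, sudo_version_output: str) -> Dict[str, object]:
    """Return a small report: which component is below its fixed version."""
    sudo_version = sudo_version_from_output(sudo_version_output)
    return {
        "airwave_version": airwave_version,
        "airwave_below_fix": is_older(airwave_version, AIRWAVE_FIXED),
        "sudo_version": sudo_version,
        "sudo_below_fix": is_older(sudo_version, SUDO_FIXED),
    }


if __name__ == "__main__":
    # Constructed sample: an AirWave host one release behind, with a Sudo matching Ubuntu 20.04.
    sample_sudo_output = (
        "Sudo version 1.8.31\n"
        "Sudoers policy plugin version 1.8.31\n"
        "Sudoers file grammar version 46\n"
    )
    for key, value in assess("8.2.12.1", sample_sudo_output).items():
        print(f"{key}: {value}")
```

Run it against the real `sudo --version` output collected from each host by a configuration-management tool; the two `*_below_fix` flags are what to feed into a ticket or dashboard. Upgrading AirWave is still the fix the bulletin asks for, and the network-segmentation workaround quoted above applies regardless of what this check reports.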
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156
https://support.apple.com/en-us/HT212177
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbnw04188en_us
https://threatpost.com/billions-of-devices-impacted-secure-boot-bypass/157843/
https://threatpost.com/sudo-bug-root-access-linux-2/163395/
https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
https://www.sudo.ws/
https://www.sudo.ws/alerts/unescape_overflow.html