Apple Patches 10-Year-Old macOS SUDO Root Privilege Escalation Bug

Apple has rolled out a fix for a critical sudo vulnerability in macOS Big Sur, Catalina, and Mojave that could allow unauthenticated local users to gain root-level privileges on the system.

“A local attacker may be able to elevate their privileges,” Apple said in a security advisory. “This issue was addressed by updating to sudo version 1.9.5p2.”

Sudo is a common utility built into most Unix and Linux operating systems that lets a user without security privileges access and run a program with the credentials of another user.

Tracked as CVE-2021-3156 (also called “Baron Samedit”), the vulnerability first came to light last month after security auditing firm Qualys disclosed the existence of a heap-based buffer overflow, which it said had been “hiding in plain sight” for almost 10 years.

The vulnerability, which was introduced in the code back in July 2011, impacts sudo versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1, following which the maintainers released 1.8.32 and 1.9.5p2 to resolve the issue.

While the weakness can only be exploited by an attacker already having access to a vulnerable host, the barrier could be easily bypassed by planting malware on a device or brute-forcing a low-privileged service account.

In its report, Qualys researchers said they managed to develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).

But last week, British security researcher Matthew Hickey discovered that the vulnerability also extended to the latest version of macOS Big Sur 11.2, prompting Apple to address the security shortcoming.

“CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one’s privileges to 1337 uid=0,” Hickey tweeted on February 2.

Besides the fix for the sudo vulnerability, Tuesday’s supplemental security update also includes patches for two flaws in Intel Graphics Driver (CVE-2021-1805 and CVE-2021-1806), which could cause an application to execute arbitrary code with kernel privileges.

The vulnerabilities, which stem from an out-of-bounds write and a race condition, respectively, were rectified with additional validation, the iPhone maker said.

Mac users who haven’t opted to check for updates automatically can head to Apple menu > System Preferences, and then click Software Update to download and install the latest updates.

Found this article interesting? Follow THN on Facebook, Twitter  and LinkedIn to read more exclusive content we post.