What happened to sudo and who is Baron Samedit?

Posted by Nick Anderson
December 16, 2021

In January of 2021 Qualys security researchers discovered a heap overflow vulnerability in sudo, an extremely common tool installed in most Unix and Linux operating systems. Sudo allows users to execute programs with the privileges of another user, but the vulnerability allows any unprivileged user to gain root on a vulnerable host. This specific vulnerability, CVE-2021-3156, was nicknamed “Baron Samedit”.

The sudo.ws blog post “Buffer overflow in command line escaping” notes that the vulnerability can be tested by executing sudoedit -s /. When run as root, a vulnerable version of sudo will display the error sudoedit: /: not a regular file.

We can define a CFEngine class based on this exact error string:

classes:

  "cve_2021_3156_vulnerable"
    scope => "namespace",
    expression => strcmp( "sudoedit: /: not a regular file",
                          execresult( "$(_sudoedit) -s /", "noshell" ));

Using this class we can make other decisions in policy, for example to try to remediate automatically by upgrading the sudo package when the vulnerability is found:

packages:

  cve_2021_3156_vulnerable::

    "sudo"
      policy => "present",
      version => "latest";
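Putting the two fragments together, as an added example that is not the published module's code: a self-contained policy file that defines the assumed _sudoedit path, skips the check when sudoedit is absent, upgrades the package, and reports the outcome using the standard library's results() classes body.

```cfengine3
body file control
{
      # results() used below comes from the standard library
      inputs => { "$(sys.libdir)/stdlib.cf" };
}

bundle agent cve_2021_3156_sudo_check
{
  vars:
      # Assumed location of sudoedit; adjust for your distribution
      "_sudoedit" string => "/usr/bin/sudoedit";

  classes:
      "have_sudoedit"
        expression => fileexists("$(_sudoedit)");

    have_sudoedit::
      # execresult() returns stdout and stderr combined and strcmp() needs an
      # exact match, so this relies on sudo's English (untranslated) message
      "cve_2021_3156_vulnerable"
        scope => "namespace",
        expression => strcmp( "sudoedit: /: not a regular file",
                              execresult( "$(_sudoedit) -s /", "noshell" ));

  packages:
    cve_2021_3156_vulnerable::
      "sudo"
        policy => "present",
        version => "latest",
        classes => results("bundle", "sudo_upgrade");

  reports:
    !have_sudoedit::
      "$(this.bundle): $(_sudoedit) not found, CVE-2021-3156 check skipped";

    cve_2021_3156_vulnerable.sudo_upgrade_repaired::
      "$(this.bundle): sudo was vulnerable to CVE-2021-3156 and has been upgraded";

    cve_2021_3156_vulnerable.sudo_upgrade_failed::
      "$(this.bundle): sudo is vulnerable to CVE-2021-3156 and the upgrade failed";

    cve_2021_3156_vulnerable.sudo_upgrade_kept::
      "$(this.bundle): sudo is vulnerable to CVE-2021-3156 but no newer package is available";
}

bundle agent __main__
{
  methods:
      "check" usebundle => cve_2021_3156_sudo_check;
}
```

Run it as root with cf-agent -KIf ./cve_2021_3156.cf; the _kept report is the case to watch, since it means the class fired but the package manager offered nothing newer.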

We published a module for this on build.cfengine.com. Integrate it into your policy with cfbs with cfbs add cve-2021-3156-sudo. Learn more about build.cfengine.com and cfbs from our blog post introducing the new tooling.