What happened to sudo and who is Baron Samedit?

Posted by Nick Anderson
December 16, 2021

In January of 2021 Qualys security researchers discovered a heap overflow vulnerability in sudo, an extremely common tool installed in most Unix and Linux operating systems. Sudo allows users to execute programs with the privileges of another user but the vulnerability allows any unprivileged user to gain root on a vulnerable host. This specific vulnerability was nicknamed “Baron Samedit”.

The Buffer overflow in command line escaping blog post on sudo.ws notes that the vulnerability can be tested by executing sudoedit -s /. When run as root a vulnerable version of sudo will display an error sudoedit: /: not a regular file.

We can define a class based on this:


    scope => "namespace",
    expression => strcmp( "sudoedit: /: not a regular file",
                          execresult( "$(_sudoedit) -s /", "noshell" ));

Using this class we can make other decisions in policy, for example to try and remediate automatically by upgrading the sudo package what the policy does when it’s found.



     policy => "present",
     version => "latest";

We published a module for this on build.cfengine.com. Integrate it into your policy with cfbs with cfbs add cve-2021-3156-sudo. Learn more about build.cfengine.com and cfbs from our blog post introducing the new tooling.

Get in touch with us
to discuss how we can help!
Contact us
Sign up for
our newsletter
By signing up, you agree to your email address being stored and used to receive newsletters about CFEngine. We use tracking in our newsletter emails to improve our marketing content.