New critical sudo vulnerability - CVE-2021-3156

Support for security such as Firewalls and securing linux
Blair
Posts: 6
Joined: 2021/01/27 12:01:26

New critical sudo vulnerability - CVE-2021-3156

Post by Blair » 2021/01/27 12:08:40

Hello everyone

Yesterday a heap overflow vulnerability in sudo was published.
It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.
Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host, so it is severe.
You can get extended info at this URL: https://blog.qualys.com/vulnerabilities ... on-samedit

CentOS Team, can we expect a quick sudo package update in the coming days? At least for the 7.x and 8.x releases?
Can you give us some information about CentOS 6.x? Will it get a sudo rpm update at least? Maybe through Vault Repo?

Many thanks
Best regards

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: New critical sudo vulnerability - CVE-2021-3156

Post by TrevorH » 2021/01/27 12:18:53

The update is already out and public for CentOS 7. I believe it's also out for CentOS Stream and CentOS Linux 8 is pending and will be along soon (for some definition of...).

CentOS 6 is based on RHEL 6 and is EOL and is unlikely to receive the fix. If Red Hat decide to publish a public fix for RHEL 6.x then I would suspect that it will get rebuilt for CentOS 6 too but I do not think this will happen.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Blair
Posts: 6
Joined: 2021/01/27 12:01:26

Re: New critical sudo vulnerability - CVE-2021-3156

Post by Blair » 2021/01/27 12:26:14

Hello TrevorH,
Thank you for your extremely quick answer :D

Red Hat has published today: https://access.redhat.com/errata/RHSA-2021:0227 for Red Hat Enterprise Linux Server - Extended Life Cycle Support 6.

Can it give us some hope about a possible fix?

About 7.x, yes, I just updated a CentOS 7.9 and I confirm that the sudo fix is already released.

Best regards

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: New critical sudo vulnerability - CVE-2021-3156

Post by TrevorH » 2021/01/27 12:27:02

No, ELS updates are not public. You have to have a RH ELS subscription to be able to access them.

Blair
Posts: 6
Joined: 2021/01/27 12:01:26

Re: New critical sudo vulnerability - CVE-2021-3156

Post by Blair » 2021/01/27 12:29:45

Thanks again, TrevorH

Greetings

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: New critical sudo vulnerability - CVE-2021-3156

Post by TrevorH » 2021/01/27 12:49:37

Since I have a few el6 boxes still around, I downloaded the latest SRPM for CentOS 6 sudo from vault and also the patch from the CentOS 7 SRPM that was just released and tried to rebuild the el6 copy including the el7 patch. It fails as there are files in the el7 version that are not in the el6 one so the patch will not apply.

Blair
Posts: 6
Joined: 2021/01/27 12:01:26

Re: New critical sudo vulnerability - CVE-2021-3156

Post by Blair » 2021/01/28 07:22:37

Hello TrevorH,
You have given us better and quicker support/help than Red Hat Support, sincerely. My team sends you their gratitude.
We are going to highly recommend to our customers that they migrate their 6.10 servers to 7.9 ASAP.
Best regards

Blair
Posts: 6
Joined: 2021/01/27 12:01:26

Re: New critical sudo vulnerability - CVE-2021-3156

Post by Blair » 2021/01/28 07:59:46

Hello again.
I just checked the official sudo website: https://www.sudo.ws/sudo/
They have released source code for 1.9.5p2 and an updated rpm package for the stable branch, even for CentOS 6 :)
I don't know if they are going to make a legacy release.
Greetings

treimers
Posts: 2
Joined: 2021/01/29 18:55:24

Re: New critical sudo vulnerability - CVE-2021-3156

Post by treimers » 2021/01/29 19:08:09

TrevorH wrote (2021/01/27 12:18:53):
The update is already out and public for CentOS 7. I believe it's also out for CentOS Stream and CentOS Linux 8 is pending and will be along soon (for some definition of...).

CentOS 6 is based on RHEL 6 and is EOL and is unlikely to receive the fix. If Red Hat decide to publish a public fix for RHEL 6.x then I would suspect that it will get rebuilt for CentOS 6 too but I do not think this will happen.
Hi TrevorH ---

How can I find out which version of sudo is the patched version for CentOS 7?

I have done a yum update sudo*

That upgraded me from
sudo 1.8.23-4
to
sudo 1.8.23-10

However ---
http://cve.mitre.org/cgi-bin/cvename.cg ... -2021-3156
https://www.deepwatch.com/blog/sudo-vulnerability/

"The flaw was introduced in a change made in July 2011, so it is present in sudo legacy versions (1.8.2 to 1.8.31p2) and all stable versions (1.9.0 to 1.9.5p1) "

The new version that Yum Update just installed (sudo 1.8.23-10) was _not_ beyond the range of affected versions....

It would seem that a "fixed" version of sudo for CentOS 7 would have had a version somewhat higher than 1.8.31p2.

If you have knowledge of how to obtain a version of sudo greater than 1.8.31p2
can you share that?

Does not seem that yum update fixes this..... yet...
Running transaction
Updating : sudo-1.8.23-10.el7_9.1.x86_64 1/2
Cleanup : sudo-1.8.23-4.el7_7.1.x86_64 2/2
Verifying : sudo-1.8.23-10.el7_9.1.x86_64 1/2
Verifying : sudo-1.8.23-4.el7_7.1.x86_64 2/2

Updated:
sudo.x86_64 0:1.8.23-10.el7_9.1

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: New critical sudo vulnerability - CVE-2021-3156

Post by TrevorH » 2021/01/29 22:24:06

Updates in RHEL and CentOS do not follow upstream ones. You should Google "rhel backporting" and then read the link on the Red Hat web site that it shows you and that explains how it all works.

For checking: rpm -q --changelog sudo | grep -i cve-2021-3156
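The point of the last two posts, that on RHEL/CentOS the upstream version number of sudo says nothing about whether CVE-2021-3156 is fixed and the package changelog does, is easy to get wrong in fleet checks. The script below is an added example written for this thread (not code from the forum, CentOS or the sudo project): it compares an upstream version against the published affected ranges, which is what a naive scanner does, and then overrides that with the changelog check TrevorH suggests. The sample changelog text and the maintainer name in it are constructed for the example; on a real host the script uses `rpm -q --changelog sudo` instead.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether an installed sudo package
# carries the CVE-2021-3156 fix. Enterprise distros backport fixes without
# bumping the upstream version, so trust the package changelog, not the
# version number alone.

CVE="CVE-2021-3156"

# Constructed sample in the shape of `rpm -q --changelog sudo` output.
# The entries are illustrative; this is NOT the real el7 sudo changelog.
SAMPLE_CHANGELOG='* Tue Jan 26 2021 Example Maintainer <maint@example.invalid> - 1.8.23-10.1
- backport fix for heap-based buffer overflow in sudoers (CVE-2021-3156)

* Mon Sep 16 2019 Example Maintainer <maint@example.invalid> - 1.8.23-4
- rebuild
'

# upstream_version_affected VERSION
# Returns 0 when an *upstream* sudo version string (1.8.23, 1.9.5p1, ...) lies
# inside the published affected ranges 1.8.2..1.8.31p2 and 1.9.0..1.9.5p1.
upstream_version_affected() {
    base=${1%%p*}                 # 1.8.31p2 -> 1.8.31
    suffix=${1#"$base"}           # "p2" or empty
    pn=${suffix#p}; [ -n "$pn" ] || pn=0
    old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs
    maj=$1; min=$2; pat=${3:-0}
    [ "$maj" -eq 1 ] || return 1
    case $min in
        8) if [ "$pat" -lt 2 ]; then return 1; fi
           if [ "$pat" -lt 31 ]; then return 0; fi
           if [ "$pat" -eq 31 ] && [ "$pn" -le 2 ]; then return 0; fi
           return 1 ;;
        9) if [ "$pat" -lt 5 ]; then return 0; fi
           if [ "$pat" -eq 5 ] && [ "$pn" -le 1 ]; then return 0; fi
           return 1 ;;
        *) return 1 ;;
    esac
}

# changelog_mentions_cve CVE CHANGELOG_TEXT
# Returns 0 when the changelog text names the CVE (case-insensitive).
changelog_mentions_cve() {
    printf '%s\n' "$2" | grep -qi -- "$1"
}

# assess_sudo_package VERSION-RELEASE CHANGELOG_TEXT
# VERSION-RELEASE is what `rpm -q sudo` prints without the name and arch,
# e.g. 1.8.23-10.el7_9.1. Prints one of:
#   fixed-by-changelog  upstream version looks affected, but the fix is backported
#   fixed-by-version    upstream version is outside the affected ranges
#   vulnerable          affected version and no trace of the CVE in the changelog
assess_sudo_package() {
    upstream=${1%%-*}             # 1.8.23-10.el7_9.1 -> 1.8.23
    if changelog_mentions_cve "$CVE" "$2"; then
        echo fixed-by-changelog
    elif upstream_version_affected "$upstream"; then
        echo vulnerable
    else
        echo fixed-by-version
    fi
}

# Use the real package when rpm is available, otherwise the constructed sample
# with the version number quoted in this thread.
if command -v rpm >/dev/null 2>&1 && rpm -q sudo >/dev/null 2>&1; then
    pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}' sudo)
    log=$(rpm -q --changelog sudo)
else
    pkg="1.8.23-10.el7_9.1"
    log=$SAMPLE_CHANGELOG
fi
echo "sudo $pkg: $(assess_sudo_package "$pkg" "$log")"
```

Note that the version-range check alone would flag 1.8.23-10.el7_9.1 as vulnerable, which is exactly the confusion in the post above; the changelog entry is what turns the verdict into fixed-by-changelog. A grep hit only proves the maintainers referenced the CVE, so read the matching entry rather than treating the match as a guarantee, and keep the version check for distributions that do not backport.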
