sunhux asked:
CVE-2021-3156 sudo vulnerability: details & workaround
Vulnerability affects Sudo legacy versions (1.8.2 to 1.8.31p2) and all stable versions (1.9.0 to 1.9.5p1)
Q1:
Solaris 10's sudo version (as given by 'pkginfo -l CSWsudo') showed
that it's ver 1.8.22, so is it vulnerable?
Q2:
Is there any patch released for Solaris 10, RHEL 7.x and Oracle Linux 7.x
to fix this? As this requires the attacker to log in, I presume various IPS
will not release rules/signatures for it, right?
Q3:
Are there workarounds like applying ACLs on the sudo binary to alert us
(via email) each time someone runs sudo with the 'escape'
character, or renaming sudo away to a shell script that will trap this
'escape' character?
Q4:
Or is there an alternative sudo for Solaris, RHEL, OraLinux that is not
vulnerable (& doesn't introduce other vulnerabilities) that we can use
instead?
Refs:
https://www.bleepingcomputer.com/news/security/new-linux-sudo-flaw-lets-local-users-gain-root-privileges/
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
https://www.sudo.ws/stable.html#1.9.5p2
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
I think the libssp.so.0 problem I faced is due to my root partition
in Solaris filling up.
The link https://itsfoss.community/t/cve-2021-3156-sudo-vulnerability/6194
says 'Solaris ... will be tricky' without offering a patch or fixed binary.
Just tested on my updated RHEL 7.9 and I'm confused: should a
"/" follow after sudoedit?
[root@ /]# cd /usr/bin
[1]+ Exit 1 find . -name sudoedit -print (wd: /)
(wd now: /usr/bin)
[root@ /bin]# ./sudoedit
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group]
[-h host] [-p prompt] [-R directory] [-T timeout] [-u user]
file ...
[root@/bin]# ./sudoedit /
sudoedit: /: not a regular file
[root@/bin]# rpm -qa |grep -i sudo
sudo-1.9.5-3.el7.x86_64
On an unpatched Solaris, I tested the following:
# /opt/csw/bin/sudoedit /
sudoedit: /: not a regular file
# /opt/csw/bin/sudoedit
usage: sudoedit [-AknS] [-C num] [-g group] [-h host] [-p prompt] [-T timeout]
[-u user] file ...
ASKER
I think I misunderstood the test: basically I'll need to issue
sudoedit -s /
So on my updated RHEL (the fixed sudo), I got:
[root@/ bin]# /usr/bin/sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h
host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
& on my unpatched Solaris, I got:
# /opt/csw/bin/sudoedit -s /
sudoedit: /: not a regular file
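The two checks discussed so far, the version range from the question (Q1) and the "sudoedit -s /" probe from this post, as an added example that is not code from the thread. The version check is only a hint: a distro build that backports the fix (the RHEL sudo-1.9.5-3.el7 above still prints the usage text) keeps a version string inside the affected range, so the runtime probe is what actually reflects the installed binary. It assumes a POSIX sh and that sudoedit is on PATH when probe_host is used.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for CVE-2021-3156:
#  1. version_affected: compares a sudo version string against the affected
#     ranges quoted in the question (legacy 1.8.2..1.8.31p2, stable 1.9.0..1.9.5p1).
#     Distro builds that backport the fix (e.g. sudo-1.9.5-3.el7) still fall
#     inside the range, so treat the result as a hint only.
#  2. classify_probe / probe_host: the runtime "sudoedit -s /" probe used in
#     the thread, which reflects the binary that is actually installed.

# Turn "1.8.31p2", "1.9.5-3.el7" or "1.8.22" into a zero-padded numeric key
# (major, minor, patch, p-level) so that plain integer comparison orders them.
version_key() {
    v=${1%%-*}                      # drop a distro release suffix: 1.9.5-3.el7 -> 1.9.5
    p=0
    case $v in *p*) p=${v##*p}; v=${v%%p*} ;; esac
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    printf '%03d%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}" "$p"
}

# Prints "affected" if the version lies inside either affected range, else "not-in-range".
version_affected() {
    k=$(version_key "$1")
    if [ "$k" -ge "$(version_key 1.8.2)" ] && [ "$k" -le "$(version_key 1.8.31p2)" ]; then
        echo affected
    elif [ "$k" -ge "$(version_key 1.9.0)" ] && [ "$k" -le "$(version_key 1.9.5p1)" ]; then
        echo affected
    else
        echo not-in-range
    fi
}

# Classifies the output of "sudoedit -s /": a vulnerable build reports
# "sudoedit: /: not a regular file", a fixed build rejects the -s flag with its
# usage text (some patched builds print "sudoedit: invalid mode flag" instead).
classify_probe() {
    case $1 in
        *"not a regular file"*)            echo vulnerable ;;
        usage:*|*"invalid mode flag"*)     echo patched ;;
        *)                                 echo unknown ;;
    esac
}

# Runs the probe on this host; intended to be run from an unprivileged account.
probe_host() {
    command -v sudoedit >/dev/null 2>&1 || { echo unknown; return; }
    classify_probe "$(sudoedit -s / 2>&1 </dev/null)"
}
```

Per the ranges in the question, 1.8.22 is inside the legacy range, which matches the "not a regular file" result on the unpatched Solaris host.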
ASKER
I have restored the Solaris 10 x86 VM from the snapshot backup
& housekept the root partition:
sudo (of the SMCsudo 1.8.1p1) works; I deinstalled it & installed
the TCMsudo (1.9.5p2) & again got the error below when issuing
sudo:
# sudo
ld.so.1: sudo: fatal: libssp.so.0: open failed: No such file or directory
Killed
Then I downloaded the following package from CSW & installed it, but
I'm still getting the same issue as above:
# pkgadd -d ./libssp0-5.5.0,REV=2017.10.23-SunOS5.10-i386-CSW.pkg
The following packages are available:
1 CSWlibssp0 libssp0 - The GNU Compiler Collection, libssp.so.0
(i386) 5.5.0,REV=2017.10.23
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: all
Processing package instance <CSWlibssp0> from </tmp/tcmsudo/libssp0-5.5.0,REV=2017.10.23-SunOS5.10-i386-CSW.pkg>
libssp0 - The GNU Compiler Collection, libssp.so.0(i386) 5.5.0,REV=2017.10.23
Please see /opt/csw/share/doc/libssp0/license for license information.
## Processing package information.
## Processing system information.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
Installing libssp0 - The GNU Compiler Collection, libssp.so.0 as <CSWlibssp0>
## Installing part 1 of 1.
/opt/csw/lib/amd64/libssp.so.0 <symbolic link>
/opt/csw/lib/amd64/libssp.so.0.0.0
/opt/csw/lib/libssp.so.0 <symbolic link>
/opt/csw/lib/libssp.so.0.0.0
/opt/csw/share/doc/libssp0/license
[ verifying class <none> ]
Installation of <CSWlibssp0> was successful.
# sudo
ld.so.1: sudo: fatal: libssp.so.0: open failed: No such file or directory
Killed
SOLUTION
SOLUTION
ASKER
Sorry, I didn't manage to reply earlier.
>So this doesn't even work for u ?
>https://www.opencsw.org/packages/CSWsudo/
I was navigating the above URL but there's no installable
Solaris package I can download from it to install. It's
only the source code. The 2 links "SourceForge, OpenGrok"
will lead me to TCMsudo, not CSWsudo. Did I miss anything?
My colleague restored the entire Solaris 10 VM from backup &
here's the output I got (I didn't manage to issue those commands
after installing the latest 1.9.5p2 sudo & before he restored):
Noci's suggestion: (no indication of the missing libssp.so.0)
# ldd $( which sudo )
libiconv.so.2 => /usr/local/lib/libiconv.so.2
libsec.so.1 => /usr/lib/libsec.so.1
libc.so.1 => /usr/lib/libc.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libgcc_s.so.1 => /usr/local/lib/libgcc_s.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libavl.so.1 => /lib/libavl.so.1
libmp.so.2 => /lib/libmp.so.2
libmd.so.1 => /lib/libmd.so.1
libscf.so.1 => /lib/libscf.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libgen.so.1 => /lib/libgen.so.1
libm.so.2 => /lib/libm.so.2
SOLUTION
SOLUTION
ASKER
>That sudo doesn't use libssp.so.0 ==> probably your sudo is a different one.
I think TCMsudo uses libssp, not SMCsudo & not CSWsudo.
>Is there an alias referring to a different sudo?
None, as shown below:
# alias
autoload='typeset -fu'
command='command '
functions='typeset -f'
history='fc -l'
integer='typeset -i'
local=typeset
ls=/usr/bin/ls
nohup='nohup '
r='fc -e -'
stop='kill -STOP'
suspend='kill -STOP $$'
>Is there a different path?
After restoring, the following is my PATH, but I didn't get to capture the PATH when TCMsudo was installed:
# echo $PATH
/usr/sbin:/usr/bin::/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/sbin:/usr/local/apache-flume-1.8.0-bin/bin
> https://www.sudo.ws/download.html#binary
Yes, the above is the only updated (1.9.5p2) sudo binary for Solaris that I could find,
& it's TCMsudo. I can't locate any binary of this version for CSW or SMC sudo.
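The PATH printed above contains an empty entry ("/usr/bin::/usr/local/bin"), which the shell searches as the current directory, and the question from the thread is which sudo binary actually gets resolved. As an added example that is not code from the thread, this walks a PATH string in the shell's search order and lists every executable of the given name it would find, flagging empty and relative entries. It assumes a POSIX sh; the PATH to inspect is passed as the second argument (defaulting to the caller's PATH).

```shell
#!/bin/sh
# Added example, not from the thread: list every executable named "$1" that the
# shell could resolve from a PATH string, in search order. Empty entries (the
# "::" in the PATH above) and relative entries both mean "current directory",
# so they are flagged; the first line printed is the one a plain "sudo" runs.
path_candidates() {
    name=$1
    searchpath=${2:-$PATH}
    oldifs=$IFS; IFS=:; set -- $searchpath; IFS=$oldifs
    for dir in "$@"; do
        flag=""
        case $dir in
            "") flag=" [EMPTY ENTRY = current directory]"; dir=. ;;
            /*) ;;
            *)  flag=" [RELATIVE ENTRY]" ;;
        esac
        # Only regular executables count; a directory with that name is skipped.
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            printf '%s/%s%s\n' "$dir" "$name" "$flag"
        fi
    done
}
```

Running path_candidates sudo on the Solaris host would show whether more than one sudo (SMC, CSW, TCM) is reachable and which one wins.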
SOLUTION
ASKER
>is there specific that you are looking at as the original package should suffice
I'm ok to use TCMsudo if it works on our Solaris 10 x86, but after installing it,
it gave the libssp0 error & it's not just a message: sudo can't work at all.
SOLUTION
ASKER
Referring to the above URL, I can only locate TCMsudo (after installing it, the
sudo won't run, giving the error below). Is there any CSWsudo package
somewhere that we can download? I'm not used to compiling from source code.
libssp.so.0 is present in my Solaris 10 & I can't install it again.
# sudo
"ld.so.1: sudo: fatal: libssp.so.0: open failed: No such file or directory
Killed"