CVE-2021-3156 | Heap-Based Buffer Overflow in Sudo

Published: 2021-01-26
MITRE CVE-2021-3156

“The Qualys Research Team has discovered a heap overflow vulnerability in sudo, a near-ubiquitous utility available on major Unix-like operating systems. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.”

This is especially bad for multi-user environments where some users have login access but should not have root access.

Thanks to the responsible and coordinated vulnerability disclosure on Qualys’ part, updated versions should be available for most affected systems. This vulnerability will probably affect most systems that use the sudo command.

The CVSS Base Score is 7, but during our evaluation we did not agree that no privileges are required. With the “Privileges Required” vector set to “Low” instead of “None”, the CVSS score is 6.7. We consider this our environmental CVSS score for this vulnerability.

Currently there is no exploit in the wild. If an exploit is published, this vulnerability will become critical and must be mitigated as fast as possible.

We are tracking this internally as BF-VLN-2208165 with an increased priority and have a goal of having all systems patched within 30 days.