Back to BlogUpdate Blumira Sensors: Sudo Privilege Escalation (CVE-2021-3156)
What Happened?
On January 26, a new critical vulnerability to the Sudo binary across nearly all Linux hosts was disclosed. Known as CVE-2021-3156, this vulnerability potentially allows an attacker to leverage the Sudo binary to gain root privileges by passing certain characters to the command line. Over the years, there have been a number of Sudo-related vulnerabilities, however, in this case, it can only be leveraged in non-standard configurations.
Who’s Affected?
Currently, all versions of Sudo that are identified below are known to be vulnerable to this local privilege escalation vulnerability.
- All legacy versions from 1.8.2 to 1.8.31p2
- All stable versions from 1.9.0 to 1.9.5p1
Updating Sudo
If your Blumira Sensor is set up per Blumira guidance, you are likely utilizing the unattended security updates feature of Ubuntu, and Sudo should have been updated last night.
If you did not enable unattended security updates or are not sure, below you will find commands to determine state and update if need be.
Patched Sudo Versions – Ubuntu
| Operating System | Patched Sudo Version |
|---|---|
| Ubuntu 18 LTS (Blumira Sensor) | 1.8.21p2 |
| Ubuntu 20 LTS (Alternate Blumira Sensor) | 1.8.31-1ubuntu1.2 |
See details in Ubuntu’s security notice.
Validating Sudo Version
Log in to your Blumira Sensor over SSH or however you access your Sensors generally. Run the command sudo --version to determine current state.
$ sudo --version
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2
Updating Sudo
Updating Sudo is a simple process, feel free to run this even if you think your machine updated last night with unattended upgrades.
You can additionally validate your unattended upgrades by reviewing the contents of the logs, tail -n 25 /var/log/unattended-upgrades/unattended-upgrades.log.
For updating your Sudo binary itself, you only need to run sudo apt update && sudo apt install sudo. Below is an example of an already updated Ubuntu 18 LTS Blumira Sensor.
$ sudo apt update && sudo apt install sudo
Hit:1 http://us.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:4 http://us.archive.ubuntu.com/ubuntu bionic-security InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
68 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree
Reading state information... Done
sudo is already the newest version (1.8.21p2-3ubuntu1.4).
sudo set to manually installed.
The following packages were automatically installed and are no longer required:
linux-headers-4.15.0-118 linux-headers-4.15.0-118-generic linux-image-4.15.0-118-generic linux-modules-4.15.0-118-generic linux-modules-extra-4.15.0-118-generic
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 68 not upgraded.