RHSB-2021-002 Privilege escalation via command line argument parsing - sudo - (CVE-2021-3156)

Public Date: January 26, 2021, 11:20
Updated: September 3, 2021, 12:34
Status: Resolved
Impact: Important




Red Hat is aware of a flaw in the way sudo handles command line arguments. A local attacker could cause memory corruption, leading to a crash or privilege escalation. The sudo package is installed by default on Red Hat Enterprise Linux (RHEL) and allows users to execute commands as other users, most commonly root. The issue is assigned CVE-2021-3156 and Red Hat Product Security has classified this flaw as having a severity rating of Important. Affected customers are urged to upgrade to newer versions of sudo. 

The following Red Hat product versions and containers are either directly affected or potentially impacted:

  • Red Hat Enterprise Linux 6

  • Red Hat Enterprise Linux 7

  • Red Hat Enterprise Linux 8

  • Red Hat OpenShift Container Platform 4 [1]

  • Red Hat Virtualization (RHV) 4.3 and 4.4 [1]

  • Red Hat OpenShift Container Storage 4

    • ocs4/rook-ceph-rhel8-operator [2]

    • ocs4/cephcsi-rhel8 [2]

[1] These products contain content from RHEL and will release advisories with updated content soon after RHEL.

[2] Container security relies upon the integrity and updates of the base image, and these containers will be updated to include base image updates. The Container Health Index, part of the Red Hat Container Catalog, can always be used to verify the security status of these Red Hat containers.

To determine if your system is currently vulnerable to these flaws, see the Diagnose section below.

A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command (by default, any local user can execute sudo) without authentication. Successful exploitation of this flaw could lead to privilege escalation.

Red Hat Product Security strongly recommends that customers update to fixed sudo packages once they are available. For customers who cannot update immediately, the following interim partial mitigation using systemtap is suggested:


1. Install the required systemtap packages and their dependencies, for example:

# yum install systemtap yum-utils kernel-devel-"$(uname -r)"

RHEL 7 may require the installation of the kernel debuginfo, using:

# debuginfo-install -y kernel-"$(uname -r)" 

For RHEL 8 and 6 [1], install the sudo debuginfo, using:

# debuginfo-install sudo

2. Create the following systemtap script and save it as sudoedit-block.stap:

# Fires on entry to main() of every process executing /usr/bin/sudo
# (the sudoedit symlink resolves to the same binary).
probe process("/usr/bin/sudo").function("main")  {
        # cmdline_args(0,0,"") returns argument 0 only: the name sudo was invoked under.
        command = cmdline_args(0,0,"");
        # "sudoedit" matches; "sudo" (including "sudo -e") does not.
        if (isinstr(command, "edit")) {
                # Signal 9 (SIGKILL) ends the process before its arguments are parsed.
                # raise() requires guru mode, hence "stap -g" below.
                raise(9);
        }
}

3. Install the script using the following command (as root):

# nohup stap -g sudoedit-block.stap &

(This should output the PID number of the systemtap script)

This script will cause the vulnerable sudoedit command functionality within sudo to stop working. The sudo command will still work as usual (including the editing functionality provided by sudo -e).

Attempting to run the sudoedit command will fail while this systemtap script is running. The above change does not persist across reboots and must be applied after each reboot.

Please consult the article "How to make a systemtap kernel module load persistently across reboots?" to learn how to turn this into a service managed by initd.


4. Once the fixed packages are installed, the systemtap script can be removed by killing the systemtap process, for example:

# kill -s SIGTERM 7590 (where 7590 is the PID of the systemtap process)

Warning: Do not attempt to disable sudoedit by removing the symlink as this is not a sufficient partial mitigation option.

[1] More detailed instructions on installing debuginfo packages can be found in the linked article.
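Steps 2 to 4 above are repeated on every boot and on every host, so they are usually scripted. The following is an added example of such a wrapper; it is not Red Hat's playbook or detection script, and the file locations (/root/sudoedit-block.stap, /run/sudoedit-block.pid, /var/log/sudoedit-block.log) are this example's own choices. It writes the advisory's probe verbatim, launches "stap -g" detached in the same way as the nohup command, records the PID that step 4 needs, and exposes the probe's decision as a Python function so the scope of the mitigation (argument 0 only) can be checked without systemtap installed. Step 1, installing systemtap and the debuginfo packages, is left to yum as shown above.

```python
#!/usr/bin/env python3
"""Apply, check and remove the interim systemtap mitigation for CVE-2021-3156.

Added example (not Red Hat's playbook or detection script): it wraps steps 2-4
of the manual procedure above. Step 1, installing systemtap and the debuginfo
packages, is still done with yum as shown. Start/stop must run as root.
"""
import os
import signal
import subprocess
import sys

# Paths are this example's choice, not taken from the advisory.
SCRIPT_PATH = "/root/sudoedit-block.stap"
PID_FILE = "/run/sudoedit-block.pid"
LOG_FILE = "/var/log/sudoedit-block.log"

# The probe from the advisory, verbatim.  cmdline_args(0, 0, "") returns
# argument 0 only, i.e. the name sudo was invoked under, so "sudoedit ..." is
# killed (raise(9) == SIGKILL) before argument parsing while "sudo -e ..."
# and every other "sudo ..." invocation pass through untouched.
STAP_SCRIPT = '''probe process("/usr/bin/sudo").function("main")  {
        command = cmdline_args(0,0,"");
        if (isinstr(command, "edit")) {
                raise(9);
        }
}
'''


def render_stap_script() -> str:
    """Step 2: the script text that is written to disk."""
    return STAP_SCRIPT


def write_stap_script(path: str = SCRIPT_PATH) -> str:
    with open(path, "w") as fh:
        fh.write(render_stap_script())
    os.chmod(path, 0o600)
    return path


def filter_would_kill(argv) -> bool:
    """The probe's decision, in Python: only argv[0] is inspected."""
    return len(argv) > 0 and "edit" in argv[0]


def mitigation_pid(pidfile: str = PID_FILE):
    """PID of the live stap process recorded in pidfile, or None."""
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
        os.kill(pid, 0)  # signal 0 only tests that the process exists
    except (OSError, ValueError):
        return None
    return pid


def start_mitigation(script: str = SCRIPT_PATH, pidfile: str = PID_FILE,
                     log: str = LOG_FILE) -> int:
    """Step 3: run 'stap -g' detached (the advisory's nohup ... &) and record its PID."""
    pid = mitigation_pid(pidfile)
    if pid is not None:
        return pid
    with open(log, "ab") as out:
        proc = subprocess.Popen(["stap", "-g", script], stdin=subprocess.DEVNULL,
                                stdout=out, stderr=subprocess.STDOUT,
                                start_new_session=True)
    with open(pidfile, "w") as fh:
        fh.write(f"{proc.pid}\n")
    return proc.pid


def stop_mitigation(pidfile: str = PID_FILE) -> bool:
    """Step 4: SIGTERM the recorded stap process once fixed sudo packages are installed."""
    pid = mitigation_pid(pidfile)
    if pid is None:
        return False
    os.kill(pid, signal.SIGTERM)
    os.unlink(pidfile)
    return True


def main(argv) -> int:
    action = argv[1] if len(argv) > 1 else "status"
    if action == "start":
        write_stap_script()
        print("systemtap mitigation started, PID", start_mitigation())
    elif action == "stop":
        print("stopped" if stop_mitigation() else "mitigation was not running")
    else:
        pid = mitigation_pid()
        print(f"mitigation running (PID {pid})" if pid else "mitigation not running")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root with `start` after each reboot (or from a unit file, as the linked article describes for the stap module itself), `status` to confirm the probe is still alive, and `stop` once the fixed sudo package from the table below is installed. Because stap is started in its own session, it survives the calling shell exiting, which is what the original nohup achieves.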

Red Hat customers running affected versions of these Red Hat products are strongly recommended to update as soon as errata are available.

Product | Component(s) | Advisory/Update
--- | --- | ---
Red Hat Enterprise Linux 8 | sudo | RHSA-2021:0218
Red Hat Enterprise Linux 8.2.0 Extended Update Support [2] | sudo | RHSA-2021:0219
Red Hat Enterprise Linux 8.1.0 Extended Update Support [2] | sudo | RHSA-2021:0220
Red Hat Enterprise Linux 7 | sudo | RHSA-2021:0221
Red Hat Enterprise Linux 7.7 Extended Update Support [2] | sudo | RHSA-2021:0222
Red Hat Enterprise Linux 7.6 Extended Update Support [2] | sudo | RHSA-2021:0223
Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, Advanced Update Support [3],[4] | sudo | RHSA-2021:0224
Red Hat Enterprise Linux 7.3 Advanced Update Support [4] | sudo | RHSA-2021:0225
Red Hat Enterprise Linux 7.2 Advanced Update Support [4] | sudo | RHSA-2021:0226
Red Hat Enterprise Linux 6 Extended Lifecycle Support [5] | sudo | RHSA-2021:0227
Red Hat OpenShift Container Platform 3.11 [6] | sudo | RHSA-2021:0221
Red Hat OpenShift Container Storage 4 | ocs4/cephcsi-rhel8, ocs4/rook-ceph-rhel8-operator | Pending [1]
Red Hat OpenShift Container Platform 4.6 [7] | Red Hat CoreOS | RHBA-2021:0235
Red Hat OpenShift Container Platform 4.5 [7] | Red Hat CoreOS | RHBA-2021:0231
Red Hat OpenShift Container Platform 4.4 [7] | Red Hat CoreOS | RHSA-2021:0281
Red Hat Virtualization 4.3 | Red Hat Virtualization Host | Pending [1]
Red Hat Virtualization 4.4 | Red Hat Virtualization Host | Pending [1]


[1] Advisory/Update link will be added once updates are live.

[2] What is the Red Hat Enterprise Linux Extended Update Support (EUS) Subscription?

[3] What is Advanced mission critical Update Support (AUS)?

[4] What is the Red Hat Enterprise Linux SAP Solutions subscription?

[5] An active Extended Life-cycle Support (ELS) subscription is required for access to this patch.  Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active ELS subscription.

[6] Manually updating the sudo package from the Red Hat Enterprise Linux 7 advisory is required.

[7] Affected Red Hat CoreOS components consume RHEL content, and will be rebuilt and released as an advisory for Red Hat OpenShift Container Platform.

NOTE: This flaw does not affect the versions of sudo shipped with Red Hat Enterprise Linux 5, because the vulnerable code was not present in these versions.

Red Hat OpenShift Dedicated clusters are affected as the vulnerable sudo version is present in the systems. However, the impact is very low as the access to the sudo command is already restricted to users with cluster-admin privileges on dedicated clusters.

A vulnerability detection script has been developed to determine if your system is currently vulnerable to this flaw. To verify the authenticity of the script, you can download the detached OpenPGP signature as well. Instructions on how to use GPG signatures for verification are available on the Customer Portal.

Current version: 1.1

Additionally, an Ansible playbook is available which automates the mitigation described above. This playbook will install the packages necessary to use systemtap, and will then create and install a systemtap script to prevent the use of the sudoedit command. This mitigation will need to be re-applied after a reboot, which can be achieved by re-running the playbook.

To use the playbook, define the extra variable HOSTS with the Ansible inventory name of the hosts to which the mitigation will be applied. For example,

ansible-playbook -e HOSTS=web,ns1,mail CVE-2021-3156_stap_mitigate.yml

To verify the authenticity of the playbook, you can download the detached OpenPGP signature. See the Customer Portal for instructions on using GPG signatures for verification.

Current version: 1.0
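The downloadable detection script is the supported way to diagnose a host. As an added example of how such a check can be implemented (this is not Red Hat's script), the program below reads the installed package with `rpm -q sudo` and compares its epoch, version and release against the fixed build using the same ordering rules rpm applies, so that a release of 10 is correctly newer than 9 and 1.8.6p4 newer than 1.8.6p3. The fixed NVR is not printed on this page; take it from the RHSA advisory for your release in the table above and pass it as the only argument. The check refuses to compare across RHEL major versions, because an el7 and an el8 build are not on the same update stream; the same caution applies between Extended Update Support streams, so use the advisory that matches your subscription.

```python
#!/usr/bin/env python3
"""Decide whether the installed sudo RPM predates the fixed build for CVE-2021-3156.

Added example, not Red Hat's detection script: compares 'rpm -q sudo' against a
fixed NVR taken from the RHSA advisory for this release (command-line argument),
using rpm's own version ordering rules.
"""
import re
import subprocess
import sys

ARCHES = {"x86_64", "aarch64", "ppc64le", "s390x", "i686", "noarch", "src"}


def _segments(s: str):
    # rpm ignores separators and compares runs of digits or letters; '~' is
    # kept because it marks a pre-release that sorts before everything else.
    return re.findall(r"\d+|[A-Za-z]+|~", s)


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following rpm's rpmvercmp(): numeric runs compare as
    integers, alphabetic runs lexically, a numeric run beats an alphabetic one,
    a longer string beats its own prefix, and '~' sorts lowest of all."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def parse_nevra(pkg: str):
    """Split 'name-[epoch:]version-release[.arch]' as printed by rpm -q."""
    head, _, tail = pkg.rpartition(".")
    arch = None
    if tail in ARCHES:
        pkg, arch = head, tail
    nv, _, release = pkg.rpartition("-")
    name, _, version = nv.rpartition("-")
    epoch = 0
    if ":" in version:
        e, _, version = version.partition(":")
        epoch = 0 if e in ("", "(none)") else int(e)
    if not (name and version and release):
        raise ValueError(f"not an RPM NEVRA: {pkg!r}")
    return name, epoch, version, release, arch


def compare_evr(a, b) -> int:
    """Order two (epoch, version, release) triples the way rpm does."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def dist_tag(release: str):
    """'el8' from a release such as '6.el8_3.1'; None if no RHEL dist tag."""
    m = re.search(r"\.(el\d+)", release)
    return m.group(1) if m else None


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed sudo is older than the fixed build. Refuses to
    compare a different package or a different RHEL major (el7 vs el8)."""
    n1, e1, v1, r1, _ = parse_nevra(installed)
    n2, e2, v2, r2, _ = parse_nevra(fixed)
    if n1 != "sudo" or n2 != "sudo":
        raise ValueError("both arguments must be sudo packages")
    if dist_tag(r1) != dist_tag(r2):
        raise ValueError(f"dist tags differ ({dist_tag(r1)} vs {dist_tag(r2)}); "
                         "use the advisory for this release")
    return compare_evr((e1, v1, r1), (e2, v2, r2)) < 0


def installed_sudo() -> str:
    """First installed sudo package (multilib hosts may list more than one)."""
    out = subprocess.run(["rpm", "-q", "sudo"], capture_output=True, text=True, check=True)
    return out.stdout.strip().splitlines()[0]


def main(argv) -> int:
    if len(argv) != 2:
        print("usage: check_sudo.py <fixed sudo NVR from the RHSA for this release>",
              file=sys.stderr)
        return 2
    installed = installed_sudo()
    vulnerable = is_vulnerable(installed, argv[1])
    print(f"{installed}: {'VULNERABLE, update sudo' if vulnerable else 'fixed'}")
    return 1 if vulnerable else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status (0 fixed, 1 vulnerable, 2 usage error) makes the check usable from configuration management or a cron job; a rebuilt package with a higher release on the same stream is reported as fixed, while a backport that keeps the version but lowers the release is not, which is why the release field is compared and not just the upstream version.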

Red Hat thanks Qualys Security for reporting this flaw.

How to use GPG to verify signed content from Product Security 
