CVE-2021-3156

Sudo Heap-Based Buffer Overflow Vulnerability

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

Sudo versiones anteriores a 1.9.5p2 contiene un error de desbordamiento que puede resultar en un desbordamiento de búfer basado en la pila, lo que permite la escalada de privilegios a root a través de "sudoedit -s" y un argumento de línea de comandos que termina con un solo carácter de barra invertida

A flaw was found in sudo. A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command (by default, any local user can execute sudo) without authentication. Successful exploitation of this flaw could lead to privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Qualys has released extensive research details regarding a heap-based buffer overflow vulnerability in sudo. The issue was introduced in July 2011 (commit 8255ed69), and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, in their default configuration.

Sudo contains an off-by-one error that can result in a heap-based buffer overflow, which allows for privilege escalation.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-15 CVE Reserved
2021-01-26 CVE Published
2021-01-26 First Exploit
2022-04-06 Exploited in Wild
2022-04-27 KEV Due Date
2024-09-18 CVE Updated
2024-10-28 EPSS Updated

CWE

CWE-122: Heap-based Buffer Overflow
CWE-193: Off-by-one Error

CAPEC

References (86)

URL	Tag	Source
http://seclists.org/fulldisclosure/2021/Feb/42	Mailing List
http://www.openwall.com/lists/oss-security/2021/01/27/1	Mailing List
http://www.openwall.com/lists/oss-security/2021/01/27/2	Mailing List
http://www.openwall.com/lists/oss-security/2024/01/30/8	Mailing List
https://kc.mcafee.com/corporate/index?page=content&id=SB10348	Broken Link
https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html	Mailing List
https://security.netapp.com/advisory/ntap-20210128-0001	Third Party Advisory
https://security.netapp.com/advisory/ntap-20210128-0002	Third Party Advisory
https://support.apple.com/kb/HT212177	Third Party Advisory
https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability	Third Party Advisory
https://www.kb.cert.org/vuls/id/794544	Third Party Advisory
https://www.sudo.ws/stable.html#1.9.5p2	Release Notes
https://www.synology.com/security/advisory/Synology_SA_21_02	Third Party Advisory
https://www.vicarius.io/vsociety/posts/sudoedit-pwned-cve-2021-3156
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
https://www.kalmarunionen.dk/writeups/sudo
https://github.com/blasty/CVE-2021-3156/blob/main/hax.c

URL	Date	SRC
https://www.exploit-db.com/exploits/49521	2021-02-03
https://www.exploit-db.com/exploits/49522	2021-02-03
https://github.com/blasty/CVE-2021-3156	2021-02-01
https://github.com/worawit/CVE-2021-3156	2021-07-23
https://github.com/stong/CVE-2021-3156	2021-02-08
https://github.com/reverse-ex/CVE-2021-3156	2021-01-31
https://github.com/CptGibbon/CVE-2021-3156	2022-01-20
https://github.com/Rvn0xsy/CVE-2021-3156-plus	2021-02-09
https://github.com/mr-r3b00t/CVE-2021-3156	2021-01-26
https://github.com/0xdevil/CVE-2021-3156	2021-12-03
https://github.com/unauth401/CVE-2021-3156	2021-01-27
https://github.com/mbcrump/CVE-2021-3156	2021-01-31
https://github.com/teamtopkarl/CVE-2021-3156	2021-01-31
https://github.com/kernelzeroday/CVE-2021-3156-Baron-Samedit	2021-01-29
https://github.com/jm33-m0/CVE-2021-3156	2021-02-09
https://github.com/apogiatzis/docker-CVE-2021-3156	2021-01-31
https://github.com/PhuketIsland/CVE-2021-3156-centos7	2022-11-03
https://github.com/baka9moe/CVE-2021-3156-Exp	2021-01-28
https://github.com/chenaotian/CVE-2021-3156	2022-05-23
https://github.com/dinhbaouit/CVE-2021-3156	2021-02-03
https://github.com/1N53C/CVE-2021-3156-PoC	2021-02-06
https://github.com/elbee-cyber/CVE-2021-3156-PATCHER	2021-01-28
https://github.com/Q4n/CVE-2021-3156	2021-01-31
https://github.com/ph4ntonn/CVE-2021-3156	2021-01-28
https://github.com/oneoy/CVE-2021-3156	2021-02-01
https://github.com/CyberCommands/CVE-2021-3156	2021-08-07
https://github.com/Mhackiori/CVE-2021-3156	2022-07-15
https://github.com/lmol/CVE-2021-3156	2021-03-25
https://github.com/kal1gh0st/CVE-2021-3156	2021-05-04
https://github.com/musergi/CVE-2021-3156	2021-12-01
https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156	2023-05-13
https://github.com/ymrsmns/CVE-2021-3156	2021-01-31
https://github.com/RodricBr/CVE-2021-3156	2022-08-19
https://github.com/EthicalSecurity-Agency/Y3A-CVE-2021-3156	2021-09-07
https://github.com/halissha/CVE-2021-3156	2021-10-20
https://github.com/barebackbandit/CVE-2021-3156	2022-01-30
https://github.com/donghyunlee00/CVE-2021-3156	2021-06-25
https://github.com/freeFV/CVE-2021-3156	2021-01-29
https://github.com/Typical0day/CVE-2021-3156	2024-07-08
https://github.com/ZTK-009/CVE-2021-3156	2021-02-01
https://github.com/arvindshima/CVE-2021-3156	2022-06-24
https://github.com/wurwur/CVE-2021-3156	2024-01-22
https://github.com/0x7183/CVE-2021-3156	2021-08-17
https://github.com/BearCat4/CVE-2021-3156	2021-03-30
https://github.com/puckiestyle/CVE-2021-3156	2022-03-04
http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html	2024-09-18
http://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html	2024-09-18
http://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html	2024-09-18
http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html	2024-09-18
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html	2024-09-18
http://seclists.org/fulldisclosure/2021/Jan/79	2024-09-18
http://seclists.org/fulldisclosure/2024/Feb/3	2024-09-18
http://www.openwall.com/lists/oss-security/2021/01/26/3	2024-09-18
http://www.openwall.com/lists/oss-security/2021/02/15/1	2024-09-18
http://www.openwall.com/lists/oss-security/2024/01/30/6	2024-09-18
https://www.openwall.com/lists/oss-security/2021/01/26/3	2024-09-18

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2021/09/14/2	2024-07-09
https://www.oracle.com//security-alerts/cpujul2021.html	2024-07-09
https://www.oracle.com/security-alerts/cpuapr2022.html	2024-07-09
https://www.oracle.com/security-alerts/cpuoct2021.html	2024-07-09

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII	2024-07-09
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY	2024-07-09
https://security.gentoo.org/glsa/202101-33	2024-07-09
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM	2024-07-09
https://www.debian.org/security/2021/dsa-4839	2024-07-09
https://access.redhat.com/security/cve/CVE-2021-3156	2021-02-03
https://bugzilla.redhat.com/show_bug.cgi?id=1917684	2021-02-03
https://access.redhat.com/security/vulnerabilities/RHSB-2021-002	2021-02-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Synology Search vendor "Synology"	Skynas Firmware Search vendor "Synology" for product "Skynas Firmware"	-	-	Affected	in	Synology Search vendor "Synology"	Skynas Search vendor "Synology" for product "Skynas"	-	-	Safe
Synology Search vendor "Synology"	Vs960hd Firmware Search vendor "Synology" for product "Vs960hd Firmware"	-	-	Affected	in	Synology Search vendor "Synology"	Vs960hd Search vendor "Synology" for product "Vs960hd"	-	-	Safe
Oracle Search vendor "Oracle"	Micros Compact Workstation 3 Firmware Search vendor "Oracle" for product "Micros Compact Workstation 3 Firmware"	310 Search vendor "Oracle" for product "Micros Compact Workstation 3 Firmware" and version "310"	-	Affected	in	Oracle Search vendor "Oracle"	Micros Compact Workstation 3 Search vendor "Oracle" for product "Micros Compact Workstation 3"	-	-	Safe
Oracle Search vendor "Oracle"	Micros Es400 Firmware Search vendor "Oracle" for product "Micros Es400 Firmware"	>= 400 <= 410 Search vendor "Oracle" for product "Micros Es400 Firmware" and version " >= 400 <= 410"	-	Affected	in	Oracle Search vendor "Oracle"	Micros Es400 Search vendor "Oracle" for product "Micros Es400"	-	-	Safe
Oracle Search vendor "Oracle"	Micros Kitchen Display System Firmware Search vendor "Oracle" for product "Micros Kitchen Display System Firmware"	210 Search vendor "Oracle" for product "Micros Kitchen Display System Firmware" and version "210"	-	Affected	in	Oracle Search vendor "Oracle"	Micros Kitchen Display System Search vendor "Oracle" for product "Micros Kitchen Display System"	-	-	Safe
Oracle Search vendor "Oracle"	Micros Workstation 5a Firmware Search vendor "Oracle" for product "Micros Workstation 5a Firmware"	5a Search vendor "Oracle" for product "Micros Workstation 5a Firmware" and version "5a"	-	Affected	in	Oracle Search vendor "Oracle"	Micros Workstation 5a Search vendor "Oracle" for product "Micros Workstation 5a"	-	-	Safe
Oracle Search vendor "Oracle"	Micros Workstation 6 Firmware Search vendor "Oracle" for product "Micros Workstation 6 Firmware"	>= 610 <= 655 Search vendor "Oracle" for product "Micros Workstation 6 Firmware" and version " >= 610 <= 655"	-	Affected	in	Oracle Search vendor "Oracle"	Micros Workstation 6 Search vendor "Oracle" for product "Micros Workstation 6"	-	-	Safe
Sudo Project Search vendor "Sudo Project"		Sudo Search vendor "Sudo Project" for product "Sudo"				>= 1.8.2 < 1.8.32 Search vendor "Sudo Project" for product "Sudo" and version " >= 1.8.2 < 1.8.32"		-		Affected
Sudo Project Search vendor "Sudo Project"		Sudo Search vendor "Sudo Project" for product "Sudo"				>= 1.9.0 < 1.9.5 Search vendor "Sudo Project" for product "Sudo" and version " >= 1.9.0 < 1.9.5"		-		Affected
Sudo Project Search vendor "Sudo Project"		Sudo Search vendor "Sudo Project" for product "Sudo"				1.9.5 Search vendor "Sudo Project" for product "Sudo" and version "1.9.5"		-		Affected
Sudo Project Search vendor "Sudo Project"		Sudo Search vendor "Sudo Project" for product "Sudo"				1.9.5 Search vendor "Sudo Project" for product "Sudo" and version "1.9.5"		patch1		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		vmware_vsphere		Affected
Netapp Search vendor "Netapp"		Cloud Backup Search vendor "Netapp" for product "Cloud Backup"				-		-		Affected
Netapp Search vendor "Netapp"		Hci Management Node Search vendor "Netapp" for product "Hci Management Node"				-		-		Affected
Netapp Search vendor "Netapp"		Oncommand Unified Manager Core Package Search vendor "Netapp" for product "Oncommand Unified Manager Core Package"				-		-		Affected
Netapp Search vendor "Netapp"		Ontap Select Deploy Administration Utility Search vendor "Netapp" for product "Ontap Select Deploy Administration Utility"				-		-		Affected
Netapp Search vendor "Netapp"		Ontap Tools Search vendor "Netapp" for product "Ontap Tools"				9 Search vendor "Netapp" for product "Ontap Tools" and version "9"		vmware_vsphere		Affected
Netapp Search vendor "Netapp"		Solidfire Search vendor "Netapp" for product "Solidfire"				-		-		Affected
Mcafee Search vendor "Mcafee"		Web Gateway Search vendor "Mcafee" for product "Web Gateway"				8.2.17 Search vendor "Mcafee" for product "Web Gateway" and version "8.2.17"		-		Affected
Mcafee Search vendor "Mcafee"		Web Gateway Search vendor "Mcafee" for product "Web Gateway"				9.2.8 Search vendor "Mcafee" for product "Web Gateway" and version "9.2.8"		-		Affected
Mcafee Search vendor "Mcafee"		Web Gateway Search vendor "Mcafee" for product "Web Gateway"				10.0.4 Search vendor "Mcafee" for product "Web Gateway" and version "10.0.4"		-		Affected
Synology Search vendor "Synology"		Diskstation Manager Search vendor "Synology" for product "Diskstation Manager"				6.2 Search vendor "Synology" for product "Diskstation Manager" and version "6.2"		-		Affected
Synology Search vendor "Synology"		Diskstation Manager Unified Controller Search vendor "Synology" for product "Diskstation Manager Unified Controller"				3.0 Search vendor "Synology" for product "Diskstation Manager Unified Controller" and version "3.0"		-		Affected
Beyondtrust Search vendor "Beyondtrust"		Privilege Management For Mac Search vendor "Beyondtrust" for product "Privilege Management For Mac"				< 21.1.1 Search vendor "Beyondtrust" for product "Privilege Management For Mac" and version " < 21.1.1"		-		Affected
Beyondtrust Search vendor "Beyondtrust"		Privilege Management For Unix\/linux Search vendor "Beyondtrust" for product "Privilege Management For Unix\/linux"				< 10.3.2-10 Search vendor "Beyondtrust" for product "Privilege Management For Unix\/linux" and version " < 10.3.2-10"		basic		Affected
Oracle Search vendor "Oracle"		Communications Performance Intelligence Center Search vendor "Oracle" for product "Communications Performance Intelligence Center"				>= 10.3.0.0.0 <= 10.3.0.2.1 Search vendor "Oracle" for product "Communications Performance Intelligence Center" and version " >= 10.3.0.0.0 <= 10.3.0.2.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Performance Intelligence Center Search vendor "Oracle" for product "Communications Performance Intelligence Center"				>= 10.4.0.1.0 <= 10.4.0.3.1 Search vendor "Oracle" for product "Communications Performance Intelligence Center" and version " >= 10.4.0.1.0 <= 10.4.0.3.1"		-		Affected
Oracle Search vendor "Oracle"		Tekelec Platform Distribution Search vendor "Oracle" for product "Tekelec Platform Distribution"				>= 7.4.0 <= 7.7.1 Search vendor "Oracle" for product "Tekelec Platform Distribution" and version " >= 7.4.0 <= 7.7.1"		-		Affected