
(ZDNet)   Sudo make me root   (zdnet.com) divider line
    More: Scary, Sudo, Baron Samedit bug, firm Qualys, major vulnerability, CVE identifier of CVE-2021-3156, Security, Baron Samedit, technical details

1333 clicks; posted to STEM on 27 Jan 2021 at 6:45 PM

39 Comments
 
2021-01-27 4:49:29 PM  
With a nice video of how to exploit the vulnerability.

Egads.
 
2021-01-27 4:54:45 PM  
[Fark user image]
 
2021-01-27 5:06:47 PM  
Yay, IT security folks are going to be up everyone's ass to get that one patched across their systems.  I sense a lot of admins are not going to have a very nice weekend.
 
2021-01-27 5:23:49 PM  
Free sandwiches for everyone!
 
2021-01-27 5:29:31 PM  
You don't have to sudo if you just log in as root.
 
2021-01-27 5:39:47 PM  

BumpInTheNight: Yay, IT security folks are going to be up everyone's ass to get that one patched across their systems.  I sense a lot of admins are not going to have a very nice weekend.


sudo rm /etc/sudoers.

End of problem!

/why do i have to think of everything
//do not do sudo rm /etc/sudoers
 
2021-01-27 7:00:24 PM  

Marcus Aurelius: BumpInTheNight: Yay, IT security folks are going to be up everyone's ass to get that one patched across their systems.  I sense a lot of admins are not going to have a very nice weekend.

sudo rm /etc/sudoers.

End of problem!

/why do i have to think of everything
//do not do sudo rm /etc/sudoers


I believe removing sudoedit for now will fix the problem.  Also just updating to the most recent sudo should fix it as well.
 
2021-01-27 7:00:50 PM  

BumpInTheNight: Yay, IT security folks are going to be up everyone's ass to get that one patched across their systems.  I sense a lot of admins are not going to have a very nice weekend.


yep, today was patching day. Luckily we only have about 700 to worry about. automated most of it.
 
2021-01-27 7:01:56 PM  

SpectroBoy: [Fark user image image 500x500]


You should be chroot.
 
2021-01-27 7:02:44 PM  

Marcus Aurelius: do not do sudo rm /etc/sudoers


Right, the appropriate answer is "sudo rm -f /usr/bin/sudo"

/You probably shouldn't do that either, but hey, I'm not your supervisor.
 
2021-01-27 7:04:44 PM  
sudo yum update sudo
Don't even need to reboot. Still scared the willies out of me.
 
2021-01-27 7:06:28 PM  
sudo chmod -x /usr/bin/chmod
 
2021-01-27 7:08:36 PM  

Wanebo: With a nice video of how to exploit the vulnerability.

Egads.


That's how it works, but usually they are in contact with the developers prior to releasing it. They have to so that people know how to mitigate it.
 
2021-01-27 7:12:50 PM  
LOL. Just run Windows, nerds!
 
2021-01-27 7:14:56 PM  
[xkcd image]


/oblig
 
2021-01-27 7:18:43 PM  

MindStalker: I believe removing sudoedit for now will fix the problem.


At least on my system, "/usr/bin/sudoedit" is a symlink pointing to "sudo". An attacker could create their own symlink with that name in some other directory.
 
2021-01-27 7:22:15 PM  
I don't think I am running a Linux install where a user exists I wouldn't want to have sudo access. I might be unusual there, but no one else uses my systems, so I'm not very concerned, I'm the only user.

This sounds like it's only a problem if you have accounts on your machine you don't want to have sudo access, right?
 
2021-01-27 7:23:18 PM  

ryebread: Marcus Aurelius: do not do sudo rm /etc/sudoers

Right, the appropriate answer is "sudo rm -f /usr/bin/sudo"

/You probably shouldn't do that either, but hey, I'm not your supervisor.


You said to fix it. I fixed it. What's the problem?
 
2021-01-27 7:24:02 PM  

Quantumbunny: I don't think I am running a Linux install where a user exists I wouldn't want to have sudo access. I might be unusual there, but no one else uses my systems, so I'm not very concerned, I'm the only user.

This sounds like it's only a problem if you have accounts on your machine you don't want to have sudo access, right?


Or some script/malware runs as you.
 
2021-01-27 7:25:17 PM  

Quantumbunny: I don't think I am running a Linux install where a user exists I wouldn't want to have sudo access. I might be unusual there, but no one else uses my systems, so I'm not very concerned, I'm the only user.

This sounds like it's only a problem if you have accounts on your machine you don't want to have sudo access, right?


There's a lot of not-user user accounts though, in a chained attack where someone knew a way to get onto your system as like, I dunno, the service user account for some crappy Internet Of Things Fridge's Display GUI, then they could elevate with that service account and now they have root on your crappy Internet Of Things fridge and wander out onto the rest of your network taking over other crappy internet of things devices until they found the one for Nest knock off and muahahaha set the temps a degree above what you want or something like that.

Hypothetically of course.
 
2021-01-27 7:41:36 PM  

BumpInTheNight: Quantumbunny: I don't think I am running a Linux install where a user exists I wouldn't want to have sudo access. I might be unusual there, but no one else uses my systems, so I'm not very concerned, I'm the only user.

This sounds like it's only a problem if you have accounts on your machine you don't want to have sudo access, right?

There's a lot of not-user user accounts though, in a chained attack where someone knew a way to get onto your system as like, I dunno, the service user account for some crappy Internet Of Things Fridge's Display GUI, then they could elevate with that service account and now they have root on your crappy Internet Of Things fridge and wander out onto the rest of your network taking over other crappy internet of things devices until they found the one for Nest knock off and muahahaha set the temps a degree above what you want or something like that.

Hypothetically of course.


You... you MONSTER!

[Fark user image]
 
2021-01-27 7:46:25 PM  

Quantumbunny: I don't think I am running a Linux install where a user exists I wouldn't want to have sudo access. I might be unusual there, but no one else uses my systems, so I'm not very concerned, I'm the only user.

This sounds like it's only a problem if you have accounts on your machine you don't want to have sudo access, right?


Or if you run a vulnerable network service which gets compromised and then they chain this exploit to elevate from the service account.
 
2021-01-27 8:18:33 PM  

FrancoFile: [imgs.xkcd.com image 360x299]

/oblig


Came here for my super user sub, leaving happily.
 
2021-01-27 8:30:05 PM  

BumpInTheNight: Yay, IT security folks are going to be up everyone's ass to get that one patched across their systems.  I sense a lot of admins are not going to have a very nice weekend.


None of my Windows Server systems seem to be vulnerable to this.
 
2021-01-27 8:55:51 PM  

Mr. Eugenides: None of my Windows Server systems seem to be vulnerable to this.


Au contraire mon frère, if you have WSL installed you need to update it too.
 
2021-01-27 8:58:44 PM  

Mr. Eugenides: BumpInTheNight: Yay, IT security folks are going to be up everyone's ass to get that one patched across their systems.  I sense a lot of admins are not going to have a very nice weekend.

None of my Windows Server systems seem to be vulnerable to this.


One of the few advantages of throwing sacks of money into the Windows Server Licensing furnace I guess? :)

/its not the regular linux servers I'm going to be annoyed with, but my fleets of ESX hosts and all the stupid appliances both virtual and hardware-based that everyone forgets about
 
2021-01-27 9:12:15 PM  

jakedata: sudo yum update sudo
Don't even need to reboot. Still scared the willies out of me.


Yep just did the same. 'cept dnf.
 
2021-01-27 10:09:23 PM  

MindStalker: Marcus Aurelius: BumpInTheNight: Yay, IT security folks are going to be up everyone's ass to get that one patched across their systems.  I sense a lot of admins are not going to have a very nice weekend.

sudo rm /etc/sudoers.

End of problem!

/why do i have to think of everything
//do not do sudo rm /etc/sudoers

I believe removing sudoedit for now will fix the problem.  Also just updating to the most recent sudo should fix it as well.


Nope.
cp "$(which sudo)" /tmp/sudoedit
/tmp/sudoedit .... p0wned

This is only an issue if you let random people log into your system or use something like WordPress or PHP.  Most modern systems have so much cruft on them that there are several hundred ways to get full privileges from an unprivileged user.

/what ever happened to only load the software you need?
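
An added example, written for this thread rather than taken from the article or the sudo project, that turns the two points above (the symlink remark earlier in the thread and the copy-to-/tmp comment just above) into a check you can actually run. Two things it relies on: sudo chooses "sudoedit mode" from the basename of argv[0], so any link named sudoedit that resolves to the real setuid binary takes the same code path as /usr/bin/sudoedit, and Qualys's non-destructive probe is `sudoedit -s /`: a vulnerable build answers "sudoedit: /: not a regular file", a fixed build rejects `-s` with a usage line. One caveat on the copy variant: a file you `cp` to /tmp is owned by you, so even if a setuid bit survived it would not mean root, which is why this example uses a symlink. The version ranges are the upstream ones from the Qualys advisory (1.8.2 to 1.8.31p2, 1.9.0 to 1.9.5p1); distro packages backport the fix without changing that number, so the version test is only a hint and the probe is what to trust. The RUN_LIVE_CHECK variable and all function names are this example's own.

```shell
#!/bin/sh
# Added example: CVE-2021-3156 probe that does not depend on /usr/bin/sudoedit.
# Not from the thread, ZDNet, Qualys or the sudo project; names are invented here.

# Classify the combined stdout/stderr of `<anything named sudoedit> -s /`.
classify_probe_output() {
    case "$1" in
        *"not a regular file"*) echo vulnerable ;;
        *usage:*)               echo patched ;;
        *)                      echo unknown ;;
    esac
}

# Pull "1.8.31p2" out of the first line of `sudo --version`
# ("Sudo version 1.8.31p2").
parse_version_line() {
    set -- $1
    echo "$3"
}

# Turn "MAJOR.MINOR.PATCH[pN]" into one sortable integer so ranges compare.
version_key() {
    v=$1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%p*}
    plevel=0
    case "$rest" in *p*) plevel=${rest#*p} ;; esac
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# Exit 0 when an upstream version string is inside the affected ranges from the
# Qualys advisory: 1.8.2 .. 1.8.31p2 (legacy) and 1.9.0 .. 1.9.5p1 (stable).
# Vendor backports keep the old number, so treat this as a hint only.
version_in_affected_range() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 1.8.2)" ] && [ "$k" -le "$(version_key 1.8.31p2)" ] && return 0
    [ "$k" -ge "$(version_key 1.9.0)" ] && [ "$k" -le "$(version_key 1.9.5p1)" ] && return 0
    return 1
}

# Live check against this host: run the probe through a freshly created link
# in a scratch directory. That it works from /tmp is exactly why deleting the
# /usr/bin/sudoedit symlink is not a mitigation; only the patched binary is.
live_check() {
    sudo_bin=$(command -v sudo) || { echo "sudo not installed"; return 2; }
    scratch=$(mktemp -d) || return 2
    ln -s "$sudo_bin" "$scratch/sudoedit"
    out=$("$scratch/sudoedit" -s / 2>&1)
    rm -rf "$scratch"
    ver=$(parse_version_line "$(sudo --version | head -n 1)")
    if version_in_affected_range "$ver"; then hint=affected; else hint=not-affected; fi
    printf 'installed: %s (upstream range says: %s)\n' "$ver" "$hint"
    printf 'probe says: %s\n' "$(classify_probe_output "$out")"
}

# Only touch the host when asked, so the functions can be sourced and tested.
if [ "${RUN_LIVE_CHECK:-0}" = 1 ]; then
    live_check
fi
```

Run it as `RUN_LIVE_CHECK=1 sh check-sudo.sh` from an unprivileged account; you do not need to be in sudoers for the probe, because the `-s` rejection (patched) and the file check (vulnerable) both happen before any policy lookup. If the probe says "vulnerable" on a box whose package manager claims it is current, believe the probe and chase the package, not the other way round.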
 
2021-01-27 10:16:20 PM  

DON.MAC: MindStalker: Marcus Aurelius: BumpInTheNight: Yay, IT security folks are going to be up everyone's ass to get that one patched across their systems.  I sense a lot of admins are not going to have a very nice weekend.

sudo rm /etc/sudoers.

End of problem!

/why do i have to think of everything
//do not do sudo rm /etc/sudoers

I believe removing sudoedit for now will fix the problem.  Also just updating to the most recent sudo should fix it as well.

Nope.
cp "$(which sudo)" /tmp/sudoedit
/tmp/sudoedit .... p0wned

This is only an issue if you let random people log into your system or use something like WordPress or PHP.  Most modern systems have so much cruft on them that there are several hundred ways to get full privileges from an unprivileged user.

/what ever happened to only load the software you need?


Defense in depth.

Only load the stuff you need.
Only configure the NAT server to pass the ports you want.
Limit VPN access.
Etc.
 
2021-01-27 10:28:08 PM  

DON.MAC: /what ever happened to only load the software you need?


"DevOps", "Agile", "Move fast and break things" ...etc etc etc....

/I recently grimaced about a developer client that was adamant about getting a static IP for something they were doing but couldn't figure out how to set said IP into their new server's interface...like farking googling was beyond them or something...I wept, and opened a beer since working from home is awesome.
//and it was Windows based, for fark sakes if you can't edit the interface of a windows box with all the resources like google available to you...farking what the fark
///faaarking stupid user.
 
2021-01-27 10:43:05 PM  
Back when Mac OS X 10.5 just came out, I had an overseas flight. While working on my newly-installed update, something crashed and converted my "admin" account to a regular "user" account. Thank jeebus that Mac OS X is Linux/UNIX. I was able to reboot into safe mode (yes, the Mac does have a command prompt accessible during boot) and, after some time, I was able to elevate my privileges back to admin. Yep, I reported that to Apple when I got back on the ground.

This exploit shown in TFA is scary because it not only gives you root, but the method that it uses (guessing the ASLR address) is just genius. Way more difficult than pwning my own Mac.
 
2021-01-28 1:45:36 AM  
I'm so happy to work in the military-industrial complex, somewhere with a whole group devoted to cyber warfare, since this means that I can be assured of getting the latest patched version of sudo... as soon as the IT and security people finish taking their sweet time to thoroughly study it and make sure it's not dangerous.  Like, probably sometime next month.

/sigh
 
2021-01-28 2:27:41 AM  

BumpInTheNight: DON.MAC: /what ever happened to only load the software you need?

"DevOps", "Agile", "Move fast and break things" ...etc etc etc....

/I recently grimaced about a developer client that was adamant about getting a static IP for something they were doing but couldn't figure out how to set said IP into their new server's interface...like farking googling was beyond them or something...I wept, and opened a beer since working from home is awesome.
//and it was Windows based, for fark sakes if you can't edit the interface of a windows box with all the resources like google available to you...farking what the fark
///faaarking stupid user.


Some of us developers don't want to do the server work, that's not where our time is best spent. I've specifically crafted my career around avoiding it as much as possible lol. Can I do it? Sure. Do I want to? No, not really. I just don't have much interest in it. More than that, I don't really want to fark something up at that level. I write code. The 'DevOps' title was invented by companies that didn't want to pay for two positions anymore.

I stopped self-hosting probably a decade ago, there are so many better, cheaper, options. I use AWS, but that's because I have some experience with it.
 
2021-01-28 6:39:39 AM  

phimuskapsi: BumpInTheNight: DON.MAC: /what ever happened to only load the software you need?

"DevOps", "Agile", "Move fast and break things" ...etc etc etc....

/I recently grimaced about a developer client that was adamant about getting a static IP for something they were doing but couldn't figure out how to set said IP into their new server's interface...like farking googling was beyond them or something...I wept, and opened a beer since working from home is awesome.
//and it was Windows based, for fark sakes if you can't edit the interface of a windows box with all the resources like google available to you...farking what the fark
///faaarking stupid user.

Some of us developers don't want to do the server work, that's not where our time is best spent. I've specifically crafted my career around avoiding it as much as possible lol. Can I do it? Sure. Do I want to? No, not really. I just don't have much interest in it. More than that, I don't really want to fark something up at that level. I write code. The 'DevOps' title was invented by companies that didn't want to pay for two positions anymore.

I stopped self-hosting probably a decade ago, there are so many better, cheaper, options. I use AWS, but that's because I have some experience with it.


Okay that's all stuff I can agree with, especially the true origin story of the devops concept, though I do enjoy the idea of dev teams that release buggy POSes having to actually deal with the problems themselves instead of passing the buck onto the support teams now and then.
 
2021-01-28 8:07:43 AM  

phimuskapsi: BumpInTheNight: DON.MAC:

I stopped self-hosting probably a decade ago, there are so many better, cheaper, options. I use AWS, but that's because I have some experience with it.

Okay that's all stuff I can agree with, especially the true origin story of the devops concept, though I do enjoy the idea of dev teams that release buggy POSes having to actually deal with the problems themselves instead of passing the buck onto the support teams now and then.


So much this.  "Why does it take so long to build a server?", "Why do you keep asking what software we need installed?  Just give us our server the way we want it!", "But we don't want to upgrade!"

Fine... build it yourself. Oh, and you are now responsible for patching and audits.  "Audits?" Yep. Every month some customer sends in their auditors.  They are lots of fun to deal with.  Enjoy!

The pendulum will swing back to having a server support group take care of all that stuff.
 
2021-01-28 8:53:28 AM  

BumpInTheNight: Quantumbunny: I don't think I am running a Linux install where a user exists I wouldn't want to have sudo access. I might be unusual there, but no one else uses my systems, so I'm not very concerned, I'm the only user.

This sounds like it's only a problem if you have accounts on your machine you don't want to have sudo access, right?

There's a lot of not-user user accounts though, in a chained attack where someone knew a way to get onto your system as like, I dunno, the service user account for some crappy Internet Of Things Fridge's Display GUI, then they could elevate with that service account and now they have root on your crappy Internet Of Things fridge and wander out onto the rest of your network taking over other crappy internet of things devices until they found the one for Nest knock off and muahahaha set the temps a degree above what you want or something like that.

Hypothetically of course.


Actually once they reach your Nest they'll just force the heat to turn off in the winter while you're out of the house. Then your pipes freeze.
 
2021-01-28 9:01:15 AM  
Hunh, installed updated sudo package a day prior to when the article claimed it was out.
Go figure.
 
2021-01-28 9:17:41 AM  
You mean, apart from doing...

sudo su -

Yeah?  Because that's an apparently legit way to make yourself root using sudo
 
2021-01-28 9:39:28 AM  

NkThrasher: You mean, apart from doing...

sudo su -

Yeah?  Because that's an apparently legit way to make yourself root using sudo


Only if you already have permission.
 
Displayed 39 of 39 comments

This thread is closed to new comments.