• Recent root-giving Sudo bug also impacts macOS


    #2340183

    A bug in the Sudo app can let attackers with access to a local system elevate their access to a root-level account.

    A British security researcher has discovered today that a recent security flaw in the Sudo app also impacts the macOS operating system, and not just Linux and BSD, as initially believed.
    The vulnerability, disclosed last week as CVE-2021-3156 (aka Baron Samedit) by security researchers from Qualys, impacts Sudo, an app that allows admins to delegate limited root access to other users.

    https://www.zdnet.com/article/recent-root-giving-sudo-bug-also-impacts-macos/

    1 user thanked author for this post.
    • #2340308

      According to the article this bug can be exploited only by someone who has access to one’s computer, be it by directly laying hands on, and then logging-in to it, or by being given or gaining somehow root access via remote login. So it is not surprising this vulnerability has not come to people’s attention until recently, when someone directly pointed out the possibility of exploiting it.

      Curious that ‘sudo’ is referred to as an “app” in the article, when in fact it is a pretty important command-line instruction whose corresponding software is part of the OS.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      2 users thanked author for this post.
      • #2340359

        According to the article this bug can be exploited only by someone who has access to one’s computer, be it by directly laying hands on, and then logging-in to it, or by being given or gaining somehow root access via remote login.

        Ehm, that last part… someone gaining unprivileged access by remote login (or a command-execution vulnerability in other software), can use this vulnerability to gain root access.

        And I’m fairly sure I mentioned already that this thing probably works on lots of Unix-type operating systems. That ZDNet article refers to someone verifying that this is so on AIX at least.

        1 user thanked author for this post.
        • #2340507

          mn-: “Ehm, that last part…”

          That is why I wrote the word “somehow” in there so as not to go into the details. Thanks for providing the details.

          My point is that this is a bug that, yes, can be exploited, but is not easy to exploit. And people that are careful about where they leave their computer unattended or never take it away from home, and also take some basic precautions to keep out and, if already in, root out malware, are unlikely to be afflicted by someone making malevolent use of this bug. That might explain why it has come to people’s attention only now, having been discovered by someone who then pointed to it, after many years of quietly lying ensconced in the guts of the OS.

          And a quick Web search shows the bug is common to Linux, FreeBSD, macOS and several other UNIX-like operating systems.

          How to check to see if one has the bug and fix it, in several Linux distributions:

          https://fossbytes.com/linux-sudo-bug-baron-semedit-fixed-how-to-update-system/



          1 user thanked author for this post.
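          As an added, defender-side example (not from this thread, the ZDNet article or the fossbytes how-to linked above), the following shell script performs the two checks an administrator would want on Linux, BSD or macOS: a version check and a behavioural check. It assumes the affected-release boundaries published in the Qualys advisory for CVE-2021-3156 (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, fixed in 1.9.5p2) and the advisory's own test, in which `sudoedit -s /` on an unpatched build answers with an error beginning `sudoedit:` while a patched build rejects the option with `usage:`. All function names are my own, and the sample outputs fed to the functions are constructed.

```sh
#!/bin/sh
# Added example (not from the thread or the linked articles): defender-side
# checks for CVE-2021-3156 on Linux, BSD and macOS.
#
# Assumption (Qualys advisory): affected releases are 1.8.2 through 1.8.31p2
# and 1.9.0 through 1.9.5p1; 1.9.5p2 carries the fix.
# Assumption (same advisory): on an unpatched build `sudoedit -s /` fails with
# an error beginning "sudoedit:", while a patched build answers "usage:".
# Vendors often backport fixes without bumping the version string, so the
# version check alone can raise false positives; the behavioural check settles it.

# Turn "1.8.31p2" into one comparable integer (major, minor, patch, p-level).
version_key() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    rest=$(printf '%s' "$1" | cut -d. -f3)
    patch=$(printf '%s' "$rest" | sed 's/p.*//')
    plevel=$(printf '%s' "$rest" | sed -n 's/^[0-9]*p\([0-9]*\)$/\1/p')
    [ -z "$patch" ] && patch=0
    [ -z "$plevel" ] && plevel=0
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# Exit 0 when the version in $1 lies inside an affected range, 1 otherwise.
sudo_version_affected() {
    key=$(version_key "$1")
    if [ "$key" -ge "$(version_key 1.8.2)" ] && [ "$key" -le "$(version_key 1.8.31p2)" ]; then
        return 0
    fi
    if [ "$key" -ge "$(version_key 1.9.0)" ] && [ "$key" -le "$(version_key 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

# Extract "1.8.31p2" from `sudo --version` output ("Sudo version 1.8.31p2 ...").
parse_sudo_version_output() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9.]*p*[0-9]*\).*/\1/p' | head -n 1
}

# Classify captured `sudoedit -s /` output as "affected", "patched" or "unknown".
classify_sudoedit_output() {
    case "$1" in
        sudoedit:*) echo affected ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Run both checks against the local system. Exit status 0 means "not affected".
# Not run by default so the file can also be sourced; invoke as:
#   sh check_sudo.sh --local
check_local_sudo() {
    out=$(sudo --version 2>/dev/null) || { echo "sudo not found"; return 2; }
    ver=$(parse_sudo_version_output "$out")
    if sudo_version_affected "$ver"; then
        echo "sudo $ver is within the affected range; confirming behaviour"
    else
        echo "sudo $ver is outside the affected range"
    fi
    probe=$(sudoedit -s / 2>&1 </dev/null)
    verdict=$(classify_sudoedit_output "$probe")
    echo "behavioural check: $verdict"
    [ "$verdict" != affected ]
}

if [ "${1:-}" = "--local" ]; then
    check_local_sudo
fi
```

The version check is what the linked how-to articles describe; the behavioural check is the one to trust on distributions that ship a patched 1.8.x or 1.9.x under the old version number, and on macOS, where the Apple updates named later in this thread do not change the reported sudo version in an obvious way.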
      • #2340527

        Curious that ‘sudo’ is referred to as an “app” in the article, when in fact it is a pretty important command-line instruction whose corresponding software is part of the OS.

        It’s an external command, meaning that when one types ‘sudo [something]’, the shell is calling the sudo application and passing the value of the parameter(s) [something] to it, rather than it being interpreted as an internal command within the shell itself. The reference to it as ‘app’ is an annoying example of this trend to call every program an ‘app,’ because that’s what all the cool kids are callin’ em these days. To extend that even to internal commands is yet another unfortunate step in that direction.

        To me, “app” is a downsized, self-contained, touch-oriented program for a phone or tablet. The word itself is a shortened version of “application,” which for me originated as a full-scale program meant to do something important, like a full-featured terminal program (like Telix or Procomm Plus back in the day) or a productivity program like Lotus 1-2-3. Downsized, non-full-featured graphical programs (like those that came with Windows) were called “applets,” with the diminutive form denoting their subordinate status compared to full applications on that same platform. “Wordpad” or “Paintbrush” were applets, while “Word for Windows” or “Corel Draw” were applications.

        When smartphones appeared, the term “apps” appeared along with it, at least to my knowledge. It too is a diminutive form of “applications,” and it references the simplified, touch-oriented nature of phone programs versus those on the PC (as well as its self-contained packaging), but without the direct reference to “full” applications within that same platform that is inherent within the term “applet.”

        Phones have gotten more powerful since then, and some “apps” are quite complex now, but they’re still touch-oriented, with a simplified UI, and are self-contained in a way that PC programs usually are not. Some attempts are being made to bring some or all of that to the PC, via UWP in Windows or Snap in Linux, for example, but IMO, the convention as far as nomenclature is already set. A phone or tablet’s native program is an app, and a PC’s isn’t. Call it a program, an application, an executable, an external command, or an applet (though that term is pretty much obsolete now, with “application” having taken over the full size spectrum), but please, not an app! It’s a phone term that was deliberately (as best I can tell) meant to be different than the existing terms for computer programs, so what is the point in backporting the term to the very platform from which it was meant to be distinct?

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        1 user thanked author for this post.
        • #2340667

          Ascaris: “Call it a program, an application, an executable, an external command, or an applet (though that term is pretty much obsolete now, with “application” having taken over the full size spectrum), but please, not an app!”

          Quite so. How about ‘utility program’ or ‘utility software’?

          When someone is writing about such a basic, necessary and important thing as “sudo”, that comes wrapped-in with UNIX and any UNIX-derived OS I’ve ever heard of and calls it “an app”, I do wonder how much the writer knows about what he or she is writing about.


          1 user thanked author for this post.
    • #2344211

      A bug in the Sudo app can let attackers with access to a local system elevate their access to a root-level account.

      A British security researcher has discovered today that a recent security flaw in the Sudo app also impacts the macOS operating system, and not just Linux and BSD, as initially believed.
      The vulnerability, disclosed last week as CVE-2021-3156 (aka Baron Samedit) by security researchers from Qualys, impacts Sudo, an app that allows admins to delegate limited root access to other users.

      https://www.zdnet.com/article/recent-root-giving-sudo-bug-also-impacts-macos/

      The vulnerability has been fixed in Mojave 2021-002 and Catalina 10.15.7 Supplemental Update (which is actually supplemental to 2021-001 and is listed as 2021-001 Security Update on the Apple Support site).

      https://support.apple.com/en-us/HT212177

      The updates are available from Software Update or as standalone updaters from the Apple Support Download site.

      The 2021-002 Mojave update contains the fixes from 2021-001 and supersedes it. The Catalina update also contains the fixes from 2021-001 and supersedes it.

      I have installed 2021-002 on my Mac mini 2018 and no apparent issues have been found.

      Hope for the best. Prepare for the worst.

      1 user thanked author for this post.