macOS Big Sur 11.2.1 Fixes Root Access Sudo Bug

[MacRumors]

The macOS Big Sur 11.2.1 update that Apple released today fixes a sudo security vulnerability that could allow an attacker to gain root access to a Mac.

According to an Apple security support document, the bug, CVE-2021-3156, was addressed in the update by updating to sudo version 1.9.5p2. Apple has also fixed the bug in Supplemental Updates made available for macOS Catalina 10.15.7 and macOS Mojave 10.14.6.

The updates also include fixes for two bugs that could allow an app to execute arbitrary code with kernel privileges.

Discovered last week, the vulnerability triggers a "heap overflow" in sudo that changes the current user's privileges to enable root-level access, giving an attacker access to the entire system.


Article Link: macOS Big Sur 11.2.1 Fixes Root Access Sudo Bug

 

[luvbug]

Thank you! Much more than a charging bug, for sure.

 

[ruka.snow]

Fantastic. Unlikely to affect me but still good to have the furniture nailed down.

 

[JosephAW]

Reminds me of High Sierra. Waiting for the login “root” user access now.

 

[julesme]

Note to self: Sudo is a command-line tool related to super user access privileges (should have been defined in article IMO).

 

[macrtist67]

The macOS Big Sur 11.2.1 update that Apple released today fixes a sudo security vulnerability that could allow an attacker to gain root access to a Mac.

According to an Apple security support document, the bug, CVE-2021-3156, was addressed in the update by updating to sudo version 1.9.5p2. Apple has also fixed the bug in Supplemental Updates made available for macOS Catalina 10.15.7 and macOS Mojave 10.14.6.

The updates also include fixes for two bugs that could allow an app to execute arbitrary code with kernel privileges.

Discovered last week, the vulnerability triggers a "heap overflow" in sudo that changes the current user's privileges to enable root-level access, giving an attacker access to the entire system.


Article Link: macOS Big Sur 11.2.1 Fixes Root Access Sudo Bug

Hoping & praying that a fix will come to allow my MBP to work off the battery....as soon as I updated to Big Sur...my battery says 1% contact service...now it only works when its plugged in....so much for portability

 

[ArPe]

Is Apple the first? Did other Unix and Linux push out the update too?

 

[neuropsychguy]

Is Apple the first? Did other Unix and Linux push out the update too?

Most major Linux distros have already fixed it.

Examples:
https://ubuntu.com/security/CVE-2021-3156

cve-details

CVE-2021-3156 | SUSE

www.suse.com

https://bodhi.fedoraproject.org/updates/FEDORA-2021-2cb63d912a

 

[svanstrom]

Now if it could just come standard with allowing us to use TouchID instead of typing our password.

 

[chumps52]

Assuming it hasn't yet been fixed in the 11.3 betas?

 

[luvbug]

Y

Now if it could just come standard with allowing us to use TouchID instead of typing our password.

Yubikey smart card login functionality is well integrated into MacOS since Catalina. And it can then be used, with a pin, for just about all MacOS auth dialogs. $45 on AMZ.

 

[macduke]

Is Apple the first? Did other Unix and Linux push out the update too?

I got an email the other day that they were patching our web servers with this at work, so no.

 

[Realityck]

Terrific if it also fixes that sudo security vulnerability besides the issue that could prevent the battery from charging in some 2016 and 2017 MacBook Pro models.

 

[TriBruin]

Now if it could just come standard with allowing us to use TouchID instead of typing our password.

You know that you can enable this feature. Unfortunately, it has to be re-enabled after each update.

Enabling Touch ID authorization for sudo on macOS High Sierra

My colleague @mikeymikey brought this tweet by Cabel Sasser to my attention yesterday: I have a Touch ID-enabled MacBook Pro and use sudo frequently, so I’ve implemented this on my own laptop…

derflounder.wordpress.com

 

[svanstrom]

You know that you can enable this feature. Unfortunately, it has to be re-enabled after each update.

Yup; I tend to get around to doing that only after getting annoyed a bit after every update, though. ?

Edit:

 

[Jerry Fritschle]

Reminds me of High Sierra. Waiting for the login “root” user access now.

I admit I thought of that, too. However, "sudo" is a utility found throughout unix/Linux systems. This was therefore not an "Apple" bug, but rather an update that had to come from upstream

 

[Apple_Robert]

Thank you, Apple. Glad it was taken care of quickly.

 

[hagjohn]

Now if it could just come standard with allowing us to use TouchID instead of typing our password.

Or if you are wearing an unlocked Apple Watch.

 

[sonyc91]

Apple has also fixed the bug in Supplemental Updates made available for macOS Catalina 10.15.7 and macOS Mojave 10.14.6.

Hi, is there any way to fix the bug in older OS X like 10.10 and 10.11 ?

 

[steve333]

They can fix this but they can't fix the favicon issue in the Safari Bookmark menu?

 

[vysyus]

Anyone else having kernel panics when installing? Tried twice already on my MacBook Pro 16. Fortunately, it boots back to 11.2

 

[svanstrom]

Anyone else having kernel panics when installing? Tried twice already on my MacBook Pro 16. Fortunately, it boots back to 11.2

MBP16 here; no problems whatsoever.

 

[TriBruin]

Or if you are wearing an unlocked Apple Watch.

Enabling TouchID, using the link above, for sudo also enables AppleWatch approval.

 

[posguy99]

Hi, is there any way to fix the bug in older OS X like 10.10 and 10.11 ?

Did you check to see if they were subject to it?

 

[Robert.Walter]

Hoping & praying that a fix will come to allow my MBP to work off the battery....as soon as I updated to Big Sur...my battery says 1% contact service...now it only works when its plugged in....so much for portability

With a battery issue like that, sounds more like Bug Sur. ?