Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
54,690
16,872


A sudo bug that can grant an attacker root access has been discovered to affect macOS Big Sur (via ZDNet).

sudo-bug-macos.jpg


The security vulnerability, identified last week as "CVE-2021-3156" by the Qualys Security Team, affects sudo, which is a program that allows users to run commands with the security privileges of another user, such as an administrator. The bug triggers a "heap overflow" in sudo that changes the current user's privileges to enable root-level access. This can give an attacker access to the entire system. An attacker would need to gain low-level access to a system first to be able to exploit the bug, such as via planted malware.

Sudo is part of many Unix-like systems, including macOS, but it was initially unknown if the vulnerability affected Mac machines since it was only tested by Qualys on Ubuntu, Debian, and Fedora. Security researcher Matthew Hickey has now confirmed that the most recent version of macOS, macOS Big Sur 11.2 can be subject to the sudo attack.



Last week, there was speculation that the macOS Big Sur 11.2 update may address the sudo vulnerability, though it was not definitively known at the time if the bug would affect macOS. While it was found that sudo was left unchanged in macOS Big Sur 11.2, it is now clear that macOS is affected by the exploit.

With some minor modifications, Hickey found that the sudo bug could be used to grant attackers access to macOS root accounts, and the discovery has now been verified by Carnegie Mellon University vulnerability analyst Will Dormann.



Apple has reportedly been notified of the CVE-2021-3156 vulnerability, and due to the severity of the issue, a patch will likely be released soon.

Article Link: Root Access Sudo Bug Found to Affect macOS Big Sur
 
  • Like
  • Wow
Reactions: DeepIn2U and rafark

||\||

Suspended
Nov 21, 2019
419
683
This vulnerability has been present for more than a decade in all sorts of UNIXes! It's not something at all limited to Apple's QA...
So, mostly free OSes. That's not much of a defense....

Devs knew about the potential, and chose not to address it. They would rather rush a beta product to market.

"Last week, there was speculation that the macOS Big Sur 11.2 update may address the sudo vulnerability, though it was not definitively known at the time if the bug would affect macOS. While it was found that sudo was left unchanged in macOS Big Sur 11.2, it is now clear that macOS is affected by the exploit."
 
Last edited:

tjx

macrumors newbie
Jun 13, 2012
6
1
Does this bug affect su as well? I run a non administrator account as my main user account, so sudo doesn’t work.
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,329
5,476
I'd think we'd have better tools/procedures for finding bugs like this a lot sooner.

Is there not an automated tool that can look at some code and say "hey, right here it's possible for a heap overflow to occur and there's no error handling code to deal with it"?
 
  • Like
Reactions: xmach

AttoA

macrumors newbie
Feb 1, 2021
27
134
Does this bug affect su as well? I run a non administrator account as my main user account, so sudo doesn’t work.
This bug affects all (at least non-ancient) versions of macOS. The exploit works on all types of account, not just administrators, so you are also vulnerable (for now).
 

opfor

macrumors member
Jul 27, 2014
30
37
I'd think we'd have better tools/procedures for finding bugs like this a lot sooner.

Is there not an automated tool that can look at some code and say "hey, right here it's possible for a heap overflow to occur and there's no error handling code to deal with it"?
Sure there are tools that catch some of these problems via static analysis etc and there are languages where this class of problems might not even occur.

But it is also true that the day that the CVE was released I updated my Linux servers and got a fixed/patched sudo, while even macOS 11.3 beta1 still has the issue, so this is also indicative of Apple release engineering capabilities, or lack of them.
 

laz232

macrumors 6502a
Feb 4, 2016
674
1,318
At a café near you
Does this bug affect su as well? I run a non administrator account as my main user account, so sudo doesn’t work.
Annoying that the Macrumors (and others) don't explicitly mention, but yes - I think the bug exists for most macOS versions and does not require a user that is in the sudo list, as per:
"Formally cataloged as CVE-2021-3156, the vulnerability has been named Baron Samedit. The moniker seems to be a play on Baron Samedi and the sudoedit utility since the latter is used in one of the exploit paths. By exploiting this vulnerability, any unprivileged local user can have unfettered root privileges on the vulnerable host. In more technical terms, the bug involves controlling the size of the “user_args” buffer (which is meant for sudoers matching and logging) in order to perform the buffer overflow and incorrectly unescape backslashes in the arguments to obtain root privileges."
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.