Wind River Support Network


Wind River Security Vulnerability Notice: Heap-based buffer overflow in Sudo, CVE-2021-3156

Released: --

Summary

Wind River Security Vulnerability Notice: CVE-2021-3156 in sudo may affect Wind River Linux


Affected Product Versions

Wind River Linux CD, Wind River Linux LTS 19, Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9

Description

CVE-2021-3156


A heap-based buffer overflow in Sudo was found. This vulnerability:
  • is exploitable by any local user (normal users and system users, sudoers and non-sudoers), without authentication (i.e., the attacker does not need to know the user's password);
  • was introduced in July 2011 (commit 8255ed69), and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, in their default configuration.
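As an added example that is not part of the Wind River notice, the following Python check parses a sudo version string (as printed by `sudo --version`) and reports whether it falls inside the affected ranges the notice lists; the sample version strings and output are constructed.

```python
import re
import subprocess

# Affected ranges stated in the notice, inclusive at both ends,
# encoded as (major, minor, micro, patch-level).
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # legacy 1.8.2 .. 1.8.31p2
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # stable 1.9.0 .. 1.9.5p1
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_sudo_version(version):
    """Turn '1.8.31p2' into (1, 8, 31, 2); a missing 'pN' suffix is patch level 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version string: {version!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_affected(version):
    """True when the upstream version lies in a range the notice marks as vulnerable."""
    v = parse_sudo_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def version_from_sudo_output(output):
    """Extract the version from `sudo --version` output such as
    'Sudo version 1.8.31p2'; returns None if no version line is present."""
    m = re.search(r"Sudo version (\S+)", output)
    return m.group(1) if m else None


def installed_sudo_affected():
    """Run `sudo --version` (allowed for unprivileged users) and classify the result.
    Returns (version, affected); both are None when sudo is not installed."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return None, None
    version = version_from_sudo_output(out)
    return version, (is_affected(version) if version else None)


if __name__ == "__main__":
    version, affected = installed_sudo_affected()
    print(version, "affected" if affected else "not in the affected ranges")
```

A version check is only a first pass: vendor packages often carry the upstream fix as a backport without changing the upstream version string, so confirm against the vendor's patch status before concluding a host is vulnerable.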

Affected Wind River Linux releases:

All releases including Wind River Linux LTS 19, Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9...

Affected software components:

sudo

Affected hardware:

This is a pure software issue.

Mitigation

All Wind River Linux releases affected by this issue need source patches to fix it. For details, please contact our support team.


Additional References

cve.mitre.org: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156

Warning from the sudo community: https://www.sudo.ws/alerts/unescape_overflow.html

Technical description: https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

Upstream git tree: https://github.com/sudo-project/sudo
Official patches:
https://github.com/sudo-project/sudo/commit/c0eecf85c8b0920a9398920d5f5dae0ee2804b46
https://github.com/sudo-project/sudo/commit/0754533d2445c93a380c362a185b5464c417455e
https://github.com/sudo-project/sudo/commit/1f8638577d0c80a4ff864a2aad80a0d95488e9a8
https://github.com/sudo-project/sudo/commit/c4d384082fdbc8406cf19e08d05db4cded920a55
https://github.com/sudo-project/sudo/commit/b301b46b79c6e2a76d530fa36d05992e74952ee8



Changelog

  • 1/19/2021: Initial
  • 1/26/2021: Add upstream description and resolution. Public.

Installation Notes

Please contact our support team for the detailed method to mitigate this CVE.

