Earlier this year, Qualys discovered a heap-based buffer overflow in Sudo, named ‘Baron Samedit’ (CVE-2021-3156).
A vulnerability in the command line parameter parsing code of Sudo could allow an attacker with access to Sudo to execute commands or binaries with root privileges. Baron Samedit is exploitable by any local user (normal users and system users, sudoers, and non-sudoers), without authentication.
Baron Samedit is the combination of two bugs. The first, the out-of-bounds character bug, was introduced by a fix that Sudo shipped in July 2011. The second is the heap-based buffer overflow.
Previously, Sudo did not handle spaces in command arguments properly. Commit 8255ed69 escapes the command line arguments before calling the Sudoedit plugin. Neither bug is exploitable on its own; it is this escaping arrangement that makes the heap buffer overflow exploitable.
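A first triage step for any host running Sudo is to compare the installed release against the ranges the upstream CVE-2021-3156 advisory lists as affected (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1; fixed in 1.9.5p2). The script below is an added example, not code from the page or from the Sudo project; the function names and the sample version strings are constructed for illustration.

```python
import re
import subprocess

# Affected Sudo releases for CVE-2021-3156 per the upstream advisory,
# as (major, minor, micro, patchlevel) inclusive ranges.
VULNERABLE_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # legacy 1.8.2 .. 1.8.31p2
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # stable 1.9.0 .. 1.9.5p1
)

def parse_sudo_version(text):
    """Extract 'Sudo version 1.8.31p2' (or a bare '1.9.5p2') into a
    comparable tuple (major, minor, micro, patchlevel)."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no Sudo version found in: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro or 0), int(patch or 0))

def is_vulnerable_version(version):
    """True if the release number falls inside an affected range.
    Tuple comparison orders 1.8.31p1 < 1.8.31p2 < 1.9.0 correctly."""
    return any(low <= version <= high for low, high in VULNERABLE_RANGES)

def assess(version_text):
    """Classify a `sudo --version` banner (or a version string)."""
    return "affected" if is_vulnerable_version(parse_sudo_version(version_text)) else "not affected"

def check_installed_sudo():
    """Run `sudo --version` on this host; returns None if sudo is absent."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return assess(out)

if __name__ == "__main__":
    # Constructed banners a defender might see in inventory data.
    for banner in ("Sudo version 1.8.31p2", "Sudo version 1.9.5p2"):
        print(f"{banner}: {assess(banner)}")
    print("this host:", check_installed_sudo())
```

Distributions often backport the fix without changing the release number, so an "affected" result means "confirm against the vendor advisory or package changelog", not "confirmed vulnerable".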
The Return of Baron Samedit
Hewlett Packard Enterprise (HPE) is warning that the Sudo vulnerability could allow any unprivileged and unauthenticated local user to gain root privileges on a vulnerable instance of the Aruba AirWave Management Platform. Aruba AirWave is HPE’s real-time monitoring and security alert system for wired and wireless infrastructure. It uses Sudo, an open-source program that lets a system administrator delegate authority so that certain users (or groups of users) can run some (or all) commands as root or another user.
According to a recent HPE Security Bulletin, “The Sudo flaw could be part of a “chained attack” where an attacker has achieved a foothold with lower privileges via another vulnerability and then uses this to escalate privileges”. The Sudo bug lets any local user trick Sudo into running in “shell” mode. When Sudo is running in shell mode, it escapes special characters in the command’s arguments with a backslash. Then, a policy plug-in removes any escape characters before deciding on the Sudo user’s permissions.
In the context of the Aruba AirWave management platform, the bug could be used to carry out privilege escalation attacks. “By triggering a ‘heap overflow’ in the app, it becomes possible to change a user’s low-privilege access to that of a root-level user. This is possible either by planting malware on a device or carrying out a brute force attack on a low-privilege Sudo account,” researchers explained.
The vulnerability was discovered through Aruba’s Bug Bounty Program and was assigned the ID CVE-2021-37715. The HPE report explained, “A vulnerability within the web-based management interface of AirWave could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface.”
Affected: AirWave Management Platform prior to 184.108.40.206
Resolution: Upgrade AirWave Management Platform to 220.127.116.11 or later.
HPE also suggests a technical workaround for HPE AirWave customers:
The CLI and web-based management interfaces for AirWave should be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.