The vulnerability, disclosed last week as CVE-2021-3156 (aka Baron Samedit) by security researchers from Qualys, impacts Sudo, the utility that lets admins delegate limited root privileges to other users. Qualys researchers found that they could trigger a heap-based buffer overflow in Sudo and use it to escalate from an unprivileged local account to root, giving the attacker control of the whole system. The only precondition for exploiting the bug is local access to the system, which, the researchers said, an attacker could obtain by planting malware on the device or by brute-forcing a low-privileged service account. In their report last week, Qualys researchers said they had only tested the issue on Ubuntu, Debian, and Fedora. They said other UNIX-like operating systems were likely affected as well, but most security researchers read that as pointing to BSD, another major OS that also ships with the Sudo app.
Latest MacOS version also impacted
But as Matthew Hickey, the co-founder of Hacker House, pointed out on Twitter today, the latest version of MacOS also ships with the Sudo app. Hickey said he tested the CVE-2021-3156 vulnerability and found that, with a few modifications, the bug could be used to obtain root on MacOS as well. “To trigger it, you just have to overwrite argv[0] or create a symlink, which therefore exposes the OS to the same local root vulnerability that has plagued Linux users the last week or so,” Hickey told ZDNet today, prior to sharing a video of the bug in question. (Sudo decides whether to run in edit mode from its own program name, which is why either a symlink named sudoedit or an execve() call with argv[0] set to "sudoedit" is enough to reach the vulnerable code path.) His findings were privately and independently verified and confirmed to ZDNet by Patrick Wardle, one of today’s leading MacOS security experts, and publicly by Will Dormann, a vulnerability analyst at Carnegie Mellon University’s CERT Coordination Center. Hickey told ZDNet the bug could be exploited on the latest version of MacOS even after applying the security patches Apple released on Monday. The researcher said he notified Apple of the issue earlier today. Apple declined to comment while it investigates the report; however, even without official confirmation from the Cupertino-based tech giant, a patch is to be expected for an issue this serious. In addition, other researchers found that the bug could also be exploited on IBM AIX systems.
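For readers who want to check their own machines, the following script is an added example and not code from ZDNet, Qualys, or Hacker House. It relies on the publicly documented self-test for CVE-2021-3156: a vulnerable Sudo accepts the shell flag in edit mode and gets as far as complaining that "/" is not a regular file, while a patched Sudo rejects the flag combination and prints its usage text. On MacOS, where no sudoedit link exists by default, it reproduces Hickey's symlink trick in a private temporary directory so that Sudo sees "sudoedit" as its program name. It exploits nothing; it only reads Sudo's first error line. The path /usr/bin/sudo and the exact "sudoedit:" and "usage:" message prefixes are assumptions about the host's build.

```shell
#!/bin/sh
# Added example: local self-check for CVE-2021-3156 (Baron Samedit).
# Assumptions: sudo lives at /usr/bin/sudo and prints its errors with the
# documented "sudoedit:" / "usage:" prefixes. Run as an unprivileged user.

# Classify the first line printed by "sudoedit -s /".
#   "sudoedit: /: not a regular file"  -> vulnerable (shell mode reached edit path)
#   "usage: sudoedit ..."              -> patched    (-s rejected in edit mode)
#   anything else                      -> unknown    (sudo missing, other error)
classify_sudo_probe() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Run the probe. On Linux, sudoedit is normally a symlink to sudo already.
# On MacOS there is no such link, which is exactly why the trigger needs a
# symlink or a forged argv[0]: sudo decides it is in edit mode from its own
# program name. We create the link under mktemp -d rather than in any
# system path, and remove it afterwards.
probe_sudo() {
    tmp=""
    probe=$(command -v sudoedit 2>/dev/null)
    if [ -z "$probe" ]; then
        tmp=$(mktemp -d) || return 1
        ln -s /usr/bin/sudo "$tmp/sudoedit"
        probe="$tmp/sudoedit"
    fi
    # "-s /" requests a shell-mode edit of "/", which can never succeed,
    # so no file is touched whether or not the host is vulnerable.
    # stdin is /dev/null so an unexpected password prompt fails immediately.
    first_line=$("$probe" -s / 2>&1 </dev/null | head -n 1)
    [ -n "$tmp" ] && rm -rf "$tmp"
    classify_sudo_probe "$first_line"
}

# Only probe the live system when explicitly asked:  sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    printf 'sudo on this host looks: %s\n' "$(probe_sudo)"
fi
```

The classifier is kept separate from the probe so the message matching can be tested without Sudo installed; "unknown" is the honest answer when Sudo is absent or prints something unexpected, and should be investigated rather than read as "patched". A "vulnerable" result on a MacOS host that has applied Apple's latest updates is consistent with what Hickey reported above.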