SUDO CVE-2021-3156 and how to upgrade CentOS 6

Sudo is a powerful utility built in almost all Linux distributions and we have a bad news for you – a recent privilege escalation vulnerability (CVE-2021-3156) has been discovered.

The vulnerability affects all the following sudo versions:

All legacy versions from 1.8.2 to 1.8.31p2
All stable versions from 1.9.0 to 1.9.5p1

A successful exploitation allows any unprivileged user to escalate its privileges to root on the vulnerable host. Of course, since it’s a privilege escalation vulnerability, it requires access to a local user on the vulnerable host in order to actually exploit it.

To test your host for this vulnerability just execute the next command

sudoedit -s /

In case you receive the next response

usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...

your host is safe but in case you receive the something like

sudoedit: /: not a regular file

please upgrade

For CentOS 7 and CentOS 8 this is not a problem (yum -y update sudo) but if you’re using CentOS 6 then there are no way to upgrade from the official mirrors (since CentOS 6 is EOL)

You can download the rpm files from HERE (https://www.sudo.ws/download.html#binary)

Or directly
https://github.com/sudo-project/sudo/releases/download/SUDO_1_9_5p2/sudo-1.9.5-3.el6.x86_64.rpm
https://github.com/sudo-project/sudo/releases/download/SUDO_1_9_5p2/sudo-logsrvd-1.9.5-3.el6.x86_64.rpm

Then install the rpms with

rpm -U sudo-1.9.5-3.el6.x86_64.rpm
rpm -U sudo-logsrvd-1.9.5-3.el6.x86_64.rpm

One thought on “SUDO CVE-2021-3156 and how to upgrade CentOS 6”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.