CVE-2021-3156
Published: 26 January 2021
Summary
CVE-2021-3156 is a high-severity Off-by-one Error (CWE-193) vulnerability in Sudo (Sudo Project). Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
Sudo before version 1.9.5p2 is affected by an off-by-one error that produces a heap-based buffer overflow, tracked as CVE-2021-3156 and assigned CWE-193. The flaw resides in the command-line argument handling path used by sudoedit when invoked with the -s flag.
Local attackers who are already permitted to run sudoedit can trigger the overflow by supplying a command-line argument that terminates with a single backslash character, resulting in full root privilege escalation on the host. The vulnerability carries a CVSS 3.1 base score of 7.8 under the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Public exploit code demonstrating the issue against multiple Sudo releases has been posted to Packet Storm, confirming that working proof-of-concept attacks exist for versions prior to the 1.9.5p2 fix.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-26500
Vulnerability details
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
- CWE(s): CWE-193
- KEV Date Added: 06 April 2022
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the sudo 1.9.5p2 patch, which eliminates the off-by-one heap overflow.
- AC-6 (Least Privilege): enforces least-privilege sudoers rules so that only the minimal set of users can ever invoke sudoedit, shrinking the local attacker population.
- Disabling or restricting the sudoedit binary and its -s flag entirely, where those features are not required, blocks the vulnerable code path.
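The two controls above (patch to 1.9.5p2, and least-privilege sudoers rules) can be turned into a quick defender-side audit. The script below is an added example written for this record, not tooling from the Sudo project or the CVE catalog; it assumes a POSIX sh with sed, cut and awk, and the sudoers text it checks is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the CVE record): two defender-side checks for
# CVE-2021-3156. Assumes a POSIX sh with sed, cut and awk available.

# Normalise a possibly empty or non-numeric field to an integer.
num() {
    case "$1" in
        ''|*[!0-9]*) printf '0' ;;
        *) printf '%s' "$1" ;;
    esac
}

# Return 0 (true) when the version string, given either bare ("1.8.31p2")
# or as the first line of `sudo --version` ("Sudo version 1.8.31"), is
# older than the 1.9.5p2 upstream fix; return 1 otherwise.
sudo_version_before_fix() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*[Ss]udo version \([0-9][0-9.p]*\).*/\1/p')
    [ -n "$v" ] || v=$1
    major=$(num "$(printf '%s' "$v" | cut -d. -f1)")
    minor=$(num "$(printf '%s' "$v" | cut -d. -f2)")
    rest=$(printf '%s' "$v" | cut -d. -f3)
    patch=$(num "${rest%%p*}")
    case "$rest" in
        *p*) plevel=$(num "${rest#*p}") ;;
        *)   plevel=0 ;;
    esac
    # Pack the four components into one integer so a plain numeric
    # comparison orders versions correctly (1.9.5p1 < 1.9.5p2 < 1.9.6).
    have=$((major * 1000000 + minor * 10000 + patch * 100 + plevel))
    fix=$((1 * 1000000 + 9 * 10000 + 5 * 100 + 2))   # 1.9.5p2
    [ "$have" -lt "$fix" ]
}

# Read sudoers text on stdin and print every rule whose command list
# grants sudoedit, either by name or through ALL. Defaults and alias
# definitions are skipped and aliases are not expanded (a limitation of
# this hypothetical audit helper). Returns 0 if any such rule was found.
sudoers_grants_sudoedit() {
    awk '
        { sub(/#.*/, "") }                                  # drop comments
        /^[ \t]*$/ { next }                                 # skip blank lines
        /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/ { next }       # skip non-rules
        {
            line = $0
            # strip "user host=(runas)" so only the command list remains
            sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", line)
            if (line ~ /(^|[ \t,:])(ALL|sudoedit)([ \t]|,|$)/) {
                print $0
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample sudoers text for demonstration (not a real file).
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
%admin ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD: sudoedit /etc/hosts
bob ALL=(root) /usr/bin/systemctl restart nginx'

if sudo_version_before_fix "Sudo version 1.8.31"; then
    echo "sample version 1.8.31 predates the 1.9.5p2 fix: check vendor advisories"
fi
echo "rules in the sample that grant sudoedit:"
printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_grants_sudoedit || echo "(none)"
```

On a real host, feed `sudo --version | head -n 1` to the first function and `cat /etc/sudoers /etc/sudoers.d/*` to the second. Treat a version hit as a candidate rather than a verdict: distribution packages frequently backport the fix while keeping an older upstream version number, so the package changelog or vendor advisory is the authoritative source. The rule audit is the practical side of AC-6 here: every rule it prints is an account that would have been in the local attacker population for this bug.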