
Fixing sudo vulnerability CVE-2021-3156

Vinayak Pandey
Feb 1, 2021

In this post, we’ll see how to check whether our sudo version is affected by CVE-2021-3156 and how to fix it.

You can check your sudo version with sudo -V and confirm whether it is affected by this vulnerability.

As per https://sysdig.com/blog/cve-2021-3156-sudo-falco/, this vulnerability affects the following sudo versions:

  • All legacy versions from 1.8.2 to 1.8.31p2
  • All stable versions from 1.9.0 to 1.9.5p1

You can also confirm the vulnerability status by running the sudoedit -s / command. As per https://sysdig.com/blog/cve-2021-3156-sudo-falco/, based on the response, we can figure out whether the host is vulnerable:

  • Vulnerable if it responds with an error starting with sudoedit:
  • Not vulnerable or patched if it responds with an error starting with usage:

I have executed the command on a fresh Ubuntu 18.04 server running on AWS and the output shows that my sudo is vulnerable.
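
Because distribution packages typically backport the fix without changing the version that sudo -V prints, the added example below (not code from the original post) scripts both checks and lets the sudoedit -s / response override the version range when it is conclusive. The function names are hypothetical, the sample inputs are constructed, and version strings are assumed to have the upstream form such as 1.8.31p2.

```shell
# Added example (not from the original post): the post's two checks as functions.
# Turn "1.8.31p2" into a sortable number (major, minor, micro, patch level).
ver_key() {
    printf '%s\n' "$1" | awk -F'[.p]' '
        /^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$/ {
            printf "%d%03d%03d%03d\n", $1, $2, $3, $4; ok = 1
        }
        END { exit !ok }'
}

# in_range VERSION LOW HIGH: true when LOW <= VERSION <= HIGH.
in_range() {
    v=$(ver_key "$1") && lo=$(ver_key "$2") && hi=$(ver_key "$3") || return 2
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Affected ranges as quoted in the post; unparseable versions are "unknown".
version_status() {
    ver_key "$1" >/dev/null || { echo unknown; return 0; }
    if in_range "$1" 1.8.2 1.8.31p2 || in_range "$1" 1.9.0 1.9.5p1; then
        echo affected; else echo not-affected; fi
}

# Classify the first line printed by: sudoedit -s / 2>&1
probe_status() {
    case $1 in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo not-vulnerable ;;
        *)          echo unknown ;;
    esac
}

# The probe decides when it is conclusive; otherwise fall back to the version.
verdict() {
    p=$(probe_status "$2")
    if [ "$p" != unknown ]; then echo "$p"; return 0; fi
    case $(version_status "$1") in
        affected)     echo vulnerable ;;
        not-affected) echo not-vulnerable ;;
        *)            echo unknown ;;
    esac
}

# Constructed sample inputs: version string, first line of probe output.
verdict 1.8.21p2 'sudoedit: /: not a regular file'  # unpatched host
verdict 1.8.21p2 'usage: sudoedit [-AknS] ...'       # same version, backported fix
verdict 1.9.5p2  ''                                  # no probe output, version only
```

On a real host, pass the output of sudo -V | sed -n '1s/^Sudo version //p' as the first argument and the first line of sudoedit -s / 2>&1 as the second.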

Fix for CentOS: sudo yum update sudo

Fix for Ubuntu: sudo apt-get update && sudo apt-get upgrade sudo

Fix for Amazon Linux: If you launch a new instance with Amazon AMI, it’s already fixed. For older instances sudo yum update sudo should work.

Once you execute these commands, you can verify the status by executing sudoedit -s / again.

Note: You can also download binaries from https://www.sudo.ws/download.html#binary and install them on the server.

For CentOS7: sudo rpm -Uvh https://github.com/sudo-project/sudo/releases/download/SUDO_1_9_5p2/sudo-1.9.5-3.el7.x86_64.rpm

For Ubuntu18: wget https://github.com/sudo-project/sudo/releases/download/SUDO_1_9_5p2/sudo_1.9.5-3_ubu1804_amd64.deb && sudo dpkg -i sudo_1.9.5-3_ubu1804_amd64.deb
