Fixing Sudo
A decade-old massive and easy-to-exploit security hole (CVE-2021-3156) has been found in sudo, allowing for full root access by any unprivileged system user. This is one of those rare security bugs you can’t delay remediating.
Patches have been released for most major current distros. Unfortunately, I still have some CentOS 6 servers that, following the surprise CentOS EOL announcement in December, I repointed to vault.centos.org for patches. Unfortunately, the needed sudo is not available at the moment.
However, the solution isn’t complicated: just uninstall sudo and install the precompiled binary from sudo.ws. Here’s what I did:
To confirm that the current sudo version is impacted, run the command below. If the error message starts with sudoedit:, then you have a problem.
sudoedit -s /
# > sudoedit: /: not a regular file
Go to the developer’s site and download the appropriate compiled version for your distro. The version needs to be 1.9.5p2 (1.9.5-3). For CentOS 6, I got this one.
I suggest you now log into your system as root directly (use console if you must), uninstall your current version of sudo and install the one you just downloaded. In my case:
yum -y erase sudo
yum -y install sudo-1.9.5-3.el8.x86_64.rpm
Now re-run the sudoedit command, and you should see the error message starting with usage:. If that is the case – mission accomplished.
sudoedit -s /
# > usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
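The before-and-after check above can be scripted for several hosts. The following is an added example, not part of the original post: the function names and the OK/FAIL/REVIEW verdicts are assumptions of this sketch, and the sudo -V lines in the demo are constructed. REVIEW covers a probe that looks fixed while the reported version is below the 1.9.5p2 named above, which needs a manual look.

```shell
#!/bin/sh
# Added example: automate the sudoedit probe and the version requirement.
# On a live host: verdict "$(sudoedit -s / 2>&1)" "$(sudo -V 2>&1)"

# classify_probe TEXT: judge the first non-blank line of the probe output.
classify_probe() {
    first=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*//; /./{p;q;}')
    case "$first" in
        sudoedit:*) echo VULNERABLE ;;  # prefix the post flags as a problem
        usage:*)    echo PATCHED ;;     # prefix the post expects after the fix
        *)          echo UNKNOWN ;;     # no output, missing binary, other text
    esac
}

# version_ge A B: succeed when sudo version A >= B (understands the pN suffix).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.p]/); nb = split(b, y, /[.p]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {          # a missing field counts as 0
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# verdict PROBE_TEXT SUDO_V_TEXT: print OK, FAIL or REVIEW.
verdict() {
    # First line of `sudo -V` reads "Sudo version X.Y.ZpN".
    ver=$(printf '%s\n' "$2" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p;q')
    case "$(classify_probe "$1")" in
        VULNERABLE) echo FAIL ;;
        PATCHED)
            if [ -n "$ver" ] && version_ge "$ver" 1.9.5p2; then
                echo OK
            else
                echo REVIEW   # probe looks fixed, version lower or unreadable
            fi ;;
        *) echo REVIEW ;;
    esac
}

# Demo: the two probe outputs quoted in the post, with constructed versions.
verdict 'sudoedit: /: not a regular file' 'Sudo version 1.8.6p3'
verdict 'usage: sudoedit [-AknS] file ...' 'Sudo version 1.9.5p2'
```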