Apple Patches 10-Year-Old macOS SUDO Root Privilege Escalation Bug (Security News, February 2021)
Apple has rolled out a fix for a critical sudo vulnerability in macOS Big Sur, Catalina, and Mojave that could allow unauthenticated local users to gain root-level privileges on the system.
Sudo is a common utility built into most Unix and Linux operating systems that lets a user run a program with the security privileges of another user.
Tracked as CVE-2021-3156, the vulnerability first came to light last month after security auditing firm Qualys disclosed the existence of a heap-based buffer overflow, which it said had been "hiding in plain sight" for almost 10 years.
The vulnerability, which was introduced in the code back in July 2011, impacts sudo versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1, following which the maintainers released 1.8.32 and 1.9.5p2 to resolve the issue.
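The version ranges above are the practical inventory check a defender wants to run across a fleet. The following script is an added example (not code from the article, Qualys, or the sudo project) that parses sudo's `MAJOR.MINOR.PATCH[pN]` version strings into comparable tuples and tests them against exactly the ranges the article lists; the `sudo -V` output it parses is a constructed sample, and `check_sample_hosts` is a hypothetical helper for demonstrating the check on several hosts at once.

```python
import re
from typing import Dict, Optional, Tuple

# Inclusive vulnerable ranges for CVE-2021-3156, as stated in the article.
VULNERABLE_RANGES = [
    ("1.7.7", "1.7.10p9"),
    ("1.8.2", "1.8.31p2"),
    ("1.9.0", "1.9.5p1"),
]

# sudo versions look like 1.8.31 or 1.8.31p2 (the "pN" is a patch-level suffix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_sudo_version(version: str) -> Tuple[int, int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH[pN]' into a tuple that compares correctly.

    A missing pN counts as p0, so 1.8.31 sorts before 1.8.31p1, and 1.7.10p9
    sorts after 1.7.9 (plain string comparison would get both of these wrong).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized sudo version string: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_vulnerable(version: str) -> bool:
    """True if the upstream version falls inside one of the affected ranges."""
    v = parse_sudo_version(version)
    return any(
        parse_sudo_version(low) <= v <= parse_sudo_version(high)
        for low, high in VULNERABLE_RANGES
    )


def version_from_sudo_output(output: str) -> Optional[str]:
    """Pull the version out of `sudo -V` output, whose first line reads
    'Sudo version X.Y.Z[pN]'. Returns None if the banner is not found."""
    m = re.search(r"Sudo version (\S+)", output)
    return m.group(1) if m else None


def check_sample_hosts(outputs: Dict[str, str]) -> Dict[str, bool]:
    """Hypothetical fleet helper: map hostname -> captured `sudo -V` text,
    return hostname -> vulnerable flag. Unparseable hosts are treated as
    vulnerable so they get a human look rather than silently passing."""
    results = {}
    for host, text in outputs.items():
        version = version_from_sudo_output(text)
        try:
            results[host] = is_vulnerable(version) if version else True
        except ValueError:
            results[host] = True
    return results


if __name__ == "__main__":
    # Constructed sample output, not captured from a real machine.
    sample = {
        "web-01": "Sudo version 1.8.31p2\nSudoers policy plugin version 1.8.31p2\n",
        "web-02": "Sudo version 1.9.5p2\nSudoers policy plugin version 1.9.5p2\n",
        "build-07": "sudo: command not found\n",
    }
    for host, flagged in check_sample_hosts(sample).items():
        print(f"{host}: {'NEEDS REVIEW' if flagged else 'ok'}")
```

One caveat when using this against real hosts: the upstream version string alone is not proof of exposure, because Linux distributions commonly backport the fix into their existing package version without bumping the number that `sudo -V` reports. Treat a match here as a prompt to confirm against the distribution's package changelog or advisory, not as a final verdict.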
British security researcher Matthew Hickey discovered that the vulnerability also extended to the latest version of macOS Big Sur 11.2, prompting Apple to address the security shortcoming.
Besides the fix for the sudo vulnerability, Tuesday's supplemental security update also includes patches for two flaws in Intel Graphics Driver, which could cause an application to execute arbitrary code with kernel privileges.
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-26 | CVE-2021-3156 | Off-by-one Error vulnerability in multiple products. Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character. Attack vector: local, low complexity. Affected vendors: sudo-project, fedoraproject, debian, netapp, mcafee, synology, beyondtrust, oracle. Weakness: CWE-193. | 7.8 |