
Apple Patches 10-Year-Old macOS SUDO Root Privilege Escalation Bug
2021-02-10 04:57

Apple has rolled out a fix for a critical sudo vulnerability in macOS Big Sur, Catalina, and Mojave that could allow unauthenticated local users to gain root-level privileges on the system.

Sudo is a common utility built into most Unix and Linux operating systems that lets an unprivileged user run a program with the privileges of another user, typically root.

Tracked as CVE-2021-3156, the vulnerability first came to light last month after security auditing firm Qualys disclosed the existence of a heap-based buffer overflow, which it said had been "hiding in plain sight" for almost 10 years.

The vulnerability, which was introduced in the code back in July 2011, affects sudo versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1; the maintainers released 1.8.32 and 1.9.5p2 to resolve the issue.

British security researcher Matthew Hickey discovered that the vulnerability also extended to the latest version of macOS Big Sur 11.2, prompting Apple to address the security shortcoming.

Besides the fix for the sudo vulnerability, Tuesday's supplemental security update also includes patches for two flaws in Intel Graphics Driver, which could cause an application to execute arbitrary code with kernel privileges.
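As an added example (not part of the original article or of the sudo project), the following script checks whether a host's `sudo --version` falls inside the affected ranges listed above. It assumes the standard `Sudo version X.Y.Z[pN]` banner; the range list is taken directly from the article.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected ranges as listed in the article (inclusive); 1.8.32 and 1.9.5p2 carry the fix.
VULNERABLE_RANGES = [
    ("1.7.7", "1.7.10p9"),
    ("1.8.2", "1.8.31p2"),
    ("1.9.0", "1.9.5p1"),
]

# sudo versions look like 1.9.5 or 1.9.5p2; the optional "pN" is a patch level.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_sudo_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.8.31p2' into a comparable tuple (1, 8, 31, 2); no 'p' suffix means patch 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version string: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the ranges reported for CVE-2021-3156."""
    v = parse_sudo_version(version)
    return any(parse_sudo_version(lo) <= v <= parse_sudo_version(hi)
               for lo, hi in VULNERABLE_RANGES)


def version_from_banner(banner: str) -> Optional[str]:
    """Pull the version out of `sudo --version` output ('Sudo version 1.9.5p2' on its first line)."""
    m = re.search(r"^Sudo version (\S+)", banner, re.MULTILINE)
    return m.group(1) if m else None


def check_local_sudo() -> Optional[bool]:
    """Run `sudo --version` (needs no privileges); None if sudo is absent or the banner is unexpected."""
    try:
        proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True)
    except OSError:
        return None
    version = version_from_banner(proc.stdout)
    return is_affected(version) if version else None


if __name__ == "__main__":
    result = check_local_sudo()
    print({None: "could not determine sudo version",
           True: "sudo version is in an affected range: update",
           False: "sudo version is outside the affected ranges"}[result])
```

Vendors that backport the fix without changing the version string (some Linux distributions do) will show as affected here, so treat a hit as a prompt to consult the vendor advisory rather than as proof of exposure.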


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/PCUlk8WHpbM/apple-patches-10-year-old-macos-sudo.html

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                    RISK
2021-01-26  CVE-2021-3156   Off-by-one Error vulnerability in multiple products    7.8
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apple 68 212 1433 2208 257 4110