Sudo bug also found to affect macOS

News
By published

Apple has not patched the vulnerability yet

Hacker Typing
(Image credit: Shutterstock)

A vulnerability found last week that was originally thought to only affect the Linux and BSD operating systems is now believed to impact macOS as well. The security flaw, tracked as CVE-2021-3156, affects Sudo, an app used by administrators to grant root access to other users.

The sudo vulnerability was discovered by researchers at cybersecurity firm Qualys, who detailed how the bug could be used to carry out privilege escalation attacks. By triggering a “heap overflow,” in the app, it becomes possible to change a user’s low-privilege access to that of a root-level user. This is possible either by planting malware on a device or carrying out a brute force attack on a low-privilege sudo account.

Now, British security researcher Matthew Hickey has noted that the most recent version of macOS contains the Sudo app. He discovered that, with a few minor modifications, the CVE-2021-3156 vulnerability was effective on macOS devices.

Patched or not

Hickey’s findings have been independently verified by other security experts but have reportedly not yet been acted upon by Apple itself. Hickey has said that Apple has been informed of the issue but no patch was included in the most recent security update released earlier this week.

Qualys researchers have determined that the sudo vulnerability has been exploitable for more than a decade but attacks are much more likely to occur now the flaw has been publicly disclosed. Fortunately, CVE-2021-3156 has been patched for the operating systems that it was originally discovered to be affecting.

Users can also test if their system is vulnerable to the sudo vulnerability by running the command “sudoedit -s /”. If the system remains vulnerable, it will respond with an error message starting with “sudoedit:” while a patched system will respond with an error that starts with “usage:”.

Via ZDNet

Barclay Ballard
Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things. 

Latest in Security
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Oracle
Oracle denies data breach after hacker claims to hold six million records
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
Latest in News
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
Android 16 logo on a phone
Here's how Android 16 will upgrade the screen unlocking process on your Pixel
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations
More about security
Oracle

Oracle denies data breach after hacker claims to hold six million records
IBM office logo

IBM to provide platform for flagship cyber skills programme for girls
Surface Laptop 7

Amazon warns customers about the Surface Laptop – and it’s not just bad news for Microsoft
See more latest
Most Popular
Surface Laptop 7
Amazon warns customers about the Surface Laptop – and it’s not just bad news for Microsoft
vector isometric illustration of a handheld gaming console
SteamOS is about to change handheld gaming PCs as HP finally considers ditching Windows 11
Oracle
Oracle denies data breach after hacker claims to hold six million records
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
De'Longhi Linea Classic espresso machine on kitchen counter with hot and cold coffee drinks
I'm a qualified barista, and De'Longhi's latest espresso machine could be this year's best budget buy for coffee lovers
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
A Minecraft sheep.
Minecraft developer rejects generative AI, 'it's important that it makes us feel happy to create as humans'
Nvidia AMD
Nvidia rumors suggest it's working on two affordable GPUs to spoil AMD's party