Sudo bug also found to affect macOS

News
By published

Apple has not patched the vulnerability yet

Hacker Typing
(Image credit: Shutterstock)

A vulnerability found last week that was originally thought to only affect the Linux and BSD operating systems is now believed to impact macOS as well. The security flaw, tracked as CVE-2021-3156, affects Sudo, an app used by administrators to grant root access to other users.

The sudo vulnerability was discovered by researchers at cybersecurity firm Qualys, who detailed how the bug could be used to carry out privilege escalation attacks. By triggering a “heap overflow,” in the app, it becomes possible to change a user’s low-privilege access to that of a root-level user. This is possible either by planting malware on a device or carrying out a brute force attack on a low-privilege sudo account.

Now, British security researcher Matthew Hickey has noted that the most recent version of macOS contains the Sudo app. He discovered that, with a few minor modifications, the CVE-2021-3156 vulnerability was effective on macOS devices.

Patched or not

Hickey’s findings have been independently verified by other security experts but have reportedly not yet been acted upon by Apple itself. Hickey has said that Apple has been informed of the issue but no patch was included in the most recent security update released earlier this week.

Qualys researchers have determined that the sudo vulnerability has been exploitable for more than a decade but attacks are much more likely to occur now the flaw has been publicly disclosed. Fortunately, CVE-2021-3156 has been patched for the operating systems that it was originally discovered to be affecting.

Users can also test if their system is vulnerable to the sudo vulnerability by running the command “sudoedit -s /”. If the system remains vulnerable, it will respond with an error message starting with “sudoedit:” while a patched system will respond with an error that starts with “usage:”.

Via ZDNet

Barclay Ballard
Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things. 

Latest in Security
ransomware avast
Ransomware attacks are costing Government offices a month of downtime on average
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
Data leak
Top collectibles site leaks personal data of nearly a million users
Spyware
Stalkerware data breach potentially hits over 2 million users, including thousands of Apple devices
An American flag flying outside the US Capitol building against a blue sky
Five Eyes "cannot replace US intel in Ukraine", claims former US Cyber Command Chief
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Criminals are using a virtual hard disk image file to host and distribute dangerous malware
Latest in News
Wonka poster
Netflix cooks up sweet new reality TV series based on Charlie and the Chocolate Factory, and it's a dream come true for me
Citroen 2CV
The retro EV resurgence is in full swing, as Citroen confirms the iconic 2CV will return with batteries
Hugging Snap
This AI app claims it can see what I'm looking at – which it mostly can
Apple iPhone 16 Pro Max REVIEW
The latest batch of leaked iPhone 17 dummy units appear to show where glass meets metal on the new designs
Hornet swings their weapon in mid air
Hollow Knight: Silksong could potentially launch this year and I reckon it could be a great game for an Xbox handheld
ransomware avast
Ransomware attacks are costing Government offices a month of downtime on average
More about security
ransomware avast

Ransomware attacks are costing Government offices a month of downtime on average
Data leak

Top collectibles site leaks personal data of nearly a million users
Agent 47 holding up duel pistols with a PSVR 2 headset outline over his head

I can’t believe it either, Hitman on PSVR 2 is actually, finally a great VR port of the World of Assassination trilogy – and my new favorite way to play the series
See more latest
Most Popular
Wonka poster
Netflix cooks up sweet new reality TV series based on Charlie and the Chocolate Factory, and it's a dream come true for me
Google NotebookLM on a MacBook.
Google’s NotebookLM adds Mind Maps to its string of research tools to help you learn faster than ever
Mark S and Helly R standing by their desks bathed in blue light in Severance's season 2 finale
Severance season 2 episode 10 ending explained: what does Mark do, who dies, will there be a season 3, and more big questions answered
YouTube Premium
Would you pay for better sound on YouTube? The video-sharing platform could soon let you control audio quality, but it'll cost you
Hugging Snap
This AI app claims it can see what I'm looking at – which it mostly can
Citroen 2CV
The retro EV resurgence is in full swing, as Citroen confirms the iconic 2CV will return with batteries
I Hate This Place artwork
Bloober Team is keeping busy as it announces its next survival horror game I Hate This Place and offers a new look at its upcoming title Cronos: The New Dawn
Equal1 Bell-1 quantum computer
This is the first quantum computer you can actually buy (and use, and power): Equal1's Bell-1 uses a standard power socket
Ryzen AI Max+ 395
Obscure Chinese PC vendor gets preferential AMD treatment as Lisa Su signs first desktop PC with Ryzen AI Max+ 395 ahead of May launch
Apple iPhone 16 Pro Max REVIEW
The latest batch of leaked iPhone 17 dummy units appear to show where glass meets metal on the new designs