The Sudo vulnerability also affects macOS, and is not yet patched

macOS Big Sur sudo

Last January 27, just a week ago today, we did echo of a vulnerability in Sudo that affected Linux-based operating systems. That was what we understood, because that was how they explained it, from the official information, where they mentioned Ubuntu, Debian and Fedora as affected systems. They also mentioned that it probably affected other distributions as well, and today we have learned that among the affected operating systems there are also others based on UNIX, such as BSD and the MacOS Apple.

The vulnerability was discovered by Qualys, a company based in California, or more specifically they were those who managed to exploit a vulnerability that had existed for about ten years. Linux users are already protected, but macOS users are still not. This has been confirmed by Matthew Hickey, from Hacker House, ensuring that the sudo vulnerability it also affects the system used by Macs.

More difficult to fix on macOS than on Linux

CVE-2021-3156 also affects Apple's macOS Big Sur (currently unpatched), you can enable exploiting the problem by symbolically linking sudo to sudoedit and then activating heap overflow to scale privileges from one to 1337 uid = 0 . Fun for @ p0sixninja.

From what we can read in the Hickey's Twitter accountit's one of the most devastating bugs in UNIX / Linux historyas it affected Linux and continues to affect macOS, Solaris, and other non-glibc systems. And as for Apple's system, developers can create the patch, but it could still take a while for the company to apply it to its operating system. Affects up to macOS 11.2.

To some developers, like osxreserver, they find it funny that, although they know how to fix it themselves, they can't do it due to private rights, so they will have to wait for Apple to release an update to solve a bug that in Linux has been corrected for a week. And that's one of the positives of using software like the one we use around here.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.