A decade-old, massive and easy-to-exploit security hole (CVE-2021-3156) has been found in sudo, allowing for full root access by any unprivileged system user. This is one of those rare security bugs you can’t delay remediating.
Patches have been released for most major current distros. Unfortunately, I still have some CentOS 6 servers that, following the surprise CentOS EOL announcement in December, I repointed to vault.centos.org for patches. The needed sudo version is not available at the moment.
However, the solution isn’t complicated: just uninstall sudo and install the precompiled binary from sudo.ws. Here’s what I did:
To confirm that the current sudo version is impacted, run the command below. If the error message starts with sudoedit:, you have a problem.
sudoedit -s /
# > sudoedit: /: not a regular file
I suggest you now log into your system as root directly (use the console if you must), since sudo will be unavailable once it is erased. Then uninstall your current version of sudo and install the one you just downloaded. In my case:
yum -y erase sudo
yum -y install sudo-1.9.5-3.el8.x86_64.rpm
Now re-run the sudoedit command, and you should see the error message starting with usage:. If that is the case – mission accomplished.
sudoedit -s /
# > usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
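The before-and-after check above, wrapped as a script whose exit code can be collected from several hosts. This is an added example, not part of the original post; the function names, the --check flag and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the output of `sudoedit -s /` using the rule from
# the post: "sudoedit:" prefix = impacted, "usage:" prefix = patched.

# classify_sudoedit_output TEXT
# Prints: vulnerable | patched | unknown
classify_sudoedit_output() {
    # Only the first non-blank line of the output decides the verdict.
    first_line=$(printf '%s\n' "$1" | sed -n '/[^[:space:]]/{p;q;}')
    case "$first_line" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        # Anything else (no output, a different error, a missing binary)
        # is reported as unknown rather than guessed.
        *)          echo unknown ;;
    esac
}

# check_sudo
# Runs the probe on this host and prints the verdict.
# Returns (assumed convention): 0 = patched, 1 = vulnerable, 2 = unknown.
check_sudo() {
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo "unknown (sudoedit not found)"
        return 2
    fi
    # The command is expected to fail either way; only its message matters.
    out=$(sudoedit -s / 2>&1)
    verdict=$(classify_sudoedit_output "$out")
    echo "$verdict"
    case "$verdict" in
        patched)    return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}

# Run the probe only when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_sudo
    exit $?
fi
```

Run it as an unprivileged user with --check before the upgrade and again afterwards; an "unknown" result means the output needs to be read by hand.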