Sudo bug can give someone using any Mac user account full access to the system

A bug has been disclosed in sudo (a part of Unix-style OSes, including Mac, that allows a user to take on elevated privileges over the computer) that could allow any local user to get full access. I know that the old rule is that any time there is physical access, security is assumed breached, but still… man, this seems like a bad one.

Based on the test recommended by the researchers who found the bug, the latest Mac OS is vulnerable, but a patch for the sudo program has been released, so hopefully Apple will roll it into the next update. In the meantime I’d be curious if those who know this stuff better have any recommended steps to take — other than keeping bad people away from your Mac.

1 Like

Since sudo is a command line tool, just keep people away from your Mac, local or remote. The simplest thing to do, if you don’t use sudo, is to open Terminal and use sudo once to turn off the execute bits so no one can use sudo: “sudo chmod 400 /usr/bin/sudo”. sudo itself has some built-in security with a “sudoers” file and directory, but I haven’t read the article so I don’t know if the buffer overflow gets around that (sudoers is basically a list of all users on a machine that are allowed to use sudo). But since the security model of later macOS versions has changed, even the super user can’t do a lot of things in macOS, and since people can’t usually log into a Mac from the outside, I’m not sure how much of a problem this actually is. I’m sure Apple will fix it soon, and I don’t intend to take any precautions, since no one outside can get a shell prompt on my Macs anyway.

1 Like

Debian has already back-ported the fix and has published it to their security channel:

It looks, however, like Raspbian (which is built from Debian sources) hasn’t yet updated. I expect it will in a day or so.

Particularly in the Windows world, but it could be applied in the Mac world as well, you could adopt the practice of only logging in as a non-admin, i.e. non-sudoer level, user.

For non-home users you should, where possible, issue laptops with user accounts that are not given admin-level access. Jamf Connect can help achieve this.

Reading the provided info on the vulnerability, the fault is in the ‘sudoedit’ command, not the normally used ‘sudo’ command. That vulnerable command is not critical to managing a ‘sudo’ setup by generally knowledgeable IT people, so making ‘sudoedit’ un-executable or even hidden until patched could be a way to mitigate this exposure’s risk temporarily.

Except that there is no sudoedit process or command. The only way to create the vulnerability is to make a sudoedit symlink to sudo and issue a special sudoedit command to cause a buffer overload crash that can then be exploited. All that, along with a way to exploit it, would have to be delivered as a malware script of some sort.

1 Like
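An added audit script, written for this thread rather than taken from any post in it, that checks the two things raised above: whether the installed sudo is older than a fixed version the reader supplies (the thread names none, so it is a parameter), and the link, execute and setuid state of sudo and sudoedit as the chmod suggestion and the symlink discussion describe. The paths /usr/bin/sudo and /usr/bin/sudoedit are assumed.

```shell
#!/bin/sh
# Added audit helpers (not from this thread). Assumed paths: /usr/bin/sudo and
# /usr/bin/sudoedit. The fixed sudo version is NOT given on this page, so it is
# passed in by the reader from the vendor advisory.

# Turn "1.9.5p2"-style versions into zero-padded fields ("0001 0009 0005 0002")
# so that a plain string comparison orders them correctly (10 sorts after 9).
sudo_ver_key() {
    printf '%s' "$1" | sed 's/p/./; s/[^0-9.]//g' |
        awk -F. '{ printf "%04d %04d %04d %04d", $1, $2, $3, $4 }'
}

# Exit status 0 when the installed version ($1) is older than the fixed one ($2).
sudo_version_is_older() {
    awk -v a="$(sudo_ver_key "$1")" -v b="$(sudo_ver_key "$2")" \
        'BEGIN { exit !(a < b) }'
}

# Describe one binary: symlink target (sudoedit is normally a link to sudo),
# whether it is executable, and whether the setuid bit is set.
describe_binary() {
    path=$1
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then echo "missing"; return; fi
    state=""
    [ -L "$path" ] && state="symlink->$(readlink "$path") "
    [ -x "$path" ] && state="${state}executable " || state="${state}not-executable "
    [ -u "$path" ] && state="${state}setuid" || state="${state}no-setuid"
    echo "$state"
}

# Compare the first line of `sudo --version` against the fixed version ($1).
check_installed_sudo() {
    installed=$(sudo --version 2>/dev/null | awk 'NR == 1 { print $3 }')
    [ -n "$installed" ] || { echo "sudo not found"; return 2; }
    if sudo_version_is_older "$installed" "$1"; then
        echo "sudo $installed is older than fixed version $1"; return 1
    fi
    echo "sudo $installed is at or above fixed version $1"
}

# Usage: sh sudo_audit.sh <fixed-sudo-version-from-advisory>
if [ -n "${1:-}" ]; then
    check_installed_sudo "$1"
    for b in /usr/bin/sudo /usr/bin/sudoedit; do
        printf '%s: %s\n' "$b" "$(describe_binary "$b")"
    done
fi
```

On macOS 11 /usr/bin sits on the read-only signed system volume, so the earlier chmod on /usr/bin/sudo will fail there; the version check and the binary report still work.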

It looks like Apple fixed the sudo bug with the 11.2.1 update they just released.