Jamf Blog
February 5, 2021 by Matthias Wollnik

Sudo-escalating on macOS

The CVE-2021-3156 Sudo vulnerability represents a security issue that Mac admins should be aware of. Yes, Macs are affected by this.

Sudo application vulnerability worth Mac Admin attention

In recent days, the Linux world has been busy talking about CVE-2021-3156. This vulnerability in the Sudo application, which is used in Unix systems (and therefore many cloud services) to give a user limited and often temporary access to administrative applications, represents a massive security issue: Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

Effectively, this means a user that exploits this vulnerability can execute administrative applications without being authorized by the system to do so — putting any data or services running on the device at risk. However, this vulnerability relied on a part of Sudo called Sudoedit. Sudoedit does not ship on recent macOS versions and the community assumed that Macs were unaffected.

This turned out to not be true. Macs are definitely affected by this, including macOS 11.2 Big Sur and even M1 devices. The exploitation of this vulnerability requires marginally more work as researchers pointed out on Twitter.

Effectively, the malicious user simply has to create a symbolic link to /usr/bin/sudo and call it sudoedit. The rest of the exploitation chain remains the same.

It's easy to identify someone exploiting the Sudo vulnerability on a Mac

Luckily, that makes it easy to identify on Macs! Some simple ways to detect a user attempting to exploit this vulnerability on Macs include:

  • The creation of a symbolic link pointing to sudo with the name “sudoedit” in a non-privileged location such as a user’s home folder with a command such as ln -s /usr/bin/sudo ./sudoedit
  • Any process where the executable name is “sudoedit," and the command line contains the required switches to exploit the vulnerability (“\” as well as either “-i” or “-s”)

Since Sudoedit does not exist on any shipping version of macOS; its presence, use, or creation should be a clear indicator that someone is actively working to exploit this vulnerability.

Of course, Jamf Protect will alert on the exploitation of this CVE on Macs.

Apple has released a patch for this issue and we would encourage everyone to deploy it as soon as possible.

Get Mac endpoint protection with Jamf Protect

Browse Blog
by Category:
Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.