Fix Critical Sudo Bug CVE-2021-3156 Error in 4 Simple Steps

Written by

Reviewed by

Last updated: July 24, 2024

Expert verified

SVG Image

TL;DR

To fix the critical sudo bug CVE-2021-3156, you can follow these four steps:

  1. Update the sudo package on your system to the latest version that includes the fix for the Sudo Bug CVE-2021-3156 using the sudo apt-get update && sudo apt-get upgrade command.
  2. Verify that the new version of the sudo package is installed by running the sudo -V command in the Terminal app.
  3. Use the sudo visudo -c to verify the sudoers file on your system is properly configured and does not contain any syntax errors or vulnerabilities.
  4. Disable the sudoedit command entirely to minimize the risk of exploitation further.

Check out our article below to learn how to fix the critical sudo bug CVE-2021-3156 and make your system more secure against potential attacks.

Worried about your system’s security? The sudo bug CVE-2021-3156 is a big deal since it lets attackers get root access without permission. But you can easily fix this error. In this post, I’ll show you how to update your system, apply patches, and verify everything. You’ll also learn best practices to keep your Linux system secure in the future. Let’s get started and make sure your system stays safe.

What is CVE-2021-3156?

CVE stands for Common Vulnerabilities and Exposures. It is a system that gives a unique number to each security flaw in software. This number helps everyone quickly identify and talk about these issues.

CVE-2021-3156, also known as the “Baron Samedit” vulnerability, is a security flaw found in the sudo program. Sudo lets users run commands as another user, often the root user, which has full system control. This bug lets attackers gain root access without proper authorization.

Impact of the Sudo Bug

Here are some potential consequences of exploitation:

  • Unauthorized Privilege Escalation: An attacker can gain root access without permission.
  • Data Breaches: Sensitive information can be accessed or stolen.
  • System Compromise: The entire system can be controlled, modified, or disrupted by the attacker.

Identifying Vulnerable Systems

  1. To see if your system’s sudo version is vulnerable, open a terminal and type:
sudo --version

Check the version number in the output. If it falls between 1.8.2 and 1.9.5p1, your system is vulnerable

checking system vulnerability

Updating to a version above 1.9.5p1 will fix the issue and protect your system from this vulnerability.

How to Fix the Sudo Bug CVE-2021-3156

To fix the sudo bug CVE-2021-3156, start by updating your sudo package to the latest version using your package manager. Verify the update by checking the sudo version. If needed, download and apply the patch from the official sudo website. Finally, check the sudoers file for any syntax errors and disable the sudoedit command to reduce risks.

Here’s a step-by-step guide on how to do it:

1. Update the Sudo Package

The first thing you should do is update the sudo package on your system to the latest version that includes the fix for the Sudo Bug CVE-2021-3156. To do so, follow these steps:

  1. Execute the following commands in the Terminal app:
sudo apt-get update && sudo apt-get upgrade
  1. Wait for the apt packages and libraries to update.
apt packages and libraries to update sudo bug
  1. Once you have updated your system, reboot it by running the following command:
sudo reboot

Note: If you’re using a different Linux distribution, the commands may vary. Check your distribution documentation for more information.

2. Verify the Sudo Version

After updating the sudo package, it’s important to verify that the new version is installed and running on your system. To do this, open the Terminal app and run the following command:

sudo -V

Make sure that the version number matches the latest version available from your distribution’s package manager. 

verify that the new version is installed

If the version is correct, then the update was successful, and your system is now protected against the sudo vulnerability. But if it isn’t that version, you should follow these steps to get the latest version, and apply the sudo bug patch:

  1. Visit the sudo official website to download the patch file, for example, sudo-bug-fix.patch.
  2. Once the patch file is downloaded, extract it to a directory.
tar -xf sudo-bug-fix.patch -C /home/user/patches
  1. Change to the directory where the patch was extracted.
cd /home/user/patches
  1. Run the patch command with sudo to apply the patch.
sudo patch < sudo-bug-fix.patch
  1. Verify the patch is applied by running the sudo command with the -l flag.
sudo -l
  1. If the patch was applied successfully, you should not see any error messages, and the output should show that you have permission to run any command with sudo.
permission to run any command with sudo

3. Verify the Sudoers File

Next, you should verify that the sudoers file on your system is properly configured and does not contain any syntax errors or vulnerabilities. Here’s how you can do this:

  1. Launch the Terminal window and run the following command to edit the sudoers file:
sudo visudo
  1. This will open the sudoers file in the default text editor (which is usually Vim).
open sudoers file in vim text editor
  1. Verify that the file contains the correct entries for your system. Any modifications to this file should be done with great care, as incorrect modifications can lead to security issues.
  1. Once you are done editing the file, save it with Ctrl + O and exit the editor with Ctrl + X.
  1. Alternatively, you can run the following command to verify the syntax of the sudoers file:
sudo visudo -c
  1. This command will check the sudoers file for syntax errors and report any issues it finds. If the file is clean, the command will return without any errors.
check sudoers file for syntax errors

4. Disable Sudoedit

To further minimize the risk of exploitation is to disable the sudoedit command entirely. To do this, you can add a line to the sudoers file by following these steps:

  1. Open the sudoers file for editing:
sudo visudo
  1. Scroll to the bottom of the file and add the following line:
Cmnd_Alias SUDOEDIT = /usr/bin/sudoedit Defaults!SUDOEDIT !log_output

It creates a command alias called SUDOEDIT that includes the /usr/bin/sudoedit command and specifies that the log_output option is disabled for the SUDOEDIT command. Additionally, it uses the Defaults keyword to set the option for all users in the sudoers file.

  1. Press Ctrl + O to save and Ctrl + X to exit the file.
add a line to the sudoers file

Note: Modifying the sudoers file requires root access, so you may need to use the su command or sudo before the visudo command. After adding this line to the sudoers file, the sudoedit command will be disabled for all users on the system.

5 Best Practices to Prevent Future Vulnerabilities

Preventing future vulnerabilities is crucial for protecting your Linux system from potential attacks. Here are some best practices for securing your system and reducing the risks of similar vulnerabilities.

  • 🔒 Keep your system up-to-date with the latest security patches: Regularly updating your software and operating system is critical for protecting against known vulnerabilities. Ensure that you keep your system up-to-date to reduce the risk of future vulnerabilities. Use the sudo apt-get update && sudo apt-get upgrade Linux command to update your system.
  • 🛡️ Implement security measures: Security measures like firewalls, intrusion detection systems, and encryption protocols can help prevent attacks, reduce their impacts, and protect your sensitive data in case of a breach. To enable the firewall, use the sudo ufw enable command in the Terminal app.
  • 👨‍🏫 Train yourself on good security practices: Educating yourself on good security practices is essential in preventing future vulnerabilities. You’ll be able to identify suspicious emails and websites, use strong passwords, and limit access to sensitive data. You can also use tools, like lynis, to perform security audits and identify potential vulnerabilities.
  • 🐧 Use a security-focused Linux distribution: Consider using a security-focused Linux distribution specifically designed to protect against known vulnerabilities. Some popular security-focused Linux distributions are Kali Linux, Tails, and Parrot Security. These distributions often have built-in security features and are regularly updated with the latest security patches.
  • 🚨 Have a plan for responding to security incidents: Even with the best security measures in place, incidents can still occur. Having a plan for responding to security incidents can help minimize damage and prevent future vulnerabilities. Ensure that you have a response plan in place and that your team is trained to execute it effectively.

Key Takeaways

To fix the sudo bug CVE-2021-3156, update your sudo package to the latest version and verify the update. If needed, manually apply the patch and check the sudoers file for errors. Disable the sudoedit command to reduce risks. Keep your system updated, use strong security measures, follow good security practices, and have a response plan to prevent future vulnerabilities.

If this was helpful, you might want to read about:

Frequently Asked Questions

How can I check if my system is affected by the sudo bug vulnerability?

to check if your system is affected by the sudo bug vulnerability, you can run the following command in the Terminal:
sudo sudoedit -s /
If your system is vulnerable, you should see an error message that says sudo: /usr/bin/sudoedit must be owned by uid 0 and have the setuid bit set. This means that any user can exploit the vulnerability and run commands with elevated privileges. But if your system is not vulnerable, the command will not return an error message, and you will be able to use sudo normally.

Can the sudo bug be exploited remotely?

The sudo bug can be exploited remotely under certain circumstances. For example, if the affected system is connected to the internet and has not been properly secured, an attacker may exploit the bug to gain privileged access to the system. It is essential to follow best practices for securing your systems, including regularly updating software, implementing strong passwords and access controls, and monitoring unusual activity.

What should I do if I am unable to update sudo using the package manager?

If you are unable to update sudo using the package manager, there are a few steps you can take to resolve the issue:
1. Update the package manager using sudo apt-get update and sudo apt-get upgrade.
2. Make sure you have the correct package name for sudo.
3. Check for any other package holding sudo as a dependency.
4. Try updating sudo using the command line with sudo apt-get install sudo.
5. If all else fails, consider installing sudo from the source code from its official website.

Can I continue to use my system if I am unable to update sudo immediately?

It is not recommended to continue using your system if you are unable to update sudo immediately. The CVE-2021-3156 sudo vulnerability is critical and can lead to a system compromise, making it essential to update sudo as soon as possible. Continuing to use your system without updating sudo can leave your system vulnerable to attacks, potentially leading to data theft, unauthorized access, and other security breaches. So, it is crucial to prioritize updating sudo and implementing other security measures to ensure your system’s safety.

Will updating sudo affect my system’s performance?

Updating sudo is unlikely to have a significant impact on your system’s performance. However, it is always a good idea to monitor your system after any updates to ensure that everything is functioning correctly. Regularly updating your system and its applications is essential for maintaining security and improving overall system performance.

Can I continue using the sudo command after fixing the bug?

Yes, you can continue using the sudo command after fixing the bug. However, it is important to keep your system updated with the latest security patches and to follow best practices for securing your systems to prevent exploitation of the sudo bug and other vulnerabilities. Moreover, it is also important to monitor your system after any updates to ensure that everything is functioning correctly.

Ojash

Author

Ojash is a skilled Linux expert and tech writer with over a decade of experience. He has extensive knowledge of Linux's file system, command-line interface, and software installations. Ojash is also an expert in shell scripting and automation, with experience in Bash, Python, and Perl. He has published numerous articles on Linux in various online publications, making him a valuable resource for both seasoned Linux users and beginners. Ojash is also an active member of the Linux community and participates in Linux forums.

Akshat

Reviewer

Akshat is a software engineer, product designer and the co-founder of Scrutify. He's an experienced Linux professional and the senior editor of this blog. He is also an open-source contributor to many projects on Github and has written several technical guides on Linux. Apart from that, he’s also actively sharing his ideas and tutorials on Medium and Attirer. As the editor of this blog, Akshat brings his wealth of knowledge and experience to provide readers with valuable insights and advice on a wide range of Linux-related topics.

Share this article
Shareable URL
Prev Post

How to Use the help Command in Linux [3 Simple Ways]

Next Post

Best 5 Ways to Fix “ifconfig: command not found” Error on Debian

Leave a Reply

Your email address will not be published. Required fields are marked *

Read next