How to resolve the CVE-2021-3156 vulnerability on Big Sur?

Today, a serious vulnerability in sudo was announced, where any user on the system can get sudo access without having to know a password: https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit


As far as I can tell, the version of sudo shipped with MacOS Big Sur (11.1) is vulnerable:

~ sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31


Is there any way to upgrade the sudo version included with MacOS Big Sur, or is there any timeline on when an update to MacOS Big Sur including a patched version of sudo is available? As far as I know, patched versions of sudo that are no longer vulnerable are already available.


Any help would be appreciated! :)

MacBook Pro 15″, macOS 11.1

Posted on Jan 27, 2021 2:12 AM
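As an added check (not from the thread, from Apple or from the sudo project): parse the `sudo --version` output shown in the question and compare the version the binary reports with the first upstream release that carries the fix. The fixed version number is an assumption here, not something the thread states, and anything older than it is reported as affected.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Constructed sample: the `sudo --version` output the question reports for macOS 11.1.
SAMPLE_OUTPUT_BIG_SUR_11_1 = """\
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
"""

# Assumption (not from the thread): first upstream release carrying the fix; confirm against the vendor advisory.
FIXED_UPSTREAM_VERSION = "1.9.5p2"

# sudo versions look like 1.8.31 or 1.9.5p2; the optional "pN" suffix is the patch level.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a sudo version string into a comparable tuple; no patch level means 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version string: {text!r}")
    major, minor, micro, patch = m.groups()
    return int(major), int(minor), int(micro), int(patch or 0)

def sudo_version_from_output(output: str) -> str:
    """Return the binary's own version from `sudo --version` output.
    Only the 'Sudo version ...' line counts; the 'Sudoers ...' plugin lines are skipped."""
    for line in output.splitlines():
        m = re.match(r"^Sudo version (\S+)", line)
        if m:
            return m.group(1)
    raise ValueError("no 'Sudo version' line found in output")

def is_affected(output: str, fixed: str = FIXED_UPSTREAM_VERSION) -> bool:
    """True when the reported version predates the first fixed release."""
    return parse_version(sudo_version_from_output(output)) < parse_version(fixed)

def check_local_sudo() -> Optional[bool]:
    """Run the real binary on this host; None when sudo is not on PATH."""
    if shutil.which("sudo") is None:
        return None
    proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False)
    return is_affected(proc.stdout)

if __name__ == "__main__":
    print("sample from the question affected:", is_affected(SAMPLE_OUTPUT_BIG_SUR_11_1))
    print("this host affected:", check_local_sudo())
```

Where a vendor backports the fix without changing the version string, the comparison alone is not conclusive and the vendor's advisory or update history is the reference.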

Question marked as Top-ranking reply

Posted on Feb 9, 2021 12:03 PM

Today, Apple patched the CVE-2021-3156 Sudo security vulnerability for macOS 11 Big Sur as well as 10.15 Catalina AND 10.14 Mojave via Security Update 2021-002.


Apple patches Sudo bug in macOS Big Sur 11.2.1, supplemental updates for Catalina and Mojave

https://9to5mac.com/2021/02/09/apple-patches-sudo-bug-mac/


6 replies

Jan 27, 2021 5:06 AM in response to jonsema

jonsema wrote:

Hey! Thanks for replying.

I'm not sure about your remarks. I believe this has to do with Mac since MacOS (which runs on all Macs) is shipped with - among other things - a sudo binary. As far as I can tell the version of the sudo binary shipped with MacOS is vulnerable to the linked vulnerability.

The issue is then that, with the vulnerable sudo binary, any program on a Mac can get administrative privileges without user consent or prompt. This is a security vulnerability which has been disclosed, announced and fixed per the link I provided in my post.

My concern is that, as far as I can tell, I can't find a way to update the sudo binary on MacOS to a version that is no longer vulnerable, thus I'm looking for support or documentation on a way to update the sudo binary on MacOS, or some reassurance that an update for MacOS is coming that includes a fixed version of the sudo binary.

I'm not running Ubuntu, Debian or Fedora. I'm running MacOS Big Sur (11.1) which comes with sudo 1.8.31. That version is, per the CVE, vulnerable.

Best regards!



Apple uses its Software Update service (which also drives system software updates that show in the App Store or via the softwareupdate command-line tool) as a mechanism for installing “background and critical” updates that are installed silently in the background with no notifications to the user.


You are not going to find detailed information outside the walled garden of Apple.

Jan 27, 2021 4:59 AM in response to jonsema

jonsema wrote:

Today, a serious vulnerability in sudo was announced, where any user on the system can get sudo access without having to know a password: https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

As far as I can tell, the version of sudo shipped with MacOS Big Sur (11.1) is vulnerable:
~ sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31

Is there any way to upgrade the sudo version included with MacOS Big Sur, or is there any timeline on when an update to MacOS Big Sur including a patched version of sudo is available? As far as I know, patched versions of sudo that are no longer vulnerable are already available.

Any help would be appreciated! :)


What does this have to do with macOS?


Are you having an issue?


Are you running Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2) ?


What is your direct concern / involvement here ?




macOS - Security - Apple https://www.apple.com/macos/security/

Apple Platform Security - Apple https://support.apple.com/guide/security/welcome/web



Jan 27, 2021 5:02 AM in response to leroydouglas

Hey! Thanks for replying.


I'm not sure about your remarks. I believe this has to do with Mac since MacOS (which runs on all Macs) is shipped with - among other things - a sudo binary. As far as I can tell the version of the sudo binary shipped with MacOS is vulnerable to the linked vulnerability.


The issue is then that, with the vulnerable sudo binary, any program on a Mac can get administrative privileges without user consent or prompt. This is a security vulnerability which has been disclosed, announced and fixed per the link I provided in my post.


My concern is that, as far as I can tell, I can't find a way to update the sudo binary on MacOS to a version that is no longer vulnerable, thus I'm looking for support or documentation on a way to update the sudo binary on MacOS, or some reassurance that an update for MacOS is coming that includes a fixed version of the sudo binary.


I'm not running Ubuntu, Debian or Fedora. I'm running MacOS Big Sur (11.1) which comes with sudo 1.8.31. That version is, per the CVE, vulnerable.


Best regards!

Feb 3, 2021 10:36 AM in response to jonsema

As of this date, Apple has not responded to CVE-2021-3156. It is indeed present in current versions of macOS, not just Big Sur v11.x. Here is a current article from BleepingComputer about the situation:


Latest macOS Big Sur also has SUDO root privilege escalation flaw

https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw/
