AIX Open Source


CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

  • 1.  CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Tue January 26, 2021 05:01 PM
    Hi,

    What are the plans to update sudo in the AIX yum repository for this vulnerability?

    According to the info here and the test, the AIX version is vulnerable: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) | Qualys Security Blog

    > rpm -qa|grep sudo
    sudo-1.8.31p1-2.ppc

    And this test indicates vulnerability:
    > sudoedit -s /
    sudoedit: /: not a regular file

    If "usage:" instead of "sudoedit:" is returned, sudo is not vulnerable.

    This vulnerability is relatively serious, as any local non-privileged account can gain root access, even those not in the sudoers config.

    ------------------------------
    Morten Torstensen
    ------------------------------
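An added example, not part of Morten's post or of the Qualys advisory it cites: a Python script that applies both checks this thread relies on, the affected version ranges (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1, as quoted from Qualys later in the thread) and the `sudoedit -s /` behavioural test, and turns them into one verdict per host. Two details are my own: `-n` is added to the probe so it cannot block on a password prompt, and `LC_ALL=C` keeps the error text un-localised. Anything the probe prints other than the two outcomes the advisory defines ("usage:" or "sudoedit: /: not a regular file") is treated as inconclusive, in which case the version range decides. A vendor build that backported the fix without bumping the upstream version would sit inside the range yet print "usage:", which is why the behavioural result takes precedence over the version check.

```python
"""CVE-2021-3156 triage for one host.  Added example, not from the thread,
Qualys or IBM.  Assumptions: the affected ranges are those quoted from the
Qualys advisory; `-n` and LC_ALL=C are my additions to the advisory's test."""
import os
import re
import subprocess
from typing import Optional, Tuple

# (major, minor, patch, p-level): 1.8.31p1 -> (1, 8, 31, 1), 1.9.5 -> (1, 9, 5, 0)
Version = Tuple[int, int, int, int]

# Ranges quoted in the thread from Qualys: 1.8.2 .. 1.8.31p2 and 1.9.0 .. 1.9.5p1.
AFFECTED_RANGES = (((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1)))

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> Optional[Version]:
    """Extract x.y.z[pN] from `sudo --version` output or from an rpm name such
    as 'sudo-1.8.31p1-2.ppc'.  Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)


def is_affected_version(v: Version) -> bool:
    """True when v lies inside one of the published affected ranges.  A vendor
    build that backported the fix without bumping the upstream version still
    returns True here; the behavioural probe is what catches that case."""
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def classify_sudoedit_output(output: str) -> str:
    """Apply the advisory's rule to what `sudoedit -s /` printed: 'usage:' means
    -s with sudoedit is rejected (patched); 'sudoedit: /: not a regular file'
    means argument parsing got past that check (vulnerable).  Anything else,
    e.g. the -n refusal 'sudoedit: a password is required', proves nothing."""
    first = output.strip().splitlines()[0].strip() if output.strip() else ""
    if first.startswith("usage:"):
        return "patched"
    if first.startswith("sudoedit:") and "not a regular file" in first:
        return "vulnerable"
    return "inconclusive"


def verdict(version: Optional[Version], behaviour: str) -> str:
    """Behaviour wins when conclusive; otherwise fall back to the version range."""
    if behaviour in ("patched", "vulnerable"):
        return behaviour
    if version is not None and is_affected_version(version):
        return "likely-vulnerable"
    return "likely-not-affected"


def run_checks() -> str:
    """Run both checks on the local host as an unprivileged user and report."""
    env = {**os.environ, "LC_ALL": "C"}          # my addition: un-localised messages
    version, behaviour = None, "inconclusive"
    try:
        ver = subprocess.run(["sudo", "--version"], capture_output=True, text=True, env=env)
        version = parse_sudo_version(ver.stdout)
        # -n is my addition: never prompt, so the probe cannot hang on a tty.
        probe = subprocess.run(["sudoedit", "-n", "-s", "/"], capture_output=True,
                               text=True, env=env, stdin=subprocess.DEVNULL, timeout=20)
        behaviour = classify_sudoedit_output(probe.stderr + probe.stdout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        pass
    result = verdict(version, behaviour)
    print(f"sudo version: {version}  sudoedit probe: {behaviour}  verdict: {result}")
    return result


if __name__ == "__main__":
    raise SystemExit(0 if run_checks() in ("patched", "likely-not-affected") else 1)
```

Run it as an ordinary (non-root) user on each host; the exit status is 0 only when the host is patched or outside the documented range, so it can be driven from an inventory loop. Where the probe is inconclusive the script falls back to the version range, which is the situation the later posts about 1.8.8, 1.8.14p3 and 1.8.15 describe.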


  • 2.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 04:16 AM
    We need the version 1.9.5p2 and for our clients in "noldap" version...
    THX

    ------------------------------
    MARTIN CERNICKY
    ------------------------------



  • 3.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 09:44 AM
    I think when you say noldap you mean the ids version of sudo.
    Yes, we are going to provide both sudo and sudo_ids for 1.9.5p2.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 4.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 10:21 AM
    That's great!! Do you have any timelines to release the new package?

    ------------------------------
    Ramesh N
    ------------------------------



  • 5.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Tue February 09, 2021 03:46 AM
    Hi,

    Regarding the vulnerability affecting Sudo, we are using these impacted versions:

    1.7.2p6-1
    1.8.15-1noldap

    These versions of Sudo are in different OSes:
    AIX 7.2.0.0,
    Red Hat ES 7.6,
    SUSE ES 12,

    Could you help with how to patch or upgrade these versions of Sudo?
    Thanks,
    Regards,

    ------------------------------
    Me Unix
    ------------------------------



  • 6.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Tue February 09, 2021 10:10 AM
    You can upgrade sudo for AIX from the AIX toolbox.
    I am not sure where you installed the previous version of sudo on AIX from, and in what format it is.
    If it is an rpm, then you should be able to update from the AIX toolbox.
    There is a noldap version of sudo 1.9.5p2 also available. There will be other dependencies that need to be installed.
    sudo_noldap-1.9.5p2-1.aix6.1.ppc.rpm

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 7.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 09:40 AM
    And maybe provide any workaround that can be made to prevent exploitation, such as Red Hat's systemtap script, in the meantime.

    ------------------------------
    Carlos García B.
    ------------------------------



  • 8.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 10:36 AM
    The POC page at https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit says they had to use sudoedit. Would renaming or chmod 000 sudoedit safeguard the system against the vulnerability until the new version can be deployed?

    ------------------------------
    Russell Adams
    ------------------------------



  • 9.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 04:38 PM
    No, because sudoedit is a symlink to sudo. Anyone can create a symlink to sudo named sudoedit and exploit this vulnerability.

    ------------------------------
    Dennis Mathews
    ------------------------------



  • 10.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 07:43 PM
    Yes, it's unfortunate that it's a symlink. Perhaps it's time to re-evaluate SSH across users on the same host instead of using sudo.

    ------------------------------
    Russell Adams
    ------------------------------



  • 11.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Thu January 28, 2021 08:58 AM
    It appears that the sudo site publishes up to date sudo binaries for AIX: https://www.sudo.ws/download.html#binary

    You can download 1.9.5p3 there, which should have the fix because the vulnerability was in 1.9.0 through 1.9.5p1.

    Feedback on IRC says it installs successfully. Credit to the original poster there for the link.

    ------------------------------
    Russell Adams
    ------------------------------



  • 12.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 04:31 PM
    System tracing functionality similar to systemtap is available with probevue, so theoretically a workaround may be possible.

    ------------------------------
    Dennis Mathews
    ------------------------------



  • 13.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 04:34 PM
    Dynamic tracing similar to Systemtap is available via Probevue, so technically a temporary workaround may be possible with a vue script.

    ------------------------------
    Dennis Mathews
    ------------------------------



  • 14.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 09:40 AM
    Hi,

    Let us know if anyone has a solution for this to make the system secure from this vulnerability.

    Are there any security fixes to apply for the lower version?

    Do we need to upgrade the sudo version to 1.9.5?

    -Kafil

    ------------------------------
    Mohammed Kafiluzaman P
    ------------------------------



  • 15.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 09:41 AM
    Hi Morten,

    Thanks for bringing this issue into discussion.
    Yes, we are going to publish a fixed version of sudo in the yum repo.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 16.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 10:14 AM
    Hi,

    I suppose for sudo_ids also?

    Emiel

    ------------------------------
    Emiel van ter Beek
    ------------------------------



  • 17.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 10:15 AM
    Yes

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 18.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed January 27, 2021 04:20 PM
    Thanks!

    Do you have an estimated date? Days, weeks, months? Just to indicate something for our planning.

    ------------------------------
    Morten Torstensen
    TietoEVRY
    ------------------------------



  • 19.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Thu January 28, 2021 08:16 AM
    We are actively working. Hopefully by next week we will be able to publish the fixed version of sudo.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 20.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri January 29, 2021 06:28 AM
    Hi,
    if the command "sudoedit -s /" answers by asking for a password (sudo 1.8.8 and 1.8.15), do you think those versions are still affected by the vulnerability?
    Thanks

    ------------------------------
    attilio poleggi
    ------------------------------



  • 21.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Mon February 01, 2021 03:27 AM
    Our sudo version on AIX is sudo-1.6.9p23-2noldap
    We don't have sudoedit command in our system,
    so we've tried to test if our system is vulnerable by using the following command: sudo -e '\' `perl -e 'print "A" x 6'`
    the returning message is "Sorry, user (username) is not allowed to execute 'sudoedit \ AAAAAA' as root on (hostname)."

    Does this mean our system is not vulnerable to this CVE??
    Thanks.

    ------------------------------
    Jonah Wu
    ------------------------------




  • 22.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Mon February 01, 2021 04:27 AM

    https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

    "It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration."



    ------------------------------
    Ayappan P
    ------------------------------



  • 23.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    IBM Champion
    Posted Thu January 28, 2021 07:49 AM
    Quick and dirty "help yourself" guide. Req'd time - 15-30 min.

    1. Download and install the source code of the latest sudo package:

    # wget http://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/SRPMS/sudo/sudo-1.8.31p1-2.src.rpm
    # rpm -ivh sudo-1.8.31p1-2.src.rpm

    2. Download the latest sudo tarball and AIX patch to it:

    # cd /opt/freeware/src/packages/SOURCES
    # wget https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz
    # wget https://dl.power-devops.com/sudo-1.9.5p2-exppasswd2-aix.patch

    3. Amend the spec-file for sudo

    # cd /opt/freeware/src/packages/SPECS
    # mv sudo-1.8.31p1-2.spec sudo.spec
    # vi sudo.spec

    Line 9:

    Version: 1.9.5p2

    Line 10:

    Release: 1

    Line 272. Add changelog entry something like:

    * Thu Jan 28 2021 andrey.klyachkin <andrey.klyachkin@enfence.com> - 1.9.5p2
    - bump

    4. Compile it:

    # rpmbuild -ba sudo.spec

    If it says something like:

    error: Failed build dependencies:
    openldap-devel >= 2.4.48-1 is needed by sudo-1.9.5p2-1.ppc

    Install the missing dependencies, e.g.:

    # yum -y install openldap-devel

    5. The result is in /opt/freeware/src/packages/RPMS/ppc:

    -rw-r--r-- 1 root system 5419802 Jan 28 01:41PM sudo-1.9.5p2-1.aix7.2.ppc.rpm

    I hope it can help waiting till IBM releases the package :-)

    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 24.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Thu January 28, 2021 08:16 AM
    Thank you Andrey !!! 

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 25.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Thu January 28, 2021 12:13 PM

    Sudo 1.9.5p2 is now available in AIX Toolbox.

    sudo --> https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo-1.9.5p2-1.aix6.1.ppc.rpm

    sudo_ids  --> https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm



    ------------------------------
    Ayappan P
    ------------------------------



  • 26.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Thu January 28, 2021 03:01 PM
    Tested. Works great! Thank you!!

    ------------------------------
    Dennis Mathews
    ------------------------------



  • 27.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Thu January 28, 2021 05:16 PM
    This is great news! Thanks for the hard work!  

    Do you know why this is not yet showing up in yum update?

    ------------------------------
    Michael Spurlock
    ------------------------------



  • 28.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Thu January 28, 2021 05:16 PM
    Never mind. I just needed to run 'yum clean all' first.  Available as expected.

    ------------------------------
    Michael Spurlock
    ------------------------------



  • 29.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri January 29, 2021 04:01 AM
    We have a few older systems as well.

    So, I just want to know if it is compatible with AIX 5.3 and 6.1.

    ------------------------------
    Mohammed Kafiluzaman P
    ------------------------------



  • 30.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri January 29, 2021 04:16 AM
    The packages are built for AIX 6.1 so they will work for AIX 6.1, 7.1 and 7.2
    These packages are not compatible with AIX 5.3.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 31.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Mon February 01, 2021 07:30 AM
    Hi,
    we are using the new sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm package and it works fine for AIX 7.1 and AIX 7.2.
    But for AIX 6.1 it doesn't work; it just says: Sorry, user xxxxxxxx may not run sudo on ?serverxy.
    Turning on debugging shows zero output like there is no communication to the LDAP server at all.
    Does anybody have the same issue?

    Ralph

    ------------------------------
    Ralph Meier
    ------------------------------



  • 32.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri February 05, 2021 09:19 AM
    Is your ldap on AIX 6.1 working correctly? It could be a problem with ldap and not with sudo.
    Before updating to sudo_ids 1.9.5, was there a previous version of sudo_ids installed, and was it working correctly?

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 33.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed February 03, 2021 01:36 AM
    Edited by Mohammed Kafiluzaman P Wed February 03, 2021 01:41 AM
    Hello,

    Does anyone have a solution for AIX 5.3 servers?

    All the legacy servers in my account are running with the vulnerable SUDO version 1.8.14p3.

    And when I run sudoedit -s / from a normal user, it is asking for a password.

    Does it mean it is not vulnerable?

    ------------------------------
    Mohammed Kafiluzaman P
    ------------------------------



  • 34.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Wed February 03, 2021 10:15 PM
    Hello Patrick Hügli,

    Thank you for feedback.

    Based on the post that Sudo 1.9.5p2 is now available in AIX Toolbox, there are 2 packages.
    1. sudo --> https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo-1.9.5p2-1.aix6.1.ppc.rpm
    Package file name: sudo-1.9.5p2-1.aix6.1.ppc.rpm

    2. sudo_ids --> https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm
    Package file name: sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm

    And then I ran the rpm command to verify the RPM dependencies without having to install it.
    # rpm -qpR ./sudo-1.9.5p2-1.aix6.1.ppc.rpm
    /bin/sh
    config(sudo) = 1.9.5p2-1
    gettext >= 0.19.8.1
    libc.a(shr.o)
    libc.a(shr_64.o)
    libintl.a(libintl.so.8)
    liblber.a(liblber-2.4.so.2)
    libldap.a(libldap-2.4.so.2)
    libpam.a(shr.o)
    libpam.a(shr_64.o)
    libpthread.a(shr_xpg5.o)
    libpthread.a(shr_xpg5_64.o)
    librtl.a(shr.o)
    libs.a(shr.o)
    libs.a(shr_64.o)
    libsudo_util.so
    libz.a(libz.so.1)
    openldap >= 2.4.48-1
    rpmlib(CompressedFileNames) <= 3.0.4-1
    rpmlib(PayloadFilesHavePrefix) <= 4.0-1
    zlib >= 1.2.11-1

    # rpm -qpR ./sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm
    /bin/sh
    /bin/sh
    config(sudo_ids) = 1.9.5p2-1
    gettext >= 0.19.8.1
    libc.a(shr.o)
    libc.a(shr_64.o)
    libibmldap.a
    libintl.a(libintl.so.8)
    libpam.a(shr.o)
    libpam.a(shr_64.o)
    libpthread.a(shr_xpg5.o)
    libpthread.a(shr_xpg5_64.o)
    librtl.a(shr.o)
    libs.a(shr.o)
    libs.a(shr_64.o)
    libsudo_util.so
    libz.a(libz.so.1)
    rpmlib(CompressedFileNames) <= 3.0.4-1
    rpmlib(PayloadFilesHavePrefix) <= 4.0-1
    zlib >= 1.2.11
    #


    Could you please help me answer, or provide details on, the following, which our customer requires for each option below: the method and the additional packages/software required to install sudo 1.9.5p2 on AIX 7.x.

    Option 1: There are many AIX 7.x systems which are running with ldap.
    I mean, the EOS of LDAP was installed in /opt/IBM/ldap/V6.2 and requires LIBPATH to be set.
       My idea for those AIX systems is to do the following:
          1.1 Install sudo 1.9.5p2 (sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm)
          1.2 Upgrade the EOS to the latest version of the SDS/TDS LDAP client, by reference to the URL you provided.
    https://www.ibm.com/support/pages/how-use-latest-version-sdstds-ldap-client-libraries-secldapclntd-aix
          1.3 Set the LIBPATH to /opt/IBM/ldap/V6.X/lib64:/opt/IBM/ldap/V6.X/lib

    Am I understanding correctly? Please let me know if I am mistaken.


    Option 2: There are many AIX 7.x systems which are running without ldap.
    I mean, the EOS /opt/IBM/ldap/V6.2 is not installed and the LIBPATH env does not need to be set.
    How do I install sudo 1.9.5p2 on these servers without installing the latest version of the SDS/TDS LDAP client and without needing to set the LIBPATH env?


    Or do both of the Sudo 1.9.5p2 packages now available in AIX Toolbox require the SDS/TDS LDAP client and need the LIBPATH env set?

    Best regards,
    Charin Kumjudpai.

    ------------------------------
    CHARIN KUMJUDPAI
    ------------------------------



  • 35.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Thu February 04, 2021 12:38 AM
    As discussed earlier, sudo-1.9.5p2 depends on the openldap library and sudo_ids-1.9.5p2 depends on the IBM ldap library.

    sudo_ids is built in such a way that it can work with any IBM ldap version (6.2, 6.3, 6.4, etc.). All you have to do is run "/opt/IBM/ldap/V${version}/bin/idslink -g -f" to create symbolic links for the libraries in /usr/lib.

    For sudo, you need to make sure the openldap rpm is installed.

    There is no need to set LIBPATH for any Toolbox packages. Setting it adversely affects the packages.
    If any third-party application requires it, then one has to set it in such a way that it affects only that application.
    Simply exporting LIBPATH (thus making it system-wide) is a very bad idea.

    ------------------------------
    Ayappan P
    ------------------------------



  • 36.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Thu February 04, 2021 08:06 PM
    Depending on ldap is a problem. Most of our systems use the Oracle ldap module.
    Any chance there could be a sudo 1.9.5p2 version which does not depend on ldap at all?

    ------------------------------
    State_of_Nevada Unix_Group
    ------------------------------



  • 37.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri February 05, 2021 05:16 AM
    Hello Community,

    Me again. CVE-2021-3156 is a high severity vulnerability and our customer is in the banking industry.
    They have much concern about the vulnerability on AIX/VIOS servers, and their Security team would like to make sure the new sudo-1.9.5p2 in AIX Toolbox is able to fix it.

    First of all, we understand that sudo is an open source product and out of IBM support scope, but when IBM local/IBM BP or the customer try to fix/install it and get errors/issues/required rpm package dependencies, we can't request assistance from IBM (OS) support but should find details in the community channel only.

    For an alternative way to support the case (welcome any other ideas):
    1. Is it possible to contact/escalate the issue to the AIX/VIOS development team to create/generate the sudo packages for installation on AIX/VIOS instead of using the rpm command, which requires more dependent rpm packages and is also not easy to install?

    2. Could anyone please help or let me know when, or the estimated time, AIX/VIOS could be able to provide or release the efix/apar/emgr fix for this CVE case?
     
    Best regards,
    Charin Kumjudpai.

    ------------------------------
    CHARIN KUMJUDPAI
    ------------------------------



  • 38.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri February 05, 2021 06:05 AM
    Hello all,

    I created my own sudo installp (.bff) package, without (open)ldap, pam, gettext, rpm. It has already been deployed and no problems occurred. I don't want any legal trouble, so I'm not sure if I am allowed to make it publicly available.

    best regards

    ------------------------------
    Plamen Tanovski
    ------------------------------



  • 39.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri February 05, 2021 06:06 AM
    We are planning to provide sudo without ldap capability named "sudo_noldap" in AIX Toolbox ASAP. 
    sudo community itself provides sudo binaries for AIX in rpm as well bff format --> https://www.sudo.ws/download.html

    ------------------------------
    Ayappan P
    ------------------------------



  • 40.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Sun February 07, 2021 05:59 AM
    Hi Ayappan, is there an estimate on when we can get the noldap version in toolbox? Any information would be useful. Thanks.

    ------------------------------
    Dhileeban Sridharan
    ------------------------------



  • 41.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Mon February 08, 2021 07:33 PM
    As per the latest CVE-2021-3156, we are trying to upgrade the sudo version to sudo-1.9.5p2-1.aix6.1.ppc.rpm on AIX 6.1. We are getting many dependencies which were not there with the previous version. Please let us know the exact rpms or libraries required for this version.
    >rpm -Uvh sudo-1.9.5p2-1.aix6.1.ppc.rpm
    error: failed dependencies: gettext >= 0.19.8.1 is needed by sudo-1.9.5p2-1
    libintl.a(libintl.so.8) is needed by sudo-1.9.5p2-1
    liblber.a(liblber-2.4.so.2) is needed by sudo-1.9.5p2-1
    libldap.a(libldap-2.4.so.2) is needed by sudo-1.9.5p2-1
    openldap >= 2.4.48-1 is needed by sudo-1.9.5p2-1

    rpm -Uvh openldap-2.4.48-1.aix6.1.ppc.rpm
    error: failed dependencies: libcrypto.a(libcrypto.so.1.0.2) is needed by openldap-2.4.48-1
    libssl.a(libssl.so.1.0.2) is needed by openldap-2.4.48-1

    Thanks

    ------------------------------
    Mass Mutual
    ------------------------------



  • 42.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    IBM Champion
    Posted Fri February 05, 2021 06:18 AM
    It might not be the answer you want to read here, but if you want commercial support for sudo, you can buy it from the company where Todd Miller (developer of sudo) works - OneIdentity. I don't exactly remember the name of the product, but something like "Privilege Manager for UNIX".

    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 43.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri February 05, 2021 09:27 AM
    Excellent point. IBM clearly states that all RPMs of OSS they provide in the toolbox are unsupported. This is a great example of why you shouldn't depend on unsupported tools. IBM is being very helpful trying to release updates in a timely manner when they are not obligated to. If it's that important please buy it from the vendor that does offer support and wrote the software.

    In a past job we paid the authors of LPRng for a support contract in a print heavy medical environment using AIX and Linux. It functioned great, we got our money's worth, and supported their development efforts.

    If you don't want to purchase support, perhaps you should consider replacing sudo with SSH and localhost bound keys. SSH is supported with AIX.

    ------------------------------
    Russell Adams
    ------------------------------



  • 44.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri February 05, 2021 09:27 AM
    As we have seen many requests for noldap support on sudo,
    we are looking at the possibility of providing a sudo package with noldap support also.
    But it will only be discounting the ldap dependency; other dependencies (e.g. gettext) will still be there.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 45.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri February 05, 2021 06:19 PM
    Thank you, very much looking forward to it. Managed to resolve most of the deps, stuck with the ldap one; sudo with noldap would be of so much help.

    ------------------------------
    Dhileeban Sridharan
    ------------------------------



  • 46.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Mon February 08, 2021 08:35 AM
    Depending on LDAP is a problem for us as well. We do not use ldap for any purpose. I personally don't see the need to install and maintain software that is never going to be used.

    ------------------------------
    Bruce Landrum
    ------------------------------



  • 47.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Mon February 08, 2021 10:46 AM
    Hey Bruce! Hope you're well!

    I don't like installing LDAP when it isn't needed either.

    Does anyone know if the RPMs from the main sudo site have the LDAP dependency?

    ------------------------------
    Russell Adams
    ------------------------------



  • 48.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Mon February 08, 2021 10:58 AM

    Like most open source software, it has a flag during configuration for enabling ldap before compilation.

     

    ------------------------------
    Bruce Landrum
    UNIX/TSM/Storage System Administrator
    STPNOC | belandrum@stpegs.com
    Phone (361) 972-8309
    PO Box 289 | Wadsworth, TX 77483
    ------------------------------






  • 49.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Tue February 09, 2021 08:55 AM
    For future reference, the AIX RPMs from the official sudo site have minimal dependencies and do not require LDAP.

    https://www.sudo.ws/download.html#binary

    % rpm -qpR ./sudo-1.9.5-3.aix72.rpm
    /bin/sh
    /bin/sh
    /bin/sh
    config(sudo) = 1.9.5-3
    libc.a(shr.o)
    libpam.a(shr.o)
    libperfstat.a(shr.o)
    libpthread.a(shr_xpg5.o)
    librtl.a(shr.o)
    libs.a(shr.o)
    libsudo_util.so
    libsudo_z.so
    rpmlib(CompressedFileNames) <= 3.0.4-1
    rpmlib(PayloadFilesHavePrefix) <= 4.0-1


    ------------------------------
    Russell Adams
    ------------------------------



  • 50.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri February 05, 2021 09:21 AM
    It is a surprise that AIX 5.3 is still in use. For AIX 5.3 you may want to build your custom sudo manually on an AIX 5.3 server.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 51.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri February 05, 2021 09:23 AM
    AIX 5.3 has been out of service for a long time. For AIX 5.3 you may have to build sudo manually from source code on an AIX 5.3 system.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 52.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Tue February 09, 2021 01:12 AM
    Hi Sanket,

    What about AIX servers running AIX 5.2 and AIX 5.3 as a WPAR?
    Please share how to build sudo manually from source code on AIX 5.3 and 5.2 systems.

    Thank you.


    ------------------------------
    NOR ARLINA ABDUL RAHMAN
    ------------------------------



  • 53.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Tue February 09, 2021 09:12 AM
    Hi Nor,
    Hope you have found the information in this thread itself.
    People have posted information on how you can build sudo with xlc.

    CC=xlc ./configure --disable-sasl --disable-openssl --disable-nls --disable-log-server --without-ldap --without-pam --with-aixauth --prefix=/usr --with-logging=syslog


    ------------------------------
    SANKET RATHI
    ------------------------------



  • 54.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri January 29, 2021 04:03 AM
    Hi,

    thanks for the quick work!

    However, our client has a problem with the package dependencies:
    sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm - this package requires IBM LDAP to be installed
    sudo-1.9.5p2-1.aix6.1.ppc.rpm - this package requires the openldap package to be installed, which leads to many other package installations...

    So we need the "noldap" package, as sudo-1.8.15-1noldap.ppc!

    The AIX packages on https://www.sudo.ws/download.html are not these requirements...
    Thank you very much!

    ------------------------------
    MARTIN CERNICKY
    ------------------------------



  • 55.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri January 29, 2021 04:21 AM
    For a long time we have been providing sudo with ldap support. As the CVEs were reported against AIX toolbox sudo, we have fixed and published it.
    We are not planning sudo with noldap as of now. Our recommendation is to use yum to resolve dependencies.
    From where did your client get the sudo version they are currently running ?

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 56.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri January 29, 2021 04:28 AM
    The client uses sudo-1.8.15-1noldap.ppc from AIX Linux Toolbox now.

    And, for security reasons, he wants to minimize the number of RPM/OpenSource packages... More packages -> more potential holes and vulnerabilities...


    ------------------------------
    MARTIN CERNICKY
    ------------------------------



  • 57.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri January 29, 2021 06:35 AM
    I compiled sudo with
    CC=xlc ./configure --disable-sasl   --disable-openssl --disable-nls  --disable-log-server --without-ldap --without-pam --with-aixauth --prefix=/usr  --with-logging=syslog
    # ldd /usr/bin/sudo 
    /usr/bin/sudo needs:
             /usr/libexec/sudo/libsudo_util.so
             /usr/lib/libpthread.a(shr_xpg5.o)
             /usr/lib/libc.a(shr.o)
             /usr/lib/librtl.a(shr.o)
             /unix
             /usr/lib/libpthreads.a(shr_comm.o)
             /usr/lib/libcrypt.a(shr.o)
    $ sudoedit -s '\' $(perl -e 'print "A" x 65536')
    usage: sudoedit [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T
                    timeout] [-u user] file ...
    $ sudo --version                                      
    Sudo version 1.9.5p2
    Sudoers policy plugin version 1.9.5p2
    Sudoers file grammar version 48
    Sudoers I/O plugin version 1.9.5p2
    Sudoers audit plugin version 1.9.5p2


    ------------------------------
    Plamen Tanovski
    ------------------------------



  • 58.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri January 29, 2021 08:12 AM
    Hi Ayappan,
    I am getting this error when I try to update sudo in my environment
    We are currently at 1.8.15.

    # rpm -Uvh sudo-1.9.5p2-1.aix6.1.ppc.rpm
    Preparing... ################################# [100%]
    package sudo-2008050201:1.8.15-1noldap.ppc (which is newer than sudo-1.9.5p2-1.ppc) is already installed

    Can you please help here?

    ------------------------------
    Hemanth Kumar
    ------------------------------



  • 59.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri January 29, 2021 08:14 AM
    Use "--force" option.

    rpm -Uvh --force sudo-1.9.5p2-1.aix6.1.ppc.rpm

    ------------------------------
    Ayappan P
    ------------------------------



  • 60.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Mon February 01, 2021 08:27 AM
    Thanks. That works

    ------------------------------
    Hemanth Kumar
    ------------------------------



  • 61.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Sat January 30, 2021 05:28 AM
    I need to upgrade from 1.8.14p3 to the latest level.

    What would be the best practice for upgrade?

    And do we need to apply both sudo and sudo_ids?


    ------------------------------
    Mohammed Kafiluzaman P
    ------------------------------



  • 62.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri February 05, 2021 09:33 AM
    The best practice to install any package from the AIX Toolbox is by using yum.
    sudo and sudo_ids cannot both be installed together. 
    The sudo_ids package is the sudo package that works with IBM Directory Server, and sudo works with openldap. 
    So you can choose one based on your need and the LDAP server you use. 
    If you do not have yum configured and cannot configure it, then you will have to manually resolve all the dependencies and install all the dependent packages.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 63.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Mon February 01, 2021 03:03 AM
    A customer asked me whether the sudo version 1.7.2p6 (sudo-1.7.2p6-1.ppc) on AIX 7200-04-02-2016 is affected by this CVE-2021-3156.

    I read from link below. It seems to not be affected.
    --------------------------------------------------------------------
    https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

    - The following versions of sudo are vulnerable:
      All legacy versions from 1.8.2 to 1.8.31p2
      All stable versions from 1.9.0 to 1.9.5p1
    --------------------------------------------------------------------
    Please advise. Thanks for your help.

    ------------------------------
    Premvadee KUSOLLERKDEE
    ------------------------------



  • 64.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Thu January 28, 2021 05:16 PM
    What is the patch for? I was able to compile sudo-1.9.5p2 under AIX 7.1 with the following config:
    CC=xlc ./configure --disable-openssl --disable-nls --disable-log-server --disable-log-client

    best regards,
    Plamen

    ------------------------------
    Plamen Tanovski
    ------------------------------



  • 65.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Mon February 01, 2021 11:41 PM

    Hello  AIX open source community,

    I had a customer case related to this CVE number.

    ENV: Current AIX, rpm and sudo version.
         AIX : 7200-01-06-1914
         rpm : 4.13.0.1
        Sudo : 1.8.22

    Additional information:
    [AIX72test:root]/image/sudo# rpm -qa | grep AIX-rpm
    AIX-rpm-7.2.3.15-13.ppc

    [AIX72test:root]/image/sudo# rpm -q AIX-rpm --provides | grep -i ldap
    idsldap_plugin_ibm_gsskrb.a
    idsldap_plugin_sasl_digest-md5.a
    libibmldap.a
    libibmldapdbg.a
    libibmldapn.a
    libidsldap.a
    libidsldapiconv.a
    libsecldapaudit.a(shr.o)
    libsecldapaudit64.a(shr.o)
    nis_ldap.so
    nis_ldap_64.so
    rpcldap.so
    rpcldap_64.so
    [AIX72test:root]/image/sudo#

    Tried to install and got errors.
    1. Downloaded sudo 1.9.5p2, which is now available in the AIX Toolbox.
    sudo --> https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo-1.9.5p2-1.aix6.1.ppc.rpm

    2. Installing with smitty gives errors.
    Command: failed stdout: yes stderr: no

    Before command completion, additional instructions may appear below.

    geninstall -I "agpQqwX -J" -Z -p -d . -f File 2>&1

    File:
    sudo-1.9.5p2-1



    Validating RPM package selections ...


    +-----------------------------------------------------------------------------+
    RPM Error Summary:
    +-----------------------------------------------------------------------------+
    The following errors occurred during installation:
    error: Failed dependencies:
    liblber.a(liblber-2.4.so.2) is needed by sudo-1.9.5p2-1.ppc
    libldap.a(libldap-2.4.so.2) is needed by sudo-1.9.5p2-1.ppc
    openldap >= 2.4.48-1 is needed by sudo-1.9.5p2-1.ppc

    Could you please help or share the step-by-step procedure to install the sudo-1.9.5p2-1.aix6.1.ppc.rpm package in AIX 7.2?

    Best regards,
    Charin Kumjudpai.






    ------------------------------
    CHARIN KUMJUDPAI
    ------------------------------



  • 66.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Mon February 01, 2021 11:47 PM
    sudo depends on openldap and sudo_ids depends on IBM LDAP.
    Since you have IBM LDAP installed, I recommend you install sudo_ids instead of sudo.
    It's the same sudo but linked with IBM LDAP instead of openldap.

    https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm

    ------------------------------
    Ayappan P
    ------------------------------



  • 67.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Tue February 02, 2021 02:26 AM
    Edited by CHARIN KUMJUDPAI Tue February 02, 2021 02:27 AM
    Hello Ayappan P,

    I already followed the suggested steps and the installation of sudo_ids was successful, but I am not sure how to verify that this issue is fixed and AIX is no longer affected.
    Could anyone help me verify it?

    1. Download sudo 1.9.5p2, which is now available in the AIX Toolbox.
        sudo_ids --> https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm
       Package file name: sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm

    2. Use the rpm command to install.
       # rpm -Uvh sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm
       # sudo --version
       # sudoedit -s '\' `perl -e 'print "A" x 65536'`
       # ldd /usr/bin/sudo

    Herewith detail installation.
    [AIX72test:root]/image/sudo# echo ${LIBPATH}
    /opt/IBM/ldap/V6.2/lib64:/opt/IBM/ldap/V6.2/lib:/opt/freeware/lib:

    [AIX72test:root]/image/sudo# sudo --version
    Sudo version 1.9.5p2
    Configure options: --prefix=/opt/freeware --sbindir=/opt/freeware/sbin --mandir=/opt/freeware/man --libexecdir=/opt/freeware/libexec --docdir=/opt/freeware/share/doc/sudo_ids-1.9.5p2 --libdir=/opt/freeware/lib --with-logging=syslog --with-aixauth --with-logfac=auth --with-pam --with-pam-login --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf
    Sudoers policy plugin version 1.9.5p2
    Sudoers file grammar version 48
    ... << omitted >>...

    Sudoers I/O plugin version 1.9.5p2
    Sudoers audit plugin version 1.9.5p2

    [AIX72test:root]/image/sudo# sudoedit -s '\' `perl -e 'print "A" x 65536'`
    usage: sudoedit [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...

    [AIX72test:root]/image/sudo# ldd /usr/bin/sudo
    /usr/bin/sudo needs:
    /opt/freeware/libexec/sudo/libsudo_util.so
    /opt/IBM/ldap/V6.2/lib64/libibmldap.a
    dump: /opt/IBM/ldap/V6.2/lib64/libibmldap.a: 0654-108 file is not valid in the current object file mode.
    Use the -X option to specify the desired object mode.
    /opt/freeware/lib/libintl.a(libintl.so.8)
    /usr/lib/libpthread.a(shr_xpg5.o)
    /usr/lib/libc.a(shr.o)
    /usr/lib/librtl.a(shr.o)
    /usr/lib/libpthreads.a(shr_xpg5.o)
    /unix
    /usr/lib/libpthreads.a(shr_comm.o)
    /usr/lib/libcrypt.a(shr.o)
    [AIX72test:root]/image/sudo#

    Thanks,
    Charin Kumjudpai.


    ------------------------------
    CHARIN KUMJUDPAI
    ------------------------------
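    A small check that combines the affected version ranges quoted in post 63 with the sudoedit probe shown in posts 57 and 67, as an added example (not from the thread or from IBM): it classifies a sudo version string against the two affected ranges and maps the probe's first output line to a verdict, using the usage/error distinction the posters rely on. Function names are my own; the live check assumes `sudo --version` prints a "Sudo version X" line and that perl is available, as in the outputs above.

```shell
#!/bin/sh
# Added example (not from the thread or IBM): classify a sudo version string
# against the affected ranges quoted in post 63 (1.8.2..1.8.31p2 and
# 1.9.0..1.9.5p1) and interpret the sudoedit probe output from posts 57/67.

# Map "1.8.31p2" or "1.8.15-1noldap" to one sortable integer:
# 1 MMM mmm ppp PPP (major, minor, patch, p-level); the leading "1" avoids a
# leading zero. Plain variables are used because POSIX sh has no "local".
sudo_version_key() {
    v=${1%%-*}                          # drop an RPM release suffix like "-1noldap"
    base=${v%%p*}                       # "1.8.31"
    plevel=0
    case "$v" in *p*) plevel=${v##*p} ;; esac
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    printf '1%03d%03d%03d%03d\n' "$1" "${2:-0}" "${3:-0}" "$plevel"
}

# True (0) when the version falls in 1.8.2..1.8.31p2 or 1.9.0..1.9.5p1.
sudo_version_vulnerable() {
    k=$(sudo_version_key "$1")
    if [ "$k" -ge "$(sudo_version_key 1.8.2)" ] &&
       [ "$k" -le "$(sudo_version_key 1.8.31p2)" ]; then return 0; fi
    if [ "$k" -ge "$(sudo_version_key 1.9.0)" ] &&
       [ "$k" -le "$(sudo_version_key 1.9.5p1)" ]; then return 0; fi
    return 1
}

# Verdict from the first output line of the probe: a usage message means the
# argument was rejected (fixed build); a "sudoedit:" error means it was accepted.
classify_sudoedit_output() {
    case "$1" in
        usage:*)    echo patched ;;
        sudoedit:*) echo vulnerable ;;
        *)          echo unknown ;;
    esac
}

# Live check of the installed binary; only run when invoked with "--live".
check_installed_sudo() {
    command -v sudo >/dev/null 2>&1 || { echo "sudo not on PATH"; return 2; }
    ver=$(sudo --version 2>/dev/null | sed -n 's/^Sudo version //p')
    if sudo_version_vulnerable "$ver"; then
        echo "sudo $ver: inside an affected version range"
    else
        echo "sudo $ver: outside the affected version ranges"
    fi
    line=$(sudoedit -s '\' "$(perl -e 'print "A" x 65536')" 2>&1 | head -n 1)
    echo "sudoedit probe: $(classify_sudoedit_output "$line")"
}

if [ "${1:-}" = --live ]; then check_installed_sudo; fi
```

Run it with `--live` on the host being verified; a backported fix can change the probe result without changing the version string, so the probe verdict is the more reliable of the two.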



  • 68.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Tue February 02, 2021 05:47 AM
    Hi Charin,

    Maybe a chance to update IDS to the latest level as well. With 6.2 you have no functioning TLS 1.2 support at all.
    Version 6.2 is no longer a supported version of IBM Directory Server.
    End Of Support (EOS) date: 30-Sep-2016.
    Official:
    https://www.ibm.com/support/pages/node/319123#ver64
    Client side:
    https://www.ibm.com/support/pages/how-use-latest-version-sdstds-ldap-client-libraries-secldapclntd-aix
    Cheers, Patrick

    ------------------------------
    Patrick Hügli
    ------------------------------



  • 69.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Fri February 05, 2021 06:19 PM
    Hi Ayyapan,

    We did not have IBM LDAP installed. Our current version is sudo-1.8.15-1noldap; trying to install sudo_ids-1.9.5p2-1.aix6.1.ppc.rpm, we are left with this dependency:
    error: Failed dependencies:
    libibmldap.a is needed by sudo_ids-1.9.5p2-1.ppc
    sudo conflicts with sudo_ids-1.9.5p2-1.ppc

    Note: we couldn't install yum to resolve deps. Please advise.

    ------------------------------
    Dhileeban Sridharan
    ------------------------------



  • 70.  RE: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    Posted Tue February 09, 2021 09:58 AM
    As many users requested a noldap version of sudo, today we published the sudo_noldap version of 1.9.5p2.

    https://community.ibm.com/community/user/power/communities/community-home/digestviewer/viewthread?MessageKey=6ab2ee24-3726-430e-8234-e0be28fe98c1&CommunityKey=10c1d831-47ee-4d92-a138-b03f7896f7c9&tab=digestviewer#bm6ab2ee24-3726-430e-8234-e0be28fe98c1

    ------------------------------
    SANKET RATHI
    ------------------------------