cve-2021-3156-sudo

This module inventories and remediates CVE-2021-3156, a heap overflow in sudo that allows privilege escalation.

Maintainer

Nick Anderson

Module stats

Total Downloads: 247
Updated: Dec 23, 2021

Installation version

Version
Released on Dec 15, 2021

Tags

Installation

                    
cfbs add cve-2021-3156-sudo
Description
Dependencies
Comments

CVE-2021-3156 describes a heap overflow vulnerability in sudo discovered by security researchers from Qualys. This vulnerability allows an unprivileged user to gain root privileges without authentication.

This policy tests for the presence of the vulnerability and inventories it's presence. If the vulnerability is present sudo promises to run the most recent version available in warning mode unless default:cve_2021_3156_remediate or northerntech_security_hardening:cve_2021_3156_remediate is defined in which case sudo is automatically upgraded to the latest version available.

Recommendation: Upgrade sudo to a version that is not vulnerable

Inventory

CVE

Defined with value CVE-2021-3156 when the vulnerability is present.

https://raw.githubusercontent.com/nickanderson/cfengine-security-hardening/master/cves/cve-2021-3156-sudo/host-info-invenory.png

Configuration

default:cve_2021_3156_remediate or northerntech_security_hardening:cve_2021_3156_remediate

When defined, if the vulnerability is found the policy tries to upgrade sudo to the latest available version. When not defined, sudo upgrade to latest version is promised as a warning only.

https://raw.githubusercontent.com/nickanderson/cfengine-security-hardening/master/cves/cve-2021-3156-sudo/policy-analyzer-warning-promised.png

Dependencies

This module has no dependencies

comments powered by Disqus