The sudo privilege-escalation vulnerability and how to future-proof yourself against the likes of it

Yan Michalevsky
Anjuna
Feb 5, 2021

On January 16th, 2021, Qualys Research Labs disclosed a privilege escalation vulnerability in none other than the Linux sudo utility. It was filed as CVE-2021-3156. The vulnerability was caused by a heap-overflow bug and allows any local user on a Linux machine to obtain root privileges without proper authentication. Introduced in July 2011, it remained unknown to the general public until now and affected all legacy versions of sudo from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1.
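As an added example (not code from the original post), here is a small check that parses the first line of `sudo --version` and compares it against the two affected ranges listed above. Distributions frequently backport the fix without bumping the upstream version string, so a match means "consult your vendor's advisory", not proof of exposure.

```python
import re
from typing import Optional, Tuple

# (major, minor, patch, p-level); "1.8.31p2" becomes (1, 8, 31, 2), "1.9.0" becomes (1, 9, 0, 0)
Version = Tuple[int, int, int, int]

# Inclusive affected ranges as stated in the disclosure summary above.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # legacy branch 1.8.2 .. 1.8.31p2
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # stable branch 1.9.0 .. 1.9.5p1
]


def parse_sudo_version(text: str) -> Optional[Version]:
    """Extract a sudo version from text such as 'Sudo version 1.8.31p2'.

    Returns None when no x.y.z version is present.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_version_in_affected_range(version: Version) -> bool:
    """Tuple comparison orders 1.8.31 before 1.8.31p1 before 1.8.31p2, as sudo does."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(sudo_version_output: str) -> str:
    """Classify the first line of `sudo --version` output.

    'affected-range'  -> upstream version falls inside a listed range (check vendor backports)
    'outside-range'   -> upstream version is older/newer than every listed range
    'unknown'         -> no version could be parsed
    """
    version = parse_sudo_version(sudo_version_output.splitlines()[0] if sudo_version_output else "")
    if version is None:
        return "unknown"
    return "affected-range" if is_version_in_affected_range(version) else "outside-range"


if __name__ == "__main__":
    # Constructed sample line, not captured from a real host.
    print(assess("Sudo version 1.8.31p2"))
```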

What is scary about this vulnerability is that sudo is a very logical place for actors such as commercially incentivized blackhats and nation-state sponsored hacking groups to look for a vulnerability. Being present on most distributions and versions of Unix/Linux, it is a great target to poke holes in. We can only guess whether this vulnerability was known to any actors prior to the Qualys disclosure, or whether exploits based on it were already circulating in underground vulnerability marketplaces.

We’re not going to dive here into how to detect and remediate this particular vulnerability. There are many other online resources addressing those points. What I want to talk about is a more generic step you can take to protect your data in light of the possibility of such events. The problem is that this is not the last major privilege escalation vulnerability you are going to see. There is a steady stream of disclosures of such vulnerabilities. The operating system, together with all its drivers, privileged utilities and agents, provides a large attack surface and ample opportunities to bypass the permissions assigned to a non-administrative user. Sometimes it’s due to bugs, as in this case, and sometimes due to misconfiguration. The question is whether you can do something other than chasing your tail patching your systems, and hoping they weren’t already infiltrated by actors that might have had a zero-day in their hands prior to the disclosure.

At Anjuna, we believe that new technologies falling under the category of Secure Enclaves, or Confidential Computing, can future-proof your infrastructure against such vulnerabilities. Secure Enclaves are safe havens for sensitive applications and data on a potentially compromised machine. They can protect data on a machine, even while it is being processed, even from an attacker that managed to escalate their privileges to gain root access and otherwise has full control of the host (whether it is a bare-metal machine, a virtual machine, a cloud instance, etc.).

Secure Enclaves rely on a new capability of processors to encrypt memory used by one piece of code, such that no other code (even the kernel, drivers, or applications running as root) can access it. This makes it possible to separate the privileges of an infrastructure admin (or an attacker posing as one) from those of the users of the sensitive application.

For instance, if you’re hosting a MySQL or MariaDB database containing the PII of your customers, you don’t necessarily want your Linux admin to have access to it. And you definitely don’t want an attacker that got hold of the VM to dump the memory of this database, or to read the files that store its tables, and get their hands on the data. A Secure Enclave enables you to run the database such that it is isolated from the rest of the host and any other applications on it, and even a kernel-mode driver cannot read its memory. This doesn’t prevent the attacker from exploiting the sudo vulnerability, but it does render it ineffective and inconsequential in terms of accessing data in that sensitive database: even running as root, the attacker won’t be able to access the database content.

Anjuna works with various technologies, such as Intel® Software Guard Extensions (SGX), AMD Secure Encrypted Virtualization (SEV), and Amazon Nitro Enclaves, to enable an easy lift-and-shift of applications into enclaves without the need to modify the application. If you are interested in learning more about Secure Enclaves, Trusted Execution Environments (TEE), and Confidential Computing, you’re welcome to contact us at info@anjuna.io, or through our website.

Yan is the co-founder and CTO of Anjuna, a company that specializes in secure enclaves. He holds a PhD in applied security and privacy from Stanford University.