Repair Centre Location:

Motherwell | North Lanarkshire

TTG Phone Number:

01698 533212

Customer Service Email:

cs@thetechguys.site

Tag Archive

Latest macOS Big Sur also has SUDO root privilege escalation flaw

Latest macOS Big Sur also has SUDO root privilege escalation flaw

A recently discovered heap-based buffer overflow vulnerability in Linux SUDO also impacts the latest version of Apple macOS Big Sur, with no patch available yet.

Last week, The Technology Guys Ltd had reported on CVE-2021-3156 aka Baron Samedit, a flaw in SUDO which lets local users gain root privileges.

Sudo is a Unix program that enables system admins to provide limited root privileges to normal users listed in the sudoers file, while at the same time keeping a log of their activity.

This helps limits the rights of standard users on an operating system by preventing them from executing high-risk commands and programs which may compromise the system’s security.



By exploiting Baron Samedit, standard non-root users on Linux, and now on macOS systems can execute applications with root privileges.

Sudo vulnerability impacts latest macOS version
This week, multiple security researchers have noticed that the sudo privilege escalation vulnerability CVE-2021-3156 also impacts the latest versions of Apple macOS Big Sur.

While the vulnerability was patched in multiple Linux distributions including Ubuntu, Debian, and Fedora, according to Qualys Research Team’s original blog disclosure, a fix is not yet available for macOS.

CVE-2021-3156 also impacts Apple macOS Big Sur (unpatched at present) Source: Twitter

CVE-2021-3156 also impacts Apple macOS Big Sur (unpatched at present)
Source: Twitter

PoC exploits available in the wild

To demonstrate the claim, the researcher Matthew Hickey (Hacker Fantastic), the co-founder of Hacker House coded a simplistic Proof-of-Concept (PoC) exploit of under ten lines that can enable standard macOS users to elevate their privileges to root.

CVE-2021-3156 PoC exploit for macOS

CVE-2021-3156 PoC exploit for macOS
Source: Pastebin

PoC exploits for the Baron Samedit vulnerability have also been published for Ubuntu and other Linux distributions.

IBM AIX Unix distros also remain vulnerable to Baron Samedit.

Hickey told ZDNet the vulnerability remained exploitable even in the most recent macOS version after he had applied Apple’s Monday security updates.

No patch is yet available for macOS users, and it is worth noting, the vulnerability might be possible to trigger on multiple system architectures.

Researchers have confirmed running the exploits successfully across both aarch64 and x86_64 architectures.

Microsoft Fixes Secure Boot Bug Allowing Windows Rootkit Installation

Microsoft Fixes Secure Boot Bug Allowing Windows Rootkit Installation

Microsoft has fixed a security feature bypass vulnerability in Secure Boot that allows attackers to compromise the operating system’s booting process even when Secure Boot is enabled.

Secure Boot
 blocks untrusted operating systems bootloaders on computers with Unified Extensible Firmware Interface (UEFI) firmware and a Trusted Platform Module (TPM) chip to help prevent 

rootkits

 from loading during the OS startup process.

Rootkits can be used by threat actors to inject malicious code into a computer’s UEFI firmware, to replace the operating system’s bootloader, to replace parts of the Windows kernel, or camouflage maliciously crafted drivers are
legitimate Windows drivers.

The security feature bypass flaw, tracked as 
CVE-2020-0689, has a publicly
available exploit code that works during most exploitation attempts which require running a specially crafted application.

“An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software,” Microsoft explains.

Affected Windows versions include multiple Windows 10 releases (from v1607 to v1909), Windows 8.1, Windows Server 2012 R2, and Windows Server 2012.



How to install the security update

To block untrusted or known vulnerable third-party bootloaders when Secure Boot is toggled on, Windows devices with UEFI firmware use the Secure Boot Forbidden Signature Database (DBX).

The 
KB4535680
 security update released by Microsoft as part of the  January 2021 Patch Tuesday

 addresses the vulnerability by blocking known vulnerable third-party UEFI modules (bootloaders) to the DBX.

Users have to install this standalone security update in addition to the normal security update to block attacks designed to exploit this Secure Boot vulnerability.

If automatic updates are enabled on the computer, the security update will be installed automatically, without user intervention needed.

However, on systems where updates need to be installed manually, you will be required to first 
download KB4535680 for their
platform from the Microsoft Update Catalog.

Next, you will have to make sure that a specific Servicing Stack Update is installed before deploying the standalone security update (you can find the list 

here

).

If you also need to manually install the January 2021 Security Updates, the three updates should be installed in the following order:

  • Servicing Stack Update
  • Standalone Secure Boot Update listed in this CVE
  • January 2021 Security Update

On systems where Windows Defender Credential Guard (Virtual Secure Mode) is also enabled, installing the KB4535680 standalone update will require two additional reboots.

Microsoft also released guidance for applying Secure Boot DBX updates after the disclosure of the  BootHole GRUB bootloader vulnerability

 in July 2020 which also allows for Secure Boot bypass.

The company added at the time that it “plans to push an update to Windows Update to address” the BootHole vulnerability in 2021.