27-Jan-2021 03:10
27-Jan-2021 04:17
F5s seems to be vulnerable, to confirm, see below:
How can I test if I have vulnerable version?
To test if a system is vulnerable or not, login to the system as a non-root user.
Run command “sudoedit -s /”
If the system is vulnerable, it will respond with an error that starts with “sudoedit:”
If the system is patched, it will respond with an error that starts with “usage:”
27-Jan-2021 05:29
Thanks for the reply, that's interesting. My BIG-IP (15.1.04) instances return:
sudoedit: command not found
Running an rpm -qa query also doesn't show sudo being installed. Could sudo be installed on some versions and not others?
28-Jan-2021
00:16
- last edited on
04-Jun-2023
21:05
by
JimmyPackets
I have tried it on F5 v12.1.5.2
testuser@F5v12-1-5-2:~$ sudoedit -s /
sudoedit: /: not a regular file
testuser@F5v12-1-5-2:~$
Test on Linux vm before and after patch
testuser@vm-not-patched:~$ sudoedit -s /
sudoedit: /: not a regular file
testuser@vm-not-patched:~$
testuser@vm-patched:~$ sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
testuser@vm-patched:~$
29-Jan-2021 11:10
I just opened a P2 case with F5 regarding this vulnerability. They responded saying BIG-IP devices are not affected and that F5 will have a public facing KB regarding the vulnerability in the next couple of days.
30-Jan-2021 12:18
BIG-IP found not to be vulnerable to CVE-2021-3156.
Article: K86488846 - Sudo vulnerability CVE-2021-3156 (f5.com)