Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

CVE-2021-3156 | SUDO Heap-based Buffer Overflow

Barny_Riches
Nimbostratus
Nimbostratus

‎27-Jan-2021 03:10

Are any of the BIG-IP versions affected by the recent SUDO vulnerability announcement? I have checked our F5 estate and I don't believe that the SUDO package is installed or used, but I just want to be sure.

Labels:
0 Kudos
6 REPLIES 6

DMan
Nimbostratus
Nimbostratus

‎27-Jan-2021 04:17

F5s seems to be vulnerable, to confirm, see below:

 

How can I test if I have vulnerable version?

To test if a system is vulnerable or not, login to the system as a non-root user.

Run command “sudoedit -s /”

If the system is vulnerable, it will respond with an error that starts with “sudoedit:”

If the system is patched, it will respond with an error that starts with “usage:”

0 Kudos

Barny_Riches
Nimbostratus
Nimbostratus
In response to DMan

‎27-Jan-2021 05:29

Thanks for the reply, that's interesting. My BIG-IP (15.1.04) instances return:

sudoedit: command not found

Running an rpm -qa query also doesn't show sudo being installed. Could sudo be installed on some versions and not others?

0 Kudos

DMan
Nimbostratus
Nimbostratus

‎27-Jan-2021 11:53

Interesting - I have tried it on v14.1.x and 15.1.2 boxes and when i type the "sudoedit -s /" getting a sudoedit: error response back.

0 Kudos

Marcel_Vanko
Nimbostratus
Nimbostratus

‎28-Jan-2021 00:16 - last edited on ‎04-Jun-2023 21:05 by Fog

I have tried it on F5 v12.1.5.2

testuser@F5v12-1-5-2:~$ sudoedit -s /
sudoedit: /: not a regular file
testuser@F5v12-1-5-2:~$

Test on Linux vm before and after patch

testuser@vm-not-patched:~$ sudoedit -s /
sudoedit: /: not a regular file
testuser@vm-not-patched:~$ 
 
testuser@vm-patched:~$ sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
testuser@vm-patched:~$
0 Kudos

alanjohnson7467
Cirrus
Cirrus

‎29-Jan-2021 11:10

I just opened a P2 case with F5 regarding this vulnerability. They responded saying BIG-IP devices are not affected and that F5 will have a public facing KB regarding the vulnerability in the next couple of days.

0 Kudos

Damian_Foitzik-
F5 Employee
F5 Employee

‎30-Jan-2021 12:18

BIG-IP found not to be vulnerable to CVE-2021-3156.

Article: K86488846 - Sudo vulnerability CVE-2021-3156 (f5.com)

Copyright © 2023 Khoros, LLC