Root Access Sudo Bug Found to Affect macOS Big Sur

A sudo bug that can grant an attacker root access has been discovered to affect macOS Big Sur (via ZDNet).

The security vulnerability, identified last week as "CVE-2021-3156" by the Qualys Security Team, affects sudo, which is a program that allows users to run commands with the security privileges of another user, such as an administrator. The bug triggers a "heap overflow" in sudo that changes the current user's privileges to enable root-level access. This can give an attacker access to the entire system. An attacker would need to gain low-level access to a system first to be able to exploit the bug, such as via planted malware.

Sudo is part of many Unix-like systems, including macOS, but it was initially unknown if the vulnerability affected Mac machines since it was only tested by Qualys on Ubuntu, Debian, and Fedora. Security researcher Matthew Hickey has now confirmed that the most recent version of macOS, macOS Big Sur 11.2, can be subject to the sudo attack.

Last week, there was speculation that the macOS Big Sur 11.2 update may address the sudo vulnerability, though it was not definitively known at the time if the bug would affect macOS. While it was found that sudo was left unchanged in macOS Big Sur 11.2, it is now clear that macOS is affected by the exploit.

With some minor modifications, Hickey found that the sudo bug could be used to grant attackers access to macOS root accounts, and the discovery has now been verified by Carnegie Mellon University vulnerability analyst Will Dormann.

Apple has reportedly been notified of the CVE-2021-3156 vulnerability, and due to the severity of the issue, a patch will likely be released soon.
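
The macOS Big Sur 11.2.1 story linked from this page says Apple fixed CVE-2021-3156 by updating to sudo 1.9.5p2. As an added example (not from the article, Qualys or Apple), this script compares a sudo version string against that release; the function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: is a sudo version at or past 1.9.5p2, the release the page
# says fixed CVE-2021-3156? Function names and sample banners are constructed.
FIXED_VERSION="1.9.5p2"

# First line of `sudo -V` ("Sudo version 1.9.5p2") -> "1.9.5p2"
sudo_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9][0-9a-z.]*\).*$/\1/p'
}

# "MAJOR.MINOR[.PATCH][pN]" -> "MAJOR MINOR PATCH N"; fails on anything else.
sudo_version_fields() {
    case $1 in *[!0-9.p]*) return 1 ;; esac
    case $1 in
        *p*) plevel=${1##*p}; base=${1%p*} ;;
        *)   plevel=0;        base=$1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs
    for f in "${1:-x}" "${2:-x}" "${3:-0}" "$plevel"; do
        case $f in ''|*[!0-9]*) return 1 ;; esac
    done
    echo "$1 $2 ${3:-0} $plevel"
}

# Exit 0 if $1 >= $2, 1 if $1 is older, 2 if either string is unparseable.
sudo_version_ge() {
    a=$(sudo_version_fields "$1") || return 2
    b=$(sudo_version_fields "$2") || return 2
    set -- $a $b
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        [ "${pair%:*}" -gt "${pair#*:}" ] && return 0
        [ "${pair%:*}" -lt "${pair#*:}" ] && return 1
    done
    return 0
}

# Prints fixed | older-than-fix | unknown. Vendors may backport the fix without
# bumping the upstream version, so "older-than-fix" means: check the advisory.
classify_sudo() {
    rc=0; sudo_version_ge "$1" "$FIXED_VERSION" || rc=$?
    case $rc in 0) echo fixed ;; 1) echo older-than-fix ;; *) echo unknown ;; esac
}

# Constructed banners, plus the local sudo's own banner when sudo is installed.
for banner in "Sudo version 1.8.31" "Sudo version 1.9.5p1" "Sudo version 1.9.5p2" \
              "$(command -v sudo >/dev/null 2>&1 && sudo -V 2>/dev/null)"; do
    v=$(sudo_version_from_banner "$banner")
    echo "${v:-no-sudo-banner}: $(classify_sudo "$v")"
done
```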

Top Rated Comments

AttoA
13 months ago

Apple rushing beta software to market, again.
This vulnerability has been present for more than a decade in all sorts of UNIXes! It's not something at all limited to Apple's QA...
Score: 34 Votes
mannyvel
13 months ago

So, mostly free OSes. That's much of a defense....

Devs knew about the potential, and chose not to address it. They would rather rush a beta product to market.
One day you will learn more about software and you will look back at this comment and say "wow, I was totally clueless back then."
Score: 27 Votes
Gabebear
13 months ago

Wow I thought this would have been patched out in 11.2. Hopefully we will get a supplemental patch shortly.
It turns most fairly minor security issues into full-blown root exploits… fairly terrifying.
Score: 9 Votes
opfor
13 months ago

I'd think we'd have better tools/procedures for finding bugs like this a lot sooner.

Is there not an automated tool that can look at some code and say "hey, right here it's possible for a heap overflow to occur and there's no error handling code to deal with it"?
Sure there are tools that catch some of these problems via static analysis etc and there are languages where this class of problems might not even occur.

But it is also true that the day that the CVE was released I updated my Linux servers and got a fixed/patched sudo, while even macOS 11.3 beta1 still has the issue, so this is also indicative of Apple release engineering capabilities, or lack of them.
Score: 8 Votes
justperry
13 months ago

So is this a zero day, drive-by vulnerability? Or does the attacker have to have physical access?
Nope

"An attacker would need to gain low-level access to a system first to be able to exploit the bug, such as via planted malware."
Score: 8 Votes

Related Stories

macOS Big Sur 11.2.1 Fixes Root Access Sudo Bug

Tuesday February 9, 2021 11:32 am PST by
The macOS Big Sur 11.2.1 update that Apple released today fixes a sudo security vulnerability that could allow an attacker to gain root access to a Mac. According to an Apple security support document, the bug, CVE-2021-3156, was addressed in the update by updating to sudo version 1.9.5p2. Apple has also fixed the bug in Supplemental Updates made available for macOS Catalina 10.15.7 and...