Root Access Sudo Bug Found to Affect macOS Big Sur

A sudo bug that can grant an attacker root access has been discovered to affect macOS Big Sur (via ZDNet).

sudo bug macos

The security vulnerability, identified last week as "CVE-2021-3156" by the Qualys Security Team, affects sudo, which is a program that allows users to run commands with the security privileges of another user, such as an administrator. The bug triggers a "heap overflow" in sudo that changes the current user's privileges to enable root-level access. This can give an attacker access to the entire system. An attacker would need to gain low-level access to a system first to be able to exploit the bug, such as via planted malware.

Sudo is part of many Unix-like systems, including macOS, but it was initially unknown if the vulnerability affected Mac machines since it was only tested by Qualys on Ubuntu, Debian, and Fedora. Security researcher Matthew Hickey has now confirmed that the most recent version of macOS, macOS Big Sur 11.2 can be subject to the sudo attack.

Last week, there was speculation that the ‌macOS Big Sur‌ 11.2 update may address the sudo vulnerability, though it was not definitively known at the time if the bug would affect macOS. While it was found that sudo was left unchanged in ‌macOS Big Sur‌ 11.2, it is now clear that macOS is affected by the exploit.

With some minor modifications, Hickey found that the sudo bug could be used to grant attackers access to macOS root accounts, and the discovery has now been verified by Carnegie Mellon University vulnerability analyst Will Dormann.

Apple has reportedly been notified of the CVE-2021-3156 vulnerability, and due to the severity of the issue, a patch will likely be released soon.

Top Rated Comments

AttoA Avatar
9 months ago

Apple rushing beta software to market, again.
This vulnerability has been present for more than a decade in all sorts of UNIXes! It's not something at all limited to Apple's QA...
Score: 34 Votes (Like | Disagree)
Havalo Avatar
9 months ago


Attachment Image
Score: 31 Votes (Like | Disagree)
mannyvel Avatar
9 months ago

So, mostly free OSes. That's much of a defense....

Devs knew about the potential, and chose not to address it. They would rather rush a beta product to market.
One day you will learn more about software and you will look back at this comment and say "wow, I was totally clueless back then."
Score: 27 Votes (Like | Disagree)
Gabebear Avatar
9 months ago

Wow I thought this would have been patched out in 11.2. Hopefully we will get a
supplemental patch shortly.
It turns most fairly minor security issues into full-blown root exploits… fairly terrifying.
Score: 9 Votes (Like | Disagree)
opfor Avatar
9 months ago

I'd think we'd have better tools/procedures for finding bugs like this a lot sooner.

Is there not an automated tool that can look at some code and say "hey, right here it's possible for a heap overflow to occur and there's no error handling code to deal with it"?
Sure there are tools that catch some of these problems via static analysis etc and there are languages where this class of problems might not even occur.

But it is also true that the day that the CVE was released I updated my Linux servers and got a fixed/patched sudo, while even macOS 11.3 beta1 still has the issue, so this is also indicative of Apple release engineering capabilities, or lack of them.
Score: 8 Votes (Like | Disagree)
justperry Avatar
9 months ago

So is this a zero day, drive-by vulnerability? Or does the attacker have to have physical access?
Nope

"An attacker would need to gain low-level access to a system first to be able to exploit the bug, such as via planted malware."
Score: 8 Votes (Like | Disagree)

Related Stories

macOS Big Sur Feature Blue

Update to macOS 11.4 NOW - Someone Could Be Spying On You

Sunday May 30, 2021 9:40 am PDT by
Apple's recently released macOS Big Sur 11.4 update addresses a serious security vulnerability, so all users should complete the software update immediately. Jamf, a mobile device management company, raised a major security issue in macOS Big Sur that allowed attackers to piggyback apps like Zoom to surreptitiously take screenshots and record the screen. The exploit allowed a user's Privacy...
jamf malware secret screenshots

macOS Big Sur 11.4 Addresses Vulnerability That Could Let Attackers Take Secret Screenshots

Monday May 24, 2021 5:26 pm PDT by
macOS Big Sur 11.4, which was released this morning, addresses a zero-day vulnerability that could allow attackers to piggyback off of apps like Zoom, taking secret screenshots and surrepetiously recording the screen. Jamf, a mobile device management company, today highlighted a security issue that allowed Privacy preferences to be bypassed, providing an attacker with Full Disk Access,...
First Look Big Sur Feature2

Apple Releases macOS Big Sur 11.2.1 With Fix for MacBook Pro Charging Issue [Updated]

Tuesday February 9, 2021 10:13 am PST by
Apple today released macOS Big Sur 11.2.1, the third update to the macOS Big Sur operating system that launched in November. macOS Big Sur‌ 11.2.1 comes a little over a week after the release of macOS 11.2. The new ‌‌‌macOS Big Sur‌‌ 11.2.1‌ update can be downloaded for free on all eligible Macs using the Software Update section of System Preferences. According to Apple's...
macOS Big Sur Feature Blue

Apple Seeds Second Beta of macOS Big Sur 11.5 to Developers

Wednesday June 2, 2021 10:09 am PDT by
Apple today seeded the second beta of an upcoming macOS Big Sur 11.5 update to developers for testing purposes, with the new beta coming two weeks after the release of the first macOS Big Sur 11.5 beta. Developers can download the ‌‌‌‌macOS Big Sur‌‌‌‌ 11.5 beta using the Software Update mechanism in System Preferences after installing the proper profile from the Apple...
macOS 11

Apple Seeds Third Release Candidate Version of macOS Big Sur 11.2 to Developers [Update: Public Beta Too]

Thursday January 28, 2021 1:29 pm PST by
Apple today seeded a third RC version of an upcoming macOS Big Sur 11.2 update to developers for testing purposes, with the new update coming a week after the second RC and more than two months after initial macOS Big Sur release. Developers can download the updated ‌‌macOS Big Sur‌‌ 11.2 release candidate using the Software Update mechanism in System Preferences after installing the ...
macOS Big Sur Feature Triad

Apple Seeds Third Beta of macOS Big Sur 11.4 to Developers

Monday May 10, 2021 10:14 am PDT by
Apple today seeded the third beta of an upcoming macOS Big Sur 11.4 update to developers for testing purposes, with the new beta coming two weeks after the release of the second macOS Big Sur 11.4 beta. Developers can download the ‌‌‌macOS Big Sur‌‌‌ 11.4 beta using the Software Update mechanism in System Preferences after installing the proper profile from the Apple Developer...
sudo bug macos

macOS Big Sur 11.2.1 Fixes Root Access Sudo Bug

Tuesday February 9, 2021 11:32 am PST by
The macOS Big Sur 11.2.1 update that Apple released today fixes a sudo security vulnerability that could allow an attacker to gain root access to a Mac. According to an Apple security support document, the bug, CVE-2021-3156, was addressed in the update by updating to sudo version 1.9.5p2. Apple has also fixed the bug in Supplemental Updates made available for macOS Catalina 10.15.7 and...
First Look Big Sur Feature2

Apple Releases macOS Big Sur 11.2.2 to Prevent MacBooks From Being Damaged by Third-Party Non-Compliant Docks

Thursday February 25, 2021 10:07 am PST by
Apple today released macOS Big Sur 11.2.2, the fourth update to the macOS Big Sur operating system that launched in November. macOS Big Sur 11.2.2 comes two weeks after the release of macOS Big Sur 11.2.1, a bug fix update. The new ‌‌‌‌macOS Big Sur‌‌‌ 11.2.2‌ update can be downloaded for free on all eligible Macs using the Software Update section of System Preferences....
macOS Big Sur Feature Orange

Apple Releases macOS Big Sur 11.2.3 With WebKit Security Fix

Monday March 8, 2021 10:12 am PST by
Apple today released macOS Big Sur 11.2.3, the fifth update to the macOS Big Sur operating system that launched in November. macOS Big Sur 11.2.3 comes two weeks after the release of macOS 11.2.2, a bug fix update. The new ‌‌‌‌‌macOS Big Sur‌‌‌‌ 11.2.3 update can be downloaded for free on all eligible Macs using the Software Update section of System Preferences. Apple...
macOS 11

Apple Seeds Second Beta of macOS Big Sur 11.2 to Developers [Update: Public Beta Available]

Wednesday January 13, 2021 10:02 am PST by
Apple today seeded the second beta of an upcoming macOS Big Sur 11.2 update to developers for testing purposes, with the new beta coming a month after the first beta and two months after the initial macOS Big Sur release. Developers can download the ‌‌macOS Big Sur‌‌ 11.2 beta using the Software Update mechanism in System Preferences after installing the proper profile from the Apple ...