Root Access Sudo Bug Found to Affect macOS Big Sur

A sudo bug that can grant an attacker root access has been discovered to affect macOS Big Sur (via ZDNet).

sudo bug macos

The security vulnerability, identified last week as "CVE-2021-3156" by the Qualys Security Team, affects sudo, which is a program that allows users to run commands with the security privileges of another user, such as an administrator. The bug triggers a "heap overflow" in sudo that changes the current user's privileges to enable root-level access. This can give an attacker access to the entire system. An attacker would need to gain low-level access to a system first to be able to exploit the bug, such as via planted malware.

Sudo is part of many Unix-like systems, including macOS, but it was initially unknown if the vulnerability affected Mac machines since it was only tested by Qualys on Ubuntu, Debian, and Fedora. Security researcher Matthew Hickey has now confirmed that the most recent version of macOS, macOS Big Sur 11.2 can be subject to the sudo attack.

Last week, there was speculation that the macOS Big Sur 11.2 update may address the sudo vulnerability, though it was not definitively known at the time if the bug would affect macOS. While it was found that sudo was left unchanged in macOS Big Sur 11.2, it is now clear that macOS is affected by the exploit.

With some minor modifications, Hickey found that the sudo bug could be used to grant attackers access to macOS root accounts, and the discovery has now been verified by Carnegie Mellon University vulnerability analyst Will Dormann.

Apple has reportedly been notified of the CVE-2021-3156 vulnerability, and due to the severity of the issue, a patch will likely be released soon.

Top Rated Comments

AttoA Avatar
17 months ago

Apple rushing beta software to market, again.
This vulnerability has been present for more than a decade in all sorts of UNIXes! It's not something at all limited to Apple's QA...
Score: 34 Votes (Like | Disagree)
Havalo Avatar
17 months ago


Attachment Image
Score: 31 Votes (Like | Disagree)
mannyvel Avatar
17 months ago

So, mostly free OSes. That's much of a defense....

Devs knew about the potential, and chose not to address it. They would rather rush a beta product to market.
One day you will learn more about software and you will look back at this comment and say "wow, I was totally clueless back then."
Score: 27 Votes (Like | Disagree)
Gabebear Avatar
17 months ago

Wow I thought this would have been patched out in 11.2. Hopefully we will get a
supplemental patch shortly.
It turns most fairly minor security issues into full-blown root exploits… fairly terrifying.
Score: 9 Votes (Like | Disagree)
opfor Avatar
17 months ago

I'd think we'd have better tools/procedures for finding bugs like this a lot sooner.

Is there not an automated tool that can look at some code and say "hey, right here it's possible for a heap overflow to occur and there's no error handling code to deal with it"?
Sure there are tools that catch some of these problems via static analysis etc and there are languages where this class of problems might not even occur.

But it is also true that the day that the CVE was released I updated my Linux servers and got a fixed/patched sudo, while even macOS 11.3 beta1 still has the issue, so this is also indicative of Apple release engineering capabilities, or lack of them.
Score: 8 Votes (Like | Disagree)
justperry Avatar
17 months ago

So is this a zero day, drive-by vulnerability? Or does the attacker have to have physical access?
Nope

"An attacker would need to gain low-level access to a system first to be able to exploit the bug, such as via planted malware."
Score: 8 Votes (Like | Disagree)

Related Stories

jamf malware secret screenshots

macOS Big Sur 11.4 Addresses Vulnerability That Could Let Attackers Take Secret Screenshots

Monday May 24, 2021 5:26 pm PDT by
macOS Big Sur 11.4, which was released this morning, addresses a zero-day vulnerability that could allow attackers to piggyback off of apps like Zoom, taking secret screenshots and surrepetiously recording the screen. Jamf, a mobile device management company, today highlighted a security issue that allowed Privacy preferences to be bypassed, providing an attacker with Full Disk Access,...
macOS Big Sur Feature Triad

Apple Releases macOS Big Sur 11.6.1 With Security Fixes

Tuesday October 26, 2021 12:53 am PDT by
Apple today released macOS Big Sur 11.6.1, a minor update to the macOS Big Sur operating system that first came out in November 2020. macOS Big Sur 11.6.1 comes roughly six weeks after the launch of macOS Big Sur 11.6. The new ‌‌‌‌‌‌‌macOS Big Sur‌‌‌‌‌‌ 11.6.1 update can be downloaded to all eligible Macs using the Software Update section of System Preferences....
macOS Big Sur Feature Blue

Apple Seeds Third Beta of macOS Big Sur 11.5 to Developers

Monday June 14, 2021 10:04 am PDT by
Apple today seeded the third beta of an upcoming macOS Big Sur 11.5 update to developers for testing purposes, with the new beta coming two weeks after the release of the second macOS Big Sur 11.5 beta. Developers can download the ‌‌‌‌macOS Big Sur‌‌‌‌ 11.5 beta using the Software Update mechanism in System Preferences after installing the proper profile from the Apple...
macOS Big Sur Feature Blue

Update to macOS 11.4 NOW - Someone Could Be Spying On You

Sunday May 30, 2021 9:40 am PDT by
Apple's recently released macOS Big Sur 11.4 update addresses a serious security vulnerability, so all users should complete the software update immediately. Jamf, a mobile device management company, raised a major security issue in macOS Big Sur that allowed attackers to piggyback apps like Zoom to surreptitiously take screenshots and record the screen. The exploit allowed a user's Privacy...
macOS Big Sur Feature Triad

Apple Releases macOS Big Sur 11.5.1 With Security Updates

Monday July 26, 2021 10:20 am PDT by
Apple today released macOS Big Sur 11.5.1, a minor bug fix update that comes close to one week after the launch of macOS Big Sur 11.5. The new ‌‌‌‌‌‌macOS Big Sur‌‌‌‌‌ 11.5.1 update can be downloaded for free on all eligible Macs using the Software Update section of System Preferences. According to Apple, macOS Big Sur 11.5.1 brings important security updates and is...
macOS Big Sur Feature Blue

Apple Seeds Second Release Candidate Version of macOS Big Sur 11.5 to Developers

Monday July 19, 2021 10:40 am PDT by
Apple today seeded a second release candidate version of an upcoming macOS Big Sur 11.5 update to developers for testing purposes, with the new update coming one week after the release of the first RC version. Developers can download the ‌‌‌‌macOS Big Sur‌‌‌‌ 11.5 beta using the Software Update mechanism in System Preferences after installing the proper profile from the Apple ...
macOS Big Sur Feature Purple

Apple Seeds First Beta of macOS Big Sur 11.4 to Developers [Update: Public Beta Available]

Wednesday April 21, 2021 10:26 am PDT by
Apple today seeded the first beta of an upcoming macOS Big Sur 11.4 update to developers for testing purposes, with the new beta coming while the macOS 11.3 beta is still in testing. Developers can download the ‌‌‌macOS Big Sur‌‌‌ 11.4 beta using the Software Update mechanism in System Preferences after installing the proper profile from the Apple Developer Center. According...
macOS Big Sur Feature Orange

Apple Releases macOS Big Sur 11.5.2 With Bug Fixes

Wednesday August 11, 2021 10:17 am PDT by
Apple has released a new macOS Big Sur 11.5.2 update, delivering unspecified bug fixes for Mac users running the latest major operating system version. The update comes a little over two weeks after Apple released macOS 11.5.1. The new ‌‌‌‌‌‌‌macOS Big Sur‌‌‌‌‌‌ 11.5.2 update can be downloaded for free on all eligible Macs using the Software Update section of System ...

Popular Stories

iPhone 13 Always On Feature

iPhone 14 Pro Screen Refresh Rate Upgrade Could Allow for Always-On Display

Tuesday May 24, 2022 7:23 am PDT by
Last year's iPhone 13 Pro models were the first of Apple's smartphones to come with 120Hz ProMotion displays, and while the two iPhone 14 Pro models will continue to feature the technology, their screens could well boast expanded refresh rate variability this time round. To bring ProMotion displays to the ‌iPhone 13 Pro models‌, Apple adopted LTPO panel technology with variable refresh...
iPhone 14 Pro Purple Front and Back MacRumors Exclusive

iPhone 14 Pro Renders Highlight Multiple Design Changes

Wednesday May 25, 2022 8:56 am PDT by
Leaker Jon Prosser today shared ostensibly accurate renders of the iPhone 14 Pro, providing the most accurate look yet at what the device could look like when it launches later this year. In the latest video on YouTube channel Front Page Tech, Prosser revealed renders of the iPhone 14 Pro made by Apple concept graphic designer Ian Zelbo, highlighting a range of specific design changes...
iPhone 14 Purple Lineup Feature

Will the iPhone 14 Be a Disappointment?

Saturday May 21, 2022 9:00 am PDT by
With around four months to go before Apple is expected to unveil the iPhone 14 lineup, the overwhelming majority of rumors related to the new devices so far have focused on the iPhone 14 Pro, rather than the standard iPhone 14 – leading to questions about how different the iPhone 14 will actually be from its predecessor, the iPhone 13. The iPhone 14 Pro and iPhone 14 Pro Max are expected...
iPhone 13 Face ID

'High-End' iPhone 14 Front-Facing Camera to Cost Apple Three Times More

Monday May 23, 2022 7:05 am PDT by
The iPhone 14 will feature a more expensive "high-end" front-facing camera with autofocus, partly made in South Korea for the first time, ET News reports. Apple reportedly ousted a Chinese candidate to choose LG Innotek, a South Korean company, to supply the iPhone 14's front-facing camera alongside Japan's Sharp. The company is said to have originally planned to switch to LG for the iPhone...
apple wwdc 2022

Apple Shares WWDC 2022 Schedule, Keynote to Take Place June 6 at 10:00 a.m PT

Tuesday May 24, 2022 9:06 am PDT by
Apple today confirmed that the keynote event for the Worldwide Developers Conference will begin at 10:00 a.m. Pacific Time on June 6, the first day of WWDC. The keynote will be an online-only event, though a select number of developers have been invited to the Apple Park campus for a viewing event. In addition to confirming the keynote date and time, Apple has shared the full WWDC 2022...
2022 Apple Watch Pride Edition Bands

Apple Announces 2022 Pride Edition Watch Bands and Watch Face

Tuesday May 24, 2022 6:24 am PDT by
Apple today announced new Pride bands for the Apple Watch, with new Pride Edition Sport Loop and Pride Edition Nike Sport Loop options available. The new Pride Edition bands are available to order today for $49 on Apple.com and in the Apple Store app, and will be available at Apple Store locations starting May 26. The Pride Edition Nike Sport Loop is also coming soon to Nike.com. This...