Hewlett Packard Enterprise (HPE) is warning of a high-severity privilege escalation vulnerability in the open-source Sudo program used within its Aruba AirWave management platform. Aruba AirWave is a real-time monitoring and security alert platform designed by HPE.
An unprivileged and unauthenticated local attacker could exploit the vulnerability to gain root privileges on a vulnerable host.
“A vulnerability in the command line parameter parsing code of sudo could allow an attacker with access to sudo to execute commands or binaries with root privileges. The main impact of this vulnerability would be as part of a “chained attack” where an attacker has achieved a foothold with lower privileges via another vulnerability and then uses this to escalate privileges.” reads the security advisory.
Experts warn that an attacker who has already gained low-privileged access to a target system could chain this flaw with other vulnerabilities to escalate privileges.
CVE-2021-3156 was discovered by Qualys researchers in January; it allows any local user to gain root privileges on Unix-like operating systems without authentication.
Sudo is one of the most important, powerful, and commonly used utilities that comes as a core command pre-installed on macOS and almost every UNIX or Linux-based operating system.
Sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do”, as the older versions of sudo were designed to run commands only as the superuser.
The Sudo CVE-2021-3156 vulnerability, dubbed Baron Samedit, is a heap-based buffer overflow. It was reported on January 13th and disclosed at the end of January, giving the development team time to address the issue.
HPE confirmed that the flaw affects versions of the AirWave management platform prior to 22.214.171.124, which was released on June 18, 2021.
HPE also provided a workaround for HPE AirWave customers and pointed out that Aruba is not aware of any attacks in the wild against Aruba products exploiting the above vulnerability.
“To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for AirWave be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.” concludes the advisory.