A critical security vulnerability has been discovered in a utility installed on most Linux-based operating systems. The utility, Sudo, allows system administrators to give certain users the ability to run some commands as root or another user.

If exploited by an attacker, the vulnerability could allow any authenticated user to gain root access on the system, even if the account isn’t in the configuration file /etc/sudoers.

Pitt IT recommends that systems administrators patch affected systems as quickly as possible, prioritizing systems that have low-privileged accounts.

Additional details about the vulnerability are available from the following sources:

• 10-year-old Sudo bug lets Linux users gain root-level access (ZDNet)
• Privilege escalation via command line argument parsing – sudo (RedHat Customer Portal)
• CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Qualys)

Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.