Updated: February 12, 2021
Is Centrify Service Suite agent (DirectControl) for UNIX and Linux affected by sudo vulnerability in CVE-2021-3156?
Yes. Centrify's the 2020.0 / 5.7.1 release is based on sudo 1.8.20p2 which is affected by the vulnerability. Previous versions of Centrify are also affected as they contain earlier versions of sudo that are also vulnerable. The National Institute of Standards and Technology (NIST) has given this vulnerability a base score of 7.8 high.Resolution:
On February 12, 2021, Centrify released a component update (Feb 2021 Component Update) for 2020.1 / 5.7.1 that contains a dzdo that has been patched with the fix from Sudo 1.9.5p2. This component update can be found on the Centrify Download Center and the Centrify Repository. The sudo fix / update will also be included in future GA release versions. Note, for the S390 platform, Centrify will provide a one-off with the fix in the latest S390 release, which is 2020 / 5.7.0. To get this one-off, please contact Centrify Technical Support.
Optional for older versions:
For customers who choose not to or are unable to upgrade to the latest 2020.1 / 5.7.1 component build at the current time, the affected dzedit and dzdo binaries can be swapped out with the updated ones. The 5.7.1 binaries can be swapped out on versions 5.6.0 up to 5.7.0.
Steps on how to replace the dzdo and dzedit binaries for 5.6.0 up to version 5.7.0.
1. From a system where the CentrifyDC agent was upgraded to the Centrify Component update (CentrifyDC-5.7.1-353), go to the following directory:
2. Copy the dzdo and dzedit binaries
3. On systems where the CentrifyDC agents are versions 5.6.0 to 5.7.0, those dzdo and dzedit binaries from the upgraded system can be copied into that same directory path to replace the existing unpatched versions. If prompted to replace/overwrite the existing files, please choose yes.
After copying in the new dzdo and dzedit binaries, to verify the new dzdo is in place, the following command can be run:
[root@filesvr10 ~]# dzdo -V | grep -i "dzdo version"
Dzdo version 5.7.1-353(based on Sudo version 1.8.20p2)
Note: The dzdo version with be 5.7.1-353, but the Sudo version will still show 1.8.20p2. The fix from Sudo 1.9.5p2 has been patched into the Sudo 1.8.20p2 version for CentrifyDC 2020.1 component update. The Sudo package that dzdo is based off of will be updated to 1.9.5p2 in the Centrify Infrastructure Services 2021 release.
4. To test if the remediation is in affect please run:
dzedit -s '\' `perl -e 'print "A" x 65536'`
A successful output will be:
[root@proxy ~]$ dzedit -s '\' `perl -e 'print "A" x 65536'`
usage: dzedit [-AknS] [-r role] [-t type] [-C num] [-g groupname|#gid] [-p prompt] [-T timeout] [-u username|#uid] file
An unsuccessful output will be:
[root@proxy ~]# dzedit -s '\' `perl -e 'print "A" x 65536'`
*** Error in `/usr/share/centrifydc/libexec/dzedit': realloc(): invalid next siz e: 0x0000000001094a90 ***
======= Backtrace: =========
CVE-2021-3156 provides the following description: "Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character."
For further reference:
(External link provided as a courtesy)