Security Advisory – Apple and Linux/Unix

February 1st, 2021 Update: All Apple MacOS products are also at risk for the sudo privilege escalation vulnerability details in CVE-2021-3156. Patch these operating systems as soon as you have the chance. 

– CyberHoot would like to thank Roy for providing this info to us. Thanks Roy!
January 27th, 2021: Today CyberHoot received notification of two (2) critical risks to our cybersecurity lives. The first was from Apple and the second related to most versions of Unix and Linux. Both advisories requested people to update or patch their system or risk their phone or computer being totally compromised. CyberHoot decided to share this advisory with our administrators for awareness purposes.

Apple iOS Critical Risk

On Jan 27th Apple released a critical update to its iOS and iPadOS devices, version 14.4. This update is critical, as it includes a patch that covers three vulnerabilities numbered CVE-2021-1870, -1871, and -1872. 

Here is the notice from Apple:
Available for: iPhone 6s and later, iPad Air 2 and later, 
               iPad mini 4 and later, and iPod touch (7th generation)

Impact:        A malicious application may be able to elevate privileges.
               Apple is aware of a report that this issue 
               may have been actively exploited.
Description:   A race condition was addressed with improved locking.
CVE-2021-1782: an anonymous researcher

Available for: iPhone 6s and later, iPad Air 2 and later, 
               iPad mini 4 and later, and iPod touch (7th generation)

Impact:        A remote attacker may be able to cause arbitrary code execution. 
               Apple is aware of a report that this issue 
               may have been actively exploited.
Description:   A logic issue was addressed with improved restrictions.
CVE-2021-1871: an anonymous researcher
CVE-2021-1870: an anonymous researcher

What Does Apple Vulnerability Mean for SMBs and MSPs?

It means you should update your Apple devices as soon as possible to avoid the risk of “arbitrary code execution” which translates to hackers can easily break into your device and steal your data.

In the advisory sent out by Apple, they said, “this issue may have been actively exploited“, which you can translate as “this is a zero-day bug that hackers already know how to exploit“.

Zero-days, are working attacks that the hackers have found first, so even the best-informed IT professionals in the world have had zero days during which they could have patched ahead of the crooks attacking. In other words, patch right now. 

The vulnerabilities patched such as the ones listed above often appear in the wild in pairs because they’re more dangerous when combined. A kernel elevation of privilege bug (EoP) is dangerous because it could give an attacker access to absolutely everything on your device, not just to the data that belongs to an individual app.

What Should I Do?

Even if you’ve enabled automatic updates, check whether you have received the update yet. If you check and you already have 14.4, you are safe for now; if you don’t have 14.4 then your phone will offer to get it for you right away – do it! 

The area to go to is Settings > General > Software Update.

Sudo Utility for Linux OS

Sudo is a critical command in the UNIX world.  It literally means “SuperUser Do” this.  SUDO. This utility appears in all Unix and Linux-based operating systems and was patched this week to address a critical buffer overflow vulnerability that gives unauthenticated local users root access to the host system (Root Access is like domain admin access to a Windows server). The Qualys security researchers who discovered the bug (CVE-2021-3156) said it was introduced nearly 10 years ago in July 2011 and impacts all versions of sudo from 1.8.2 to 1.8.31p2 and 1.9.0 through 1.9.5p1.

Independent researchers have been able to verify the vulnerability and exploit it in multiple ways to gain root access to various Linux operating systems including Debian, Ubuntu, Fedora, and others according to Qualys. Other operating systems and distributions are likely vulnerable.

What Should I Do?

Patch your systems asap. There are no mitigating controls that can prevent this root exploit from working except to patch your system with your vendor-supplied patch.  Since this was reported by a professional security researcher, its very likely that all OS vendors were notified months ago and quietly prepared a patch to be included a least a month ago in regular patch cycles.  This would be following on responsible vulnerability disclosure which is certainly something Qualys researchers would do.  That’s a solid security company!

CyberHoot recommends that all organizations using Unix and Linux distributions immediately implement your vendor-supplied patch or upgrade to sudo 1.9.5p2 – the latest version of the utility, released this week.

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.