[Security Alert] Upgrade the "sudo" package on your Nectar VMs.
On Tuesday 26th Jan 2021, a serious security flaw in the Linux sudo command was publicly disclosed. This allows any user with a shell account on a Linux machine to use the sudo command to run commands. This bypasses all of sudo's normal access checks. Qualsys has a blog article that explains the flaw and its impact in more detail; see "CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)"
The security patches for sudo were released yesterday for all major Linux distributions. They should be available through the normal channels.
What should you do?
You should make sure that your Nectar instance has the latest security patches applied in the normal way. :
- If your instances are configured to apply security patches automatically, the patch may well have been applied already. Check the log files for your package manager.
- Otherwise, use your package manager command (e.g. "apt", "yum" or "dnf" depending on the Linux distro) to upgrade the "sudo" package.
If you do not already know how to apply patches, please consult the OS documentation for the details. You will need to use sudo or a root shell to upgrade packages.
Note: it is advisable to apply any other outstanding security patches as well.
Note: if you are running an old version of Linux that is beyond "end of life" and is no longer getting security patches, the above will not help you. Instead, you need to upgrade your operating system to a supported release as soon as possible.
Does this affect you?
If you only use your Linux instance's admin account, and you have not configured sudo to request your password, then this vulnerability doesn't actually affect you. However, it is advisable to apply the patch anyway.
- It is advisable to apply (at least) all security patches to your instances on a regular schedule. The mainstream Linux distros provide ways to configure the package manager to apply (security) updates automatically.
- It is highly inadvisable to run a Linux system with an OS that is beyond its end of life. If this is necessary for pragmatic reasons, you need to pay particular attention to other ways to protect the system; e.g. by blocking access from potentially untrusted IP addresses, and removing access for users who are not both trustworthy AND security conscious.