Sudo bug doesn't affect Platform.sh users

27 Jan 2021

Yesterday security firm Qualys announced a vulnerability known as CVE-2021-3156, or by the slightly catchier nickname “Baron Samedit.” The exploit can allow escalation of privileges on Linux and Unix systems (basically most of The Internet), which would give an unauthorized user access to the sudo command. The sudo command allows a user to assume permissions of another user, most commonly the root user on the system, who has near complete control over data and software running on the computer. That’s bad.

TL;DR: Platform.sh customers are protected from the CVE-2021-3156 ‘Baron Samedit’ exploit

Platform.sh is built on the core principle of separation of concerns and on the idea that once built, software shouldn’t be able to make edits to itself. This seems pretty logical, but it’s not usually the way software for the Web is built. Our Chief Product Officer, Ori Pekelman, explained this critical difference between the way Platform.sh and the way traditional web sites and apps build in containers.

Platform.sh doesn’t even include the sudo or sudoedit processes in containers we deploy. No, really, look:

So in the case of ‘Baron Samedit’, if the command isn’t available, it can’t be exploited by an attacker.

Separation of concerns at Platform.sh

The key concerns we’re separating in this case are the building of software and the running of that software. Platform.sh isn’t like traditional web hosting platforms in many ways. In particular, when your applications are on Platform.sh, the processes that compile or prepare software (for example, to bundle in dependencies) are entirely disconnected from the processes that run your applications. Since you don’t need sudo to run your application, we don’t even install it in the runtime containers.

If your software does need to write to the filesystem, that can happen during the build phase before it’s available to the Internet and where it’s built repeatably and consistently from Git. But never during the run phase.

Don’t allow your software to write to itself

Some of the most common vulnerabilities in web software come from allowing users to upload code to an application or allowing applications to modify files that the computer can execute.

That’s why Platform.sh deploys the containers that actually run your software with read-only filesystems. So even if an attacker managed to upload code to your app, the app itself could not be changed.

So in the case of “Baron Samedit,” you’re doubly protected. Even if we did have the sudo command installed, an attacker would also need to write to the /etc/passwd file, which, of course, is not writable at all on Platform.sh.

Further reading, and how to ask questions

If you want to go deeper into how Platform.sh works to protect your website or application security by design, check out these posts from our team:

And of course we’re always available to answer customer’s questions via our Customer Care team, or our public Slack channel.