From 0879523776c08f5dc37d798f476b2da1a63fbd8a Mon Sep 17 00:00:00 2001
From: darryk5
Date: Fri, 29 Jan 2021 11:50:01 +0000
Subject: [PATCH] update: add review suggestions for Rule Sudo Potential Privilege Escalation

Signed-off-by: darryk5
Co-authored-by: Leonardo Di Donato
Co-authored-by: Leonardo Grasso
---
 rules/falco_rules.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 78d84770..709b7836 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3115,10 +3115,12 @@
   priority: INFO
   tags: [container, process]
 
-- rule: Sudo Potential Privilege Escalation (CVE-2021-3156)
-  desc: Privilege escalation vulnerability affected sudo. Executing sudo using sudoedit -s or sudoedit -t command from an unprivileged user it's possible to elevate the user privileges to root.
+#This rule helps detect CVE-2021-3156:
+#A privilege escalation to root through heap-based buffer overflow
+- rule: Sudo Potential Privilege Escalation
+  desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.
   condition: spawned_process and user.uid!= 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
-  output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
+  output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
   priority: CRITICAL
   tags: [filesystem, mitre_privilege_escalation]
 
@@ -3126,5 +3128,3 @@
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
 
-
-
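Review bot: The version range in the new `desc` line is off by one release: CVE-2021-3156 was fixed in sudo 1.9.5p2, so "(<= 1.9.5p2)" claims the patched version is vulnerable; the affected range is 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, so write `affecting sudo (< 1.9.5p2; fixed in 1.9.5p2)` or simply `(sudo 1.8.2 through 1.9.5p1)`. The two added comment lines omit the space after `#`, unlike every other comment in this file (see the `# there if you want…` context in the second hunk), so `# This rule helps detect CVE-2021-3156:` and `# A privilege escalation to root through heap-based buffer overflow` keep yamllint's `comments` rule and the file's style. The `desc` sentence also still reads "from an unprivileged user it's possible to elevate"; `allows an unprivileged user to elevate their privileges to root` is clearer. Note as well that `proc.args contains -s` / `contains -i` are substring tests, so an edited file path containing `-s` or `-i` also satisfies that clause; the trailing-backslash test bounds the false positives, but a one-line comment stating that the option match is intentionally loose would help the next maintainer. The `output` line appears byte-identical on both sides and is presumably a whitespace-only change.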