From 6b9fafb75f4a7f3641f64770deb3fb6bca73d85d Mon Sep 17 00:00:00 2001
From: Shay Berkovich
Date: Wed, 13 Oct 2021 11:28:55 +0300
Subject: [PATCH] rule update(Sudo Potential Privilege Escalation): trigger the most common CVE-2021-3156 exploit

Signed-off-by: Shay Berkovich
Co-authored-by: Meera Balsara
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index e8a74fda..5c18d836 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3039,7 +3039,7 @@
 # A privilege escalation to root through heap-based buffer overflow
 - rule: Sudo Potential Privilege Escalation
   desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.
-  condition: spawned_process and user.uid != 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
+  condition: spawned_process and user.uid != 0 and (proc.name=sudoedit or proc.name = sudo) and (proc.args contains -s or proc.args contains -i or proc.args contains --login) and (proc.args contains "\ " or proc.args endswith \)
   output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
   priority: CRITICAL
   tags: [filesystem, mitre_privilege_escalation]
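Review bot: The `desc` context line directly above the changed `condition` still describes only `sudoedit -s` / `sudoedit -i`, but the new condition also matches `proc.name = sudo` and `--login`, so the rule's own documentation no longer states what it detects; I would update it to `desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo or sudoedit with -s, -i or --login and a command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.` The added clause is written `proc.name = sudo` while its sibling is `proc.name=sudoedit`; keep one spacing in the same expression, e.g. `(proc.name=sudoedit or proc.name=sudo)`. Also worth a comment on the rule: `proc.args contains -s` and `contains -i` are substring matches, so with the plain `sudo` binary now in scope any sudo invocation whose wrapped command happens to carry `-s` or `-i` passes the middle clause and the trailing-backslash clause (`contains "\ "` / `endswith \`) is the only thing separating the CVE-2021-3156 pattern from ordinary sudo use; a note such as `# The backslash clause is the actual CVE-2021-3156 indicator; -s/-i/--login only narrow the candidate set` would keep later tuning from loosening it.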