Sudo Heap-Based Buffer Overflow Attempt
Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/02/03"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/01/05"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems
13(CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.
14"""
15false_positives = [
16 """
17 This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom
18 scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are
19 affected; if those versions are not present on the endpoint, this could be a false positive.
20 """,
21]
22from = "now-9m"
23index = ["auditbeat-*", "logs-endpoint.events.*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "Sudo Heap-Based Buffer Overflow Attempt"
27references = [
28 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156",
29 "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit",
30 "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw",
31 "https://www.sudo.ws/alerts/unescape_overflow.html",
32]
33risk_score = 73
34rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8"
35severity = "high"
36tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
37type = "threshold"
38timestamp_override = "event.ingested"
39
40query = '''
41event.category:process and event.type:start and
42 process.name:(sudo or sudoedit) and
43 process.args:(*\\ and ("-i" or "-s"))
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1068"
51name = "Exploitation for Privilege Escalation"
52reference = "https://attack.mitre.org/techniques/T1068/"
53
54
55[rule.threat.tactic]
56id = "TA0004"
57name = "Privilege Escalation"
58reference = "https://attack.mitre.org/tactics/TA0004/"
59
60[rule.threshold]
61field = ["host.hostname"]
62value = 100
References
-
The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
Read More -
Update Feb 3, 2021: It has been reported that macOS, AIX, and Solaris are also vulnerable to CVE-2021-3156, and that others may also still be vulnerable. Qualys has not independently verified the…
Read More -
Recently discovered Linux SUDO privilege escalation vulnerability, CVE-2021-3156 (aka Baron Samedit) also impacts the latest Apple macOS Big Sur with no patch available yet.
Read More -
A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug. Sudo versions affected: Sudo versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.
Read More
Related rules
- Sudoers File Modification
- Potential JAVA/JNDI Exploitation Attempt
- Potential Privilege Escalation via Sudoers File Modification
- Setuid / Setgid Bit Set via chmod
- Bash Shell Profile Modification