Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rules for sudo CVE-2021-3156 #1540

Closed
fntlnz opened this issue Jan 27, 2021 · 3 comments · Fixed by #1543
Closed

Rules for sudo CVE-2021-3156 #1540

fntlnz opened this issue Jan 27, 2021 · 3 comments · Fixed by #1543
Labels
kind/feature

Comments

@fntlnz
Copy link
Contributor

fntlnz commented Jan 27, 2021
edited
Loading

Motivation

Yesterday CVE-2021-3156 was disclosed against sudo . I believe that the Falco community should provide a rule against this threat.

Feature

Create a specific rule to catch usage of sudoedit from a non-root user.
I know that you usually use those from a non-root user but I also notice that their usage is usually very limited in a system and specifically since this vulnerability exists we should probably always alert when that is done.

The rule here could look something like this:

# Mitigation for CVE-2021-3156
- rule: Sudo Edit as non Root User
  desc: detect usage of the sudoedit -s or sudoedit -i command from a non root user
  condition: spawned_process and user.uid!=0 and proc.name=sudoedit and (proc.args contains "-s" or proc.args contains "-i")
  output: Process launched from non-root user is trying to use the sudo edit command (uid=%user.uid user=%user.name user_loginuid=%user.loginuid)
  priority: ERROR

Alternatives

Don't do anything.

Additional context

RedHat did something similar with stap by proposing that as a mitigation.
@fntlnz
Copy link
Contributor Author

fntlnz commented Jan 27, 2021

Wdyt @Kaizhe ?

@leodido
Copy link
Member

leodido commented Jan 27, 2021
edited
Loading

Great and timely idea, Lore!

Just one thought: would it make sense to restrict this rule by also checking the arguments? IMHO, it could.

I mean, to my understanding, the CVE exists in case a command-line argument to sudoedit (in MODE_SHELL or MODE_CHECK, but not MODE_RUN) ends with a single backslash.

sudoedit -s '\' `perl -e 'print "A" x 65536'`

@Kaizhe
Copy link
Contributor

Kaizhe commented Jan 28, 2021
edited
Loading

@fntlnz thanks starting it. And sorry to replying late in the thread. We will make a PR.

@darryk10 darryk10 mentioned this issue Jan 28, 2021
Merged
poiana pushed a commit that referenced this issue Feb 17, 2021
@darryk10 @fntlnz @poiana
Added Rule Sudo Potential Privilege Escalation (CVE-2021-3156)
81e880b 
See #1540

Signed-off-by: darryk5 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update falco_rules.yaml (CVE-2021-3156)
3 participants
@leodido @Kaizhe @fntlnz