Update falco_rules.yaml (CVE-2021-3156) #1543

darryk10 · 2021-01-28T20:08:07Z

Added Rule Sudo Potential Privilege Escalation (CVE-2021-3156)
Open Issue #1540
Signed-off-by: darryk5 stefano.chierici@sysdig.com

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #1540

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156

poiana · 2021-01-28T20:08:16Z

Welcome @darryk5! It looks like this is your first PR to falcosecurity/falco 🎉

rules/falco_rules.yaml

Kaizhe · 2021-01-28T20:19:28Z

#1540

darryk10

Moved %container.info at the end as suggested by @Kaizhe

Kaizhe · 2021-01-28T22:24:42Z

@darryk5 please sign your commits and update release notes with the following fomrat:

rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list

Kaizhe

lgtm, thanks! Please address my other comments in the thread

leodido

Needs some refinements IMHO, but thanks for submitting it

leodido · 2021-01-29T09:18:54Z

CHANGELOG.md

@@ -43,6 +43,7 @@ Released on 2021-01-18

 ### Rule Changes

+* rule(Sudo Potential Privilege Escalation (CVE-2021-3156)): new rule created to detect CVE-2021-3156[[#1543](https://github.com/falcosecurity/falco/pull/1543)] - [@darryk5](https://github.com/darryk5)


Changelog must not be changed manually.

It gets automatically compiled from the release-notes block in the PR template.

leodido · 2021-01-29T09:21:51Z

rules/falco_rules.yaml

@@ -3114,7 +3114,17 @@
  output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: INFO
  tags: [container, process]
+
+- rule: Sudo Potential Privilege Escalation (CVE-2021-3156)


Suggested change

- rule: Sudo Potential Privilege Escalation (CVE-2021-3156)

// This rule helps detect CVE-2021-3156:

// A privilege escalation to root through heap-based buffer overflow

- rule: Sudo Potential Privilege Escalation

Would you please accept my suggestion here?

leodido · 2021-01-29T09:23:53Z

rules/falco_rules.yaml

@@ -3114,7 +3114,17 @@
  output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: INFO
  tags: [container, process]
+
+- rule: Sudo Potential Privilege Escalation (CVE-2021-3156)
+  desc: Privilege escalation vulnerability affected sudo. Executing sudo using sudoedit -s or sudoedit -t command from an unprivileged user it's possible to elevate the user privileges to root.


Not totally correct.

To happen

Suggested change

desc: Privilege escalation vulnerability affected sudo. Executing sudo using sudoedit -s or sudoedit -t command from an unprivileged user it's possible to elevate the user privileges to root.

desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.

Would you also accept my suggestion here

leodido · 2021-01-29T09:24:16Z

rules/falco_rules.yaml

+
+- rule: Sudo Potential Privilege Escalation (CVE-2021-3156)
+  desc: Privilege escalation vulnerability affected sudo. Executing sudo using sudoedit -s or sudoedit -t command from an unprivileged user it's possible to elevate the user privileges to root.
+  condition: spawned_process and user.uid!= 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)


Is the space in "\ " wanted here?

Since filter proc.args, it concatenate all the arguments together as a single string and separated by space character with "\ ", we cover the arguments ending with \ in the middle.

leogr

Overall the rule is ok. However, I found some issues (see comments).

Moreover, since this rule derives from @fntlnz's work (posted in #1540), I believe the commit should include the right attribution (i.e. Co-Authored-By). Also, squashing the two comments into one would be better, IMHO.

Thanks.

leogr · 2021-01-29T09:26:57Z

CHANGELOG.md

@@ -43,6 +43,7 @@ Released on 2021-01-18

 ### Rule Changes

+* rule(Sudo Potential Privilege Escalation (CVE-2021-3156)): new rule created to detect CVE-2021-3156[[#1543](https://github.com/falcosecurity/falco/pull/1543)] - [@darryk5](https://github.com/darryk5)


Suggested change

* rule(Sudo Potential Privilege Escalation (CVE-2021-3156)): new rule created to detect CVE-2021-3156[[#1543](https://github.com/falcosecurity/falco/pull/1543)] - [@darryk5](https://github.com/darryk5)

This patch will be not included in 0.27.0. Most important, do not modify the CHANGELOG.md manually, please.
The changelog will be updated in the release process as described here

leogr · 2021-01-29T09:28:24Z

rules/falco_rules.yaml

+- rule: Sudo Potential Privilege Escalation (CVE-2021-3156)
+  desc: Privilege escalation vulnerability affected sudo. Executing sudo using sudoedit -s or sudoedit -t command from an unprivileged user it's possible to elevate the user privileges to root.
+  condition: spawned_process and user.uid!= 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
+  output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156)  (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"


Suggested change

output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"

output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"

Unnecessary space here.

leogr · 2021-01-29T09:30:31Z

rules/falco_rules.yaml

+
+
+


Suggested change

Unnecessary newlines.

See #1540 Signed-off-by: darryk5 <stefano.chierici@sysdig.com> Co-authored-by: Lorenzo Fontana <lo@linux.com>

…lation Signed-off-by: darryk5 <stefano.chierici@sysdig.com> Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>

deepskyblue86 · 2021-02-11T11:41:21Z

I agree with @leogr, would you please squash the commits into a single one?

leogr · 2021-02-17T07:34:01Z

/milestone 0.28.0

poiana · 2021-02-17T07:41:32Z

LGTM label has been added.

Git tree hash: 8b85842ff2e1ac9f68e864c059d9573a0628dbce

leogr · 2021-02-17T16:57:08Z

/cc @Kaizhe
PTAL

poiana · 2021-02-17T20:36:26Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Kaizhe, leodido, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~rules/OWNERS~~ [Kaizhe,leodido,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

poiana added dco-signoff: no do-not-merge/release-note-label-needed labels Jan 28, 2021

poiana requested review from fntlnz and leodido January 28, 2021 20:08

poiana added the size/S label Jan 28, 2021

Kaizhe suggested changes Jan 28, 2021

View reviewed changes

rules/falco_rules.yaml Outdated Show resolved Hide resolved

poiana assigned Kaizhe Jan 28, 2021

darryk10 commented Jan 28, 2021

View reviewed changes

darryk10 requested a review from Kaizhe January 28, 2021 20:26

Kaizhe reviewed Jan 28, 2021

View reviewed changes

poiana added dco-signoff: yes and removed dco-signoff: no labels Jan 28, 2021

darryk10 requested a review from Kaizhe January 28, 2021 23:26

leodido suggested changes Jan 29, 2021

View reviewed changes

poiana assigned leodido Jan 29, 2021

leogr requested changes Jan 29, 2021

View reviewed changes

poiana assigned leogr Jan 29, 2021

poiana added release-note dco-signoff: no do-not-merge/contains-merge-commits dco-signoff: yes and removed do-not-merge/release-note-label-needed dco-signoff: yes do-not-merge/contains-merge-commits dco-signoff: no labels Jan 29, 2021

darryk10 and others added 2 commits January 29, 2021 11:44

Added Rule Sudo Potential Privilege Escalation (CVE-2021-3156)

0117412

See #1540 Signed-off-by: darryk5 <stefano.chierici@sysdig.com> Co-authored-by: Lorenzo Fontana <lo@linux.com>

update: add review suggestions for Rule Sudo Potential Privilege Esca…

0448502

…lation Signed-off-by: darryk5 <stefano.chierici@sysdig.com> Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>

darryk10 requested review from leogr and leodido January 29, 2021 12:59

poiana added this to the 0.28.0 milestone Feb 17, 2021

leogr approved these changes Feb 17, 2021

View reviewed changes

poiana added the lgtm label Feb 17, 2021

poiana added the approved label Feb 17, 2021

leogr changed the title ~~Update falco_rules.yaml~~ Update falco_rules.yaml (CVE-2021-3156) Feb 17, 2021

leodido approved these changes Feb 17, 2021

View reviewed changes

leodido requested review from Kaizhe and removed request for Kaizhe February 17, 2021 16:54

Kaizhe approved these changes Feb 17, 2021

View reviewed changes

poiana merged commit 0879523 into falcosecurity:master Feb 17, 2021

darryk10 deleted the patch-1 branch October 28, 2021 16:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update falco_rules.yaml (CVE-2021-3156) #1543

Update falco_rules.yaml (CVE-2021-3156) #1543

darryk10 commented Jan 28, 2021 •

edited by leogr

Loading

poiana commented Jan 28, 2021

Kaizhe commented Jan 28, 2021

darryk10 left a comment

Kaizhe commented Jan 28, 2021

Kaizhe left a comment

leodido left a comment

leodido Jan 29, 2021

leodido Jan 29, 2021

leodido Jan 29, 2021

leodido Jan 29, 2021

darryk10 Jan 29, 2021

leogr left a comment

leogr Jan 29, 2021

leogr Jan 29, 2021

leogr Jan 29, 2021

leogr Jan 29, 2021

leogr Jan 29, 2021

deepskyblue86 commented Feb 11, 2021

leogr commented Feb 17, 2021

poiana commented Feb 17, 2021

leogr commented Feb 17, 2021

poiana commented Feb 17, 2021

		@@ -43,6 +43,7 @@ Released on 2021-01-18

		### Rule Changes

		* rule(Sudo Potential Privilege Escalation (CVE-2021-3156)): new rule created to detect CVE-2021-3156[[#1543](https://github.com/falcosecurity/falco/pull/1543)] - [@darryk5](https://github.com/darryk5)

	desc: Privilege escalation vulnerability affected sudo. Executing sudo using sudoedit -s or sudoedit -t command from an unprivileged user it's possible to elevate the user privileges to root.
	desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.

	output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
	output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"

Update falco_rules.yaml (CVE-2021-3156) #1543

Update falco_rules.yaml (CVE-2021-3156) #1543

Conversation

darryk10 commented Jan 28, 2021 • edited by leogr Loading

poiana commented Jan 28, 2021

Kaizhe commented Jan 28, 2021

darryk10 left a comment

Choose a reason for hiding this comment

Kaizhe commented Jan 28, 2021

Kaizhe left a comment

Choose a reason for hiding this comment

leodido left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

leogr left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

deepskyblue86 commented Feb 11, 2021

leogr commented Feb 17, 2021

poiana commented Feb 17, 2021

leogr commented Feb 17, 2021

poiana commented Feb 17, 2021

darryk10 commented Jan 28, 2021 •

edited by leogr

Loading