From af9f206cce8cc04c9c2d56b48a4e97b36c148ec6 Mon Sep 17 00:00:00 2001
From: Richard Tweed
Date: Thu, 5 Oct 2023 12:57:14 +0100
Subject: [PATCH] Add detection for attempt to use CVE-2023-4911

Signed-off-by: Richard Tweed
---
 rules/falco-incubating_rules.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index 1a4804d3..2e43a029 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -1253,3 +1253,15 @@
 output: Adding ssh keys to authorized_keys (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags)
 priority: WARNING
 tags: [maturity_incubating, host, filesystem, mitre_persistence, T1098.004]
+
+# Detection for possible use of CVE-2023-4911
+# Based on https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
+- rule: Program possibly trying to use CVE-2023-4911
+ desc: >
+ Detect use of GLIBC_TUNABLES environment variable, which could be used for priviledge escalation to root on hosts running vulnerable glibc versions.
+ condition: >
+ spawned_process
+ and proc.env icontains GLIBC_TUNABLES
+ output: Process run with GLIBC_TUNABLES environment variable which could be attempting priviledge escalation (env=%proc.env evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
+ priority: NOTICE
+ tags: [maturity_incubating, host, users, mitre_privilege_escalation, CVE-2023-4911]
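Review bot: The condition `spawned_process and proc.env icontains GLIBC_TUNABLES` fires on the mere presence of the variable, so every descendant of a shell where it was exported, and any legitimate glibc tuning use, produces an alert burst; the rule matches the variable name as a substring of the whole environment block and never inspects the tunable value, so the desc should state that this is a presence indicator rather than a confirmed exploitation attempt and that expected tuning use will need an exception macro. The advisory the comment cites describes a local privilege escalation in the dynamic loader, which presumably only matters when the spawned binary is privileged, yet nothing in the condition distinguishes that case; documenting that limitation in the desc would help tuners decide whether to raise the priority from NOTICE. Both the desc and the output misspell "privilege" as "priviledge", and the output string reaches downstream consumers, so fix it in both, e.g. `Detect use of GLIBC_TUNABLES environment variable, which could be used for privilege escalation to root on hosts running vulnerable glibc versions.`.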