Rules for sudo CVE-2021-3156
fntlnz opened this issue · 3 comments
Motivation
Yesterday CVE-2021-3156 was disclosed against sudo. I believe that the Falco community should provide a rule against this threat.
Feature
Create a specific rule to catch usage of sudoedit from a non-root user.
I know that those are usually used from a non-root user, but I also notice that their usage is usually very limited on a system, and specifically since this vulnerability exists we should probably always alert when that is done.
The rule here could look something like this:
# Mitigation for CVE-2021-3156
- rule: Sudo Edit as non Root User
  desc: detect usage of the sudoedit -s or sudoedit -i command from a non root user
  condition: spawned_process and user.uid!=0 and proc.name=sudoedit and (proc.args contains "-s" or proc.args contains "-i")
  output: Process launched from non-root user is trying to use the sudo edit command (uid=%user.uid user=%user.name user_loginuid=%user.loginuid)
  priority: ERROR
Alternatives
Don't do anything.
Additional context
Red Hat did something similar with stap by proposing that as a mitigation.
Great and timely idea, Lore!
Just one thought: would it make sense to restrict this rule by also checking the arguments? IMHO, it could.
I mean, to my understanding, the CVE exists in case a command-line argument to sudoedit (in MODE_SHELL or MODE_CHECK, but not MODE_RUN) ends with a single backslash.
sudoedit -s '\' `perl -e 'print "A" x 65536'`
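As an added example (not code from this issue or from the Falco project), the following Python emulates how the rule proposed above and the commenter's argument refinement classify constructed process-spawn events; `SpawnEvent` and its field names are assumptions that mirror the Falco fields `user.uid`, `proc.name` and `proc.args`, and the "odd trailing run of backslashes" check generalises the comment's "single backslash" wording.

```python
"""Emulate the proposed Falco condition and its refinement over constructed events."""
from dataclasses import dataclass, field
from typing import List

@dataclass
class SpawnEvent:
    """Assumed stand-in for a Falco spawned_process event (uid, proc.name, proc.args)."""
    uid: int
    name: str
    args: List[str] = field(default_factory=list)  # proc.args: argv without argv[0]

def proposed_rule(ev: SpawnEvent) -> bool:
    """The rule as written in the issue. Falco's `contains` is a substring match
    over the whole proc.args string, so "-s" also matches inside a file name."""
    joined = " ".join(ev.args)
    return ev.uid != 0 and ev.name == "sudoedit" and ("-s" in joined or "-i" in joined)

def ends_with_unescaped_backslash(arg: str) -> bool:
    """True when the trailing run of backslashes has odd length, i.e. the final
    backslash is not itself escaped (the comment's 'ends with a single backslash')."""
    trailing = len(arg) - len(arg.rstrip("\\"))
    return trailing % 2 == 1

def refined_rule(ev: SpawnEvent) -> bool:
    """Commenter's refinement: require a mode flag AND a trailing-backslash argument.
    Flags are matched as whole tokens to avoid the substring false positive above."""
    mode_flag = any(a in ("-s", "-i") for a in ev.args)
    return (ev.uid != 0 and ev.name == "sudoedit" and mode_flag
            and any(ends_with_unescaped_backslash(a) for a in ev.args))

# Constructed sample events (not real telemetry).
EVENTS = [
    SpawnEvent(1000, "sudoedit", ["-s", "\\", "A" * 16]),        # shape of the comment's trigger
    SpawnEvent(1000, "sudoedit", ["-s", "/etc/hosts"]),          # ordinary -s use
    SpawnEvent(0, "sudoedit", ["-s", "\\"]),                     # root: excluded by user.uid!=0
    SpawnEvent(1000, "sudoedit", ["/etc/motd"]),                 # no mode flag at all
    SpawnEvent(1000, "sudoedit", ["/tmp/draft-summary.txt"]),    # "-s" only as a substring
    SpawnEvent(1000, "sudoedit", ["\\\\"]),                      # escaped pair, no flag
]

def evaluate(events: List[SpawnEvent] = EVENTS):
    """Return (proposed_rule, refined_rule) verdicts per event, in input order."""
    return [(proposed_rule(e), refined_rule(e)) for e in events]

if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, evaluate()):
        print(f"uid={ev.uid} args={ev.args!r} -> proposed={verdict[0]} refined={verdict[1]}")
```

Running it shows the trade-off the comment raises: the proposed rule fires on every non-root `sudoedit -s`/`-i` (including the substring false positive), while the refinement fires only on the backslash-terminated argument shape.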