Analytics Story: Baron Samedit CVE-2021-3156

Description

Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

Why it matters

A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing "" along with shell and edit flags. Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Baron Samedit CVE-2021-3156 Exploitation for Privilege Escalation TTP
Detect Baron Samedit CVE-2021-3156 Segfault Exploitation for Privilege Escalation TTP
Detect Baron Samedit CVE-2021-3156 via OSQuery Exploitation for Privilege Escalation TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼

References


Source: GitHub | Version: 1