forked from sar2901/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathbaron_samedit_cve_2021_3156.yml
28 lines (28 loc) · 1.39 KB
/
baron_samedit_cve_2021_3156.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
name: Baron Samedit CVE-2021-3156
id: 817b0dfc-23ba-4bcc-96cc-2cb77e428fbe
version: 1
date: '2021-01-27'
author: Shannon Davis, Splunk
description: Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys
Research Team, this vulnerability has been found to affect sudo across multiple
Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and
prior). As this vulnerability was committed to code in July 2011, there will be
many distributions affected. Successful exploitation of this vulnerability allows
any unprivileged user to gain root privileges on the vulnerable host.
narrative: A non-privledged user is able to execute the sudoedit command to trigger
a buffer overflow. After the successful buffer overflow, they are then able to gain
root privileges on the affected host. The conditions needed to be run are a trailing
"\" along with shell and edit flags. Monitoring the /var/log directory on Linux
hosts using the Splunk Universal Forwarder will allow you to pick up this behavior
when using the provided detection.
references:
- https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
tags:
analytic_story: Baron Samedit CVE-2021-3156
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection