EDR: Can EDR detect CVE-2021-3156 being exploited

Environment

  • EDR: All Supported Versions

Question

Can EDR detect exploitation of CVE-2021-3156?

Answer

Yes. Use the following search, which can also be added as a watchlist:
cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")
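As an added illustration that is not part of the original article, the watchlist logic above expressed as a structural check in Python over constructed sample process events: argv[0] must be sudoedit and -s or -i must be an actual option token, so substring noise such as `grep -s ... sudoedit.log` is not flagged, and clustered short options like `-si` are also treated as matches (a generalization the article's search does not spell out). The event format and the list of argument-taking sudo options are assumptions made for the example.

```python
import shlex

# Constructed sample process events (hypothetical EDR export format, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4101, "user": "alice", "cmdline": "sudoedit -s /etc/hosts"},
    {"pid": 4102, "user": "bob",   "cmdline": "/usr/bin/sudoedit -i /etc/motd"},
    {"pid": 4103, "user": "carol", "cmdline": "sudoedit /etc/hosts"},          # no -s/-i
    {"pid": 4104, "user": "dave",  "cmdline": "sudo -s"},                      # not sudoedit
    {"pid": 4105, "user": "erin",  "cmdline": "sudoedit -si /etc/motd"},       # clustered flags
    {"pid": 4106, "user": "frank", "cmdline": "grep -s pattern sudoedit.log"}, # substring noise
    {"pid": 4107, "user": "gina",  "cmdline": "sudoedit -uadmin /etc/hosts"},  # 'i' belongs to -u's argument
]

SUSPICIOUS_FLAGS = {"s", "i"}
# sudo short options that consume an argument (assumption from sudo's option syntax):
# letters after one of these in a cluster are its argument, not further flags.
ARG_OPTS = set("CDghpRrtUu")

def flag_letters(tok):
    """Option letters in a short-option cluster such as '-si', stopping at an argument-taking option."""
    letters = []
    for ch in tok[1:]:
        letters.append(ch)
        if ch in ARG_OPTS:
            break
    return letters

def is_sudoedit_shell_mode(cmdline):
    """True when argv[0] is sudoedit and an option token carries -s or -i.

    Structural equivalent of the article's watchlist search; a plain substring
    match would also hit 'grep -s ... sudoedit.log', which this does not."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "sudoedit":
        return False
    for tok in argv[1:]:
        if tok == "--":  # end of options
            break
        if tok.startswith("-") and not tok.startswith("--"):
            if SUSPICIOUS_FLAGS & set(flag_letters(tok)):
                return True
    return False

def find_suspicious(events):
    """PIDs whose command line should raise a watchlist hit."""
    return [e["pid"] for e in events if is_sudoedit_shell_mode(e["cmdline"])]
```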


Additional Notes

CVE-2021-3156 identifies a vulnerability in sudo, as shipped by the underlying OS, that allows privilege escalation to root via a heap-based buffer overflow. Any Linux server running a version of sudo prior to 1.9.5p2 is vulnerable.

Article Information
Creation Date: 01-28-2021