Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Enterprise EDR: Can Enterprise EDR detect CVE-2021-3156 being exploited

Enterprise EDR: Can Enterprise EDR detect CVE-2021-3156 being exploited

Environment

  • Enterprise EDR (was CB ThreatHunter)

Question

Can Enterprise EDR detect exploit of CVE-2021-3156? 

Answer

Yes, use the following search which can also be added as a watchlist: 
 
cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")

Additional Notes

CVE-2021-3156 identifies an exploit in the sudo library provided by the underlying OS that allows privilege escalation to root via a heap-based buffer overflow.  Any linux server running a version of sudo prior to 1.9.5p2 is vulnerable.

Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎02-04-2021
Views:
430
Contributors