Enterprise EDR: Can Enterprise EDR detect CVE-2021-3156 being exploited

Environment

  • Enterprise EDR (was CB ThreatHunter)

Question

Can Enterprise EDR detect exploitation of CVE-2021-3156?

Answer

Yes. Use the following search, which can also be added as a watchlist:

cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")
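As an added illustration (not part of this KB article or Carbon Black's own code), the same predicate re-implemented in Python and run over constructed process events, so the match / no-match boundary of the watchlist is explicit. It assumes the EDR search treats the command line as whitespace-separated tokens, and it goes one step beyond the literal query by also expanding combined short flags such as -si.

```python
"""Local re-implementation of the KB watchlist predicate
   cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")
Assumption: the command line is tokenised like a shell argv; the
product's real search tokenizer is not reproduced here."""
import os
import shlex
from typing import Dict, Iterable, List

SHELL_FLAGS = {"-s", "-i"}  # the two flags the KB query keys on


def cmdline_matches(cmdline: str) -> bool:
    """True when argv[0] is sudoedit and -s or -i appears as an option."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: not parseable, no match
        return False
    if not argv or os.path.basename(argv[0]) != "sudoedit":
        return False
    for arg in argv[1:]:
        if arg == "--":            # end of options; the rest are filenames
            break
        if not arg.startswith("-") or arg.startswith("--"):
            continue               # filename or long option such as --help
        # getopt-style parsers expand "-si" to "-s -i", so check each letter;
        # this goes beyond the literal query, which tests whole tokens
        if any(f"-{c}" in SHELL_FLAGS for c in arg[1:]):
            return True
    return False


def scan_events(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the ids of process events whose cmdline hits the predicate."""
    return [e["id"] for e in events if cmdline_matches(e["cmdline"])]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": "p1", "cmdline": "sudoedit -s '\\' /etc/hosts"},       # hit
    {"id": "p2", "cmdline": "/usr/bin/sudoedit -i -- somefile"},  # hit (full path)
    {"id": "p3", "cmdline": "sudoedit /etc/hosts"},               # normal use
    {"id": "p4", "cmdline": "sudo -s"},                           # sudo, not sudoedit
    {"id": "p5", "cmdline": "sudoedit -- -s"},                    # -s is a filename here
    {"id": "p6", "cmdline": "sudoedit -si"},                      # combined flags
]

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))  # ['p1', 'p2', 'p6']
```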

Additional Notes

CVE-2021-3156 is a heap-based buffer overflow in the sudo utility provided by the underlying OS that allows privilege escalation to root. Any Linux server running a version of sudo prior to 1.9.5p2 is vulnerable.

Creation Date: 02-04-2021