Sudo Heap-Based Buffer Overflow Attemptedit

Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.

Rule type: threshold

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • macOS
  • Threat Detection
  • Privilege Escalation

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positivesedit

This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive.

Rule queryedit

event.category:process and event.type:start and process.name:(sudo
or sudoedit) and process.args:(*\\ and ("-i" or "-s"))

Threat mappingedit

Framework: MITRE ATT&CKTM