Analytics Story: Baron Samedit CVE-2021-3156

Date: 2021-01-27 ID: 817b0dfc-23ba-4bcc-96cc-2cb77e428fbe Author: Shannon Davis, Splunk Product: Splunk Enterprise Security

Description

Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

Why it matters

A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing "" along with shell and edit flags. Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Detect Baron Samedit CVE-2021-3156	Exploitation for Privilege Escalation	TTP
Detect Baron Samedit CVE-2021-3156 Segfault	Exploitation for Privilege Escalation	TTP
Detect Baron Samedit CVE-2021-3156 via OSQuery	Exploitation for Privilege Escalation	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼

References

https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

Source: GitHub | Version: 1