Rules for sudo CVE-2021-3156

[fntlnz]

Motivation

Yesterday CVE-2021-3156 was disclosed against sudo . I believe that the Falco community should provide a rule against this threat.

Feature

Create a specific rule to catch usage of sudoedit from a non-root user.
I know that you usually use those from a non-root user but I also notice that their usage is usually very limited in a system and specifically since this vulnerability exists we should probably always alert when that is done.

The rule here could look something like this:

# Mitigation for CVE-2021-3156
- rule: Sudo Edit as non Root User
  desc: detect usage of the sudoedit -s or sudoedit -i command from a non root user
  condition: spawned_process and user.uid!=0 and proc.name=sudoedit and (proc.args contains "-s" or proc.args contains "-i")
  output: Process launched from non-root user is trying to use the sudo edit command (uid=%user.uid user=%user.name user_loginuid=%user.loginuid)
  priority: ERROR

Alternatives

Don't do anything.

Additional context

RedHat did something similar with stap by proposing that as a mitigation.

• https://access.redhat.com/security/cve/cve-2021-3156

[fntlnz]

Wdyt @Kaizhe ?

[leodido]

Great and timely idea, Lore!

Just one thought: would it make sense to restrict this rule by also checking the arguments? IMHO, it could.

I mean, to my understanding, the CVE exists in case a command-line argument to sudoedit (in MODE_SHELL or MODE_CHECK, but not MODE_RUN) ends with a single backslash.

sudoedit -s '\' `perl -e 'print "A" x 65536'` 

[Kaizhe]

@fntlnz thanks starting it. And sorry to replying late in the thread. We will make a PR.