A heap overflow vulnerability in sudo was recently discovered (CVE-2021-3156, named: Baron Samedit). By exploiting this vulnerability, any unprivileged user can use the default sudo configuration to obtain root privileges (no password required) on the vulnerable host.
Interestingly, the sudo privilege escalation vulnerability remained undiscovered for nearly ten years. It was introduced in a submission in July 2011. If you are like many and have sudo installed on Linux or Unix machines in your environment, this vulnerability likely affects you.
While it requires an adversary to have access to the vulnerable machine to perform privilege escalation, detecting this exploit needs to focus equally on the pre-exploit and post-exploit kill chain (which will likely include activities across execution, privilege escalation, discovery, lateral movement, etc). As exemplified in the recent SolarWinds breach, a network can be compromised from unexpected threat vectors, and a defense-in-depth posture is critical in detecting and responding to the attack. Confluera XDR is purpose-built to detect, investigate and respond to such multi-stage attacks — in a holistic, automated and painless way.
Let’s briefly review the vulnerability. The bug in sudo code permits the attacker to avoid the escape characters and overflow the heap-based buffer through a command-line argument with a single backslash character. This buffer overflow vulnerability allows the attacker to control the size and content of the buffer with the corresponding command line argument. Therefore a malicious user can execute custom code on the host with root privileges.
The researchers discovered that the bug can be triggered when some of the following conditions are met:
2. Using the sudoedit command with the options below:
The vulnerability affects all the following sudo versions:
You can test if the sudo binary is vulnerable using the following command:
Depending on the response, you can determine if sudo is vulnerable:
Another way to test is to trigger the segmentation fault directly using command below. If you did not see the segmentation fault, it is likely your sudo is not vulnerable.
Whether your system is patched or not, visibility of the exploitation attempts and pre-/post-exploitation activities is fundamental. Let’s analyze how Confluera XDR’s workload detection and response solution can detect and prevent the attack in your environment.
Let’s look at an example breach and visualize this incident through the lens of the MITRE ATT&CK framework, the de-facto industry standard for the definition and classification of infrastructure wide cyberattacks.
Our victim environment has two linux machines (joebox and alicebox) with sudo CVE-2021-3156 vulnerability.
The attacker performed the following actions:
Confluera detects any exploitation attempt of CVE-2021-3156 and captures the sequence of activities into a threat storyboard view. In addition, Confluera also provides response actions for the user to terminate the offending processes.
Let’s review the threat progression step by step:
1. The attacker exploits the web server that leads to remote code execution and spawns a reverse shell to the C2 server (“Execution” technique).
Confluera detects this reverse shell activity and creates a new threat progression (storyboard) to track this potential attack pattern. The detection is based on the runtime process behaviors of the reverse shell instead of the traditional signature approach.
2. Exploited the CVE-2021-3156 vulnerability to elevate to root and created a root shell (“Privilege Escalation” technique). The attacker launched sudo with an argument that triggers the heap overflow and caused the sudo binary to load a malicious shared library. On library load, the sudo binary created a root privilege shell.
Confluera precisely detects a CVE-2021-3156 exploitation attempt and stitches the detection to the previously created threat progression (using a combination of user session and state tracking algorithms). We also detect the attacker successfully elevating privilege and creating a root shell from the setuid binary following the exploitation attempt. Additionally, once a threat progression is established, Confluera also provides additional forensics information to help investigate the incidents. One can see the user id 1001 executed sudo from the shell being reported as additional forensics information.
3. Next, the attacker enumerates the environment and discovers an ssh hijacking opportunity (“Discovery” technique).
Confluera identifies the offending process and enumerates other processes’ environmental variables. Such low severity detections (or weak security signals) are tracked and surfaced to the analyst only when such detections are a part of an active threat progression.
4. Hijacked the ssh session and lateral moved to alicebox (“Lateral Movement” technique)
Confluera not only detects the ssh hijacking attack, it is also able to stitch precisely the lateral movement activity and the target machine the attacker has moved to. This lateral movement tracking works across any number of hosts and is independent of the time difference between the hops.
5. Next, the attacker exploits the sudo vulnerability on alicebox (“Privilege Escalation” technique).
Confluera continues the threat progression story on the new machine and detects the attacker’s second attempt to exploit the sudo vulnerability CVE-2021-3156.
In this attack scenario, the remediation effort mainly involves identifying and dismantling the elevated processes that the attacker has set up during the progression. Confluera XDR generates automated recommendations for remediating the necessary hosts, files and processes involved in each progression.
In this scenario, killing the elevated reverse shell and ssh processes on joebox and the shell processes on alicebox are the recommended actions.
Malicious users with local access can elevate privileges by exploiting sudo (CVE-2021-3156) and gain arbitrary code execution with root. It is recommended that you patched the vulnerability as soon as you can.
The power of Confluera is the deep visibility at the infrastructure layer and autonomous detection and response capability. As a result, Confluera automatically sequence attacks in the kill chain to reduce investigation overhead.