EDR: Can EDR detect CVE-2021-3156 being exploited


Article ID: 287713


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Can EDR detect exploitation of CVE-2021-3156?

Environment

  • EDR:  All Supported Versions

Resolution

Yes. The public exploits invoke sudoedit in shell mode (-s or -i), an option combination a patched sudo rejects with a usage error and that has no legitimate use, so the following search matches exploitation attempts and can also be added as a watchlist:
cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")

A hit shows that the vulnerable argument pattern was executed, not that the escalation succeeded: on a patched host the same command simply fails. Confirm the patch level of the endpoint (see Additional Information) and review the process tree of any matching event.

 

Additional Information

CVE-2021-3156 (also known as "Baron Samedit") is a heap-based buffer overflow in sudo itself, the setuid binary shipped by the underlying OS, that allows any local user to escalate privileges to root. Upstream sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; the fix is in 1.9.5p2. Linux distributions usually backport the fix without changing the version string, so rely on the vendor advisory rather than the version number, or run "sudoedit -s /" as an unprivileged user: a vulnerable sudo responds with an error beginning with "sudoedit:", a patched sudo with one beginning with "usage:". Note that this check is itself a sudoedit -s invocation and will match the search above.
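The following Python script is an added example for this article, not Carbon Black EDR code. It applies the same logic as the search in the Resolution section to a handful of constructed process events, adds a higher-fidelity check for the actual exploit argument pattern (shell mode plus an argument ending in a lone backslash, which is what triggers the overflow), and classifies the output of the "sudoedit -s /" vulnerability probe. The event layout (a dict carrying argv as a list, as read from /proc/<pid>/cmdline), the sample events and the handling of clustered short options such as -si are assumptions made for the illustration.

```python
"""Detection logic for CVE-2021-3156 ("Baron Samedit") exploitation attempts.

Added example for the KB article; not Carbon Black EDR code. The event format
and the sample events below are constructed for illustration.
"""
from __future__ import annotations

import os

# Constructed sample process events (not real telemetry). argv is kept as a
# list because /proc/<pid>/cmdline is NUL-separated, so argument boundaries
# are known; a cmdline search sees the space-joined string.
SAMPLE_EVENTS = [
    # Benign: editing a file through sudoedit.
    {"pid": 4101, "user": "alice", "argv": ["sudoedit", "/etc/hosts"]},
    # Benign: a sudo shell, which is outside the query because it is not sudoedit.
    {"pid": 4102, "user": "alice", "argv": ["sudo", "-s"]},
    # Watchlist hit: the minimal vulnerability probe from the advisory.
    {"pid": 4103, "user": "bob", "argv": ["sudoedit", "-s", "/"]},
    # Exploit attempt: shell mode plus a lone backslash argument and padding.
    {"pid": 4104, "user": "bob", "argv": ["sudoedit", "-s", "\\", "A" * 64]},
    # Same attempt with clustered options; a literal "-s" token match, as the
    # query is modelled here, does not see it, but the exploit check does.
    {"pid": 4105, "user": "bob", "argv": ["/usr/bin/sudoedit", "-si", "\\", "A" * 64]},
]


def matches_watchlist(event: dict) -> bool:
    """Equivalent of the EDR search
        cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")
    evaluated on whitespace tokens of the joined command line."""
    tokens = " ".join(event["argv"]).split()
    if not any(os.path.basename(t) == "sudoedit" for t in tokens):
        return False
    return any(t in ("-s", "-i") for t in tokens[1:])


def _shell_mode(argv: list[str]) -> bool:
    """True if sudoedit was asked for shell mode: -s or -i, alone or clustered
    with other short options (an assumed generalisation, e.g. -si)."""
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg.startswith("-") and not arg.startswith("--"):
            if "s" in arg[1:] or "i" in arg[1:]:
                return True
    return False


def exploit_indicator(event: dict) -> bool:
    """Higher-fidelity check: sudoedit in shell mode with an argument that ends
    in an unescaped (odd number of trailing) backslash, e.g. sudoedit -s '\\' ...,
    which is the argument shape that triggers the heap overflow."""
    argv = event["argv"]
    if not argv or os.path.basename(argv[0]) != "sudoedit":
        return False
    if not _shell_mode(argv):
        return False
    for arg in argv[1:]:
        trailing = len(arg) - len(arg.rstrip("\\"))
        if trailing % 2 == 1:
            return True
    return False


def triage(events: list[dict]) -> dict:
    """Return {pid: verdict}; verdict is 'exploit-pattern', 'watchlist' or None."""
    verdicts = {}
    for ev in events:
        if exploit_indicator(ev):
            verdicts[ev["pid"]] = "exploit-pattern"
        elif matches_watchlist(ev):
            verdicts[ev["pid"]] = "watchlist"
        else:
            verdicts[ev["pid"]] = None
    return verdicts


def classify_probe_output(first_line: str) -> str:
    """Classify the first line printed by running `sudoedit -s /` as an
    unprivileged user (the check published with the advisory): a vulnerable
    sudo complains about the file ("sudoedit: /: not a regular file"), a
    patched sudo rejects -s with a usage message."""
    if first_line.startswith("sudoedit:"):
        return "vulnerable"
    if first_line.startswith("usage:"):
        return "patched"
    return "unknown"


if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_EVENTS).items():
        print(pid, verdict)
    print(classify_probe_output("sudoedit: /: not a regular file"))
```

The two tiers are meant to be used together: the watchlist query is cheap and catches probes and scans, while the backslash check separates a real exploit attempt from someone running the vulnerability test. Either way, a match on a host whose probe output classifies as "patched" is an attempt, not a compromise.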