Enterprise EDR: Can Enterprise EDR detect CVE-2021-3156 being exploited


Article ID: 290540


Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

Can Enterprise EDR detect exploitation of CVE-2021-3156?

Environment

  • Enterprise EDR (was CB ThreatHunter)

Resolution

Yes. Use the following process search, which can also be added as a watchlist. It matches the invocation that triggers the overflow (sudoedit run with -s or -i); a patched sudo rejects that combination with a usage error, so any hit is worth reviewing even if the exploit did not succeed:
 
cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")
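The following is an added example, not part of the original article or of the Carbon Black product: it runs the same watchlist logic over a handful of constructed process events, then applies a stricter second check for the actual overflow trigger (an argument ending in an unescaped backslash, the shape used by the public proof of concept). The tokenizer, the ProcessEvent type and the sample command lines are assumptions made for the example; the real search index may tokenize slightly differently.

```python
"""Emulate the Enterprise EDR watchlist for CVE-2021-3156 on sample events.

Query being emulated:  cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")
The sample events below are constructed for this example, not real sensor data.
"""
from dataclasses import dataclass

# Flags the watchlist query looks for alongside the "sudoedit" token.
EXPLOIT_FLAGS = {"-s", "-i"}


@dataclass
class ProcessEvent:
    event_id: str
    cmdline: str  # argv as recorded by the sensor, i.e. after shell quote removal


def _tokens(cmdline: str) -> set:
    # Assumed approximation of the search index tokenizer: split on whitespace
    # and "/", so "/usr/bin/sudoedit" also yields a "sudoedit" token.
    return {t for part in cmdline.split() for t in part.split("/") if t}


def matches_watchlist(cmdline: str) -> bool:
    """Mirror of: cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")."""
    toks = _tokens(cmdline)
    return "sudoedit" in toks and bool(toks & EXPLOIT_FLAGS)


def has_overflow_trigger(cmdline: str) -> bool:
    """True if any argument ends in an odd number of backslashes.

    Vulnerable sudo unescapes sudoedit -s/-i arguments while copying them into
    a heap buffer; a trailing unescaped backslash makes it read past the
    terminating NUL and write beyond the buffer. An even count is a properly
    escaped backslash and does not trigger the bug.
    """
    for arg in cmdline.split()[1:]:
        trailing = len(arg) - len(arg.rstrip("\\"))
        if trailing % 2 == 1:
            return True
    return False


def triage(events) -> dict:
    """Return {event_id: verdict} for every event the watchlist would surface."""
    verdicts = {}
    for ev in events:
        if not matches_watchlist(ev.cmdline):
            continue
        verdicts[ev.event_id] = (
            "likely CVE-2021-3156 attempt"
            if has_overflow_trigger(ev.cmdline)
            else "sudoedit -s/-i invocation, review"
        )
    return verdicts


# Constructed sample events (hypothetical, for the example only).
SAMPLE_EVENTS = [
    ProcessEvent("ev1", "sudoedit -s \\ " + "A" * 64),      # PoC shape: lone backslash argument
    ProcessEvent("ev2", "/usr/bin/sudoedit -i \\ " + "B" * 32),
    ProcessEvent("ev3", "sudoedit -s /etc/hosts"),          # flag present, no trigger: usage error on patched sudo
    ProcessEvent("ev4", "sudoedit /etc/hosts"),             # ordinary use, no hit
    ProcessEvent("ev5", "sudo -s"),                         # plain sudo, not the sudoedit path: no hit
    ProcessEvent("ev6", "sudoedit -s foo\\\\"),             # two trailing backslashes: escaped, no trigger
]

if __name__ == "__main__":
    for event_id, verdict in triage(SAMPLE_EVENTS).items():
        print(event_id, verdict)
```

The two-stage split is deliberate: the watchlist condition is cheap and catches every known invocation shape, while the backslash check separates a real exploitation attempt from a typo or a curious user, which matters when prioritising alerts across a fleet.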

Additional Information

CVE-2021-3156 ("Baron Samedit") is a heap-based buffer overflow in the sudo binary shipped by the underlying OS. It lets any local user escalate to root, whether or not they are listed in sudoers, and is triggered by running sudoedit with -s or -i and an argument that ends in an unescaped backslash. Upstream sudo 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; the fix is in 1.9.5p2. Linux distributions backport the fix into older version strings, so compare against the vendor advisory rather than the upstream number, or test the binary directly: on a patched sudo, sudoedit -s '\' prints a usage message, while a vulnerable build prints an error beginning with "sudoedit:".