The Sudo vulnerability may be 10 years old, but your detection and response should be cutting edge

Rex Guo
Principle Security Researcher

A heap overflow vulnerability in sudo was recently discovered (CVE-2021-3156, named: Baron Samedit). By exploiting this vulnerability, any unprivileged user can use the default sudo configuration to obtain root privileges (no password required) on the vulnerable host.

Interestingly, the sudo privilege escalation vulnerability remained undiscovered for nearly ten years. It was introduced in a submission in July 2011. If you are like many and have sudo installed on Linux or Unix machines in your environment, this vulnerability likely affects you.

While it requires an adversary to have access to the vulnerable machine to perform privilege escalation, detecting this exploit needs to focus equally on the pre-exploit and post-exploit kill chain (which will likely include activities across execution, privilege escalation, discovery, lateral movement, etc). As exemplified in the recent SolarWinds breach, a network can be compromised from unexpected threat vectors, and a defense-in-depth posture is critical in detecting and responding to the attack. Confluera XDR is purpose-built to detect, investigate and respond to such multi-stage attacks — in a holistic, automated and painless way.

The Baron Samedit Vulnerability and Attack

Let’s briefly review the vulnerability. The bug in sudo code permits the attacker to avoid the escape characters and overflow the heap-based buffer through a command-line argument with a single backslash character. This buffer overflow vulnerability allows the attacker to control the size and content of the buffer with the corresponding command line argument. Therefore a malicious user can execute custom code on the host with root privileges.

The researchers discovered that the bug can be triggered when some of the following conditions are met:

  1. Executing sudo in “shell” mode

2. Using the sudoedit command with the options below:

The vulnerability affects all the following sudo versions:

  • All legacy versions from 1.8.2 to 1.8.31p2
  • All stable versions from 1.9.0 to 1.9.5p1

You can test if the sudo binary is vulnerable using the following command:

Depending on the response, you can determine if sudo is vulnerable:

  • Vulnerable if responds an error starting with sudoedit:
  • Not Vulnerable or patched if responds an error starting with usage:

Another way to test is to trigger the segmentation fault directly using command below. If you did not see the segmentation fault, it is likely your sudo is not vulnerable.

Detecting and responding to CVE-2021-3156 exploitation

Whether your system is patched or not, visibility of the exploitation attempts and pre-/post-exploitation activities is fundamental. Let’s analyze how Confluera XDR’s workload detection and response solution can detect and prevent the attack in your environment.

Let’s look at an example breach and visualize this incident through the lens of the MITRE ATT&CK framework, the de-facto industry standard for the definition and classification of infrastructure wide cyberattacks.

Our victim environment has two linux machines (joebox and alicebox) with sudo CVE-2021-3156 vulnerability.

The attacker performed the following actions:

  1. Exploited a nodejs web server vulnerability to spawn a reverse shell to the C2 server. (“Execution” technique)
  2. Exploited the vulnerability to elevate to root and created a root shell (“Privilege Escalation” technique)
  3. Enumerated the environment and discovered an ssh hijacking opportunity (“Discovery” technique)
  4. Hijacked the ssh session and lateral moved to alicebox (“Lateral Movement” technique)
  5. Attempted to exploit the sudo vulnerability on the alicebox (“Privilege Escalation” technique)

Confluera detects any exploitation attempt of CVE-2021-3156 and captures the sequence of activities into a threat storyboard view. In addition, Confluera also provides response actions for the user to terminate the offending processes.

Image for post
Threat progression

Let’s review the threat progression step by step:

1. The attacker exploits the web server that leads to remote code execution and spawns a reverse shell to the C2 server (“Execution” technique).

Confluera detects this reverse shell activity and creates a new threat progression (storyboard) to track this potential attack pattern. The detection is based on the runtime process behaviors of the reverse shell instead of the traditional signature approach.

Image for post
Step 1

2. Exploited the CVE-2021-3156 vulnerability to elevate to root and created a root shell (“Privilege Escalation” technique). The attacker launched sudo with an argument that triggers the heap overflow and caused the sudo binary to load a malicious shared library. On library load, the sudo binary created a root privilege shell.

Confluera precisely detects a CVE-2021-3156 exploitation attempt and stitches the detection to the previously created threat progression (using a combination of user session and state tracking algorithms). We also detect the attacker successfully elevating privilege and creating a root shell from the setuid binary following the exploitation attempt. Additionally, once a threat progression is established, Confluera also provides additional forensics information to help investigate the incidents. One can see the user id 1001 executed sudo from the shell being reported as additional forensics information.

Image for post
step 2

3. Next, the attacker enumerates the environment and discovers an ssh hijacking opportunity (“Discovery” technique).

Confluera identifies the offending process and enumerates other processes’ environmental variables. Such low severity detections (or weak security signals) are tracked and surfaced to the analyst only when such detections are a part of an active threat progression.

Image for post
step 3

4. Hijacked the ssh session and lateral moved to alicebox (“Lateral Movement” technique)

Confluera not only detects the ssh hijacking attack, it is also able to stitch precisely the lateral movement activity and the target machine the attacker has moved to. This lateral movement tracking works across any number of hosts and is independent of the time difference between the hops.

Image for post
Step 4

5. Next, the attacker exploits the sudo vulnerability on alicebox (“Privilege Escalation” technique).

Confluera continues the threat progression story on the new machine and detects the attacker’s second attempt to exploit the sudo vulnerability CVE-2021-3156.

Image for post

Remediation

In this attack scenario, the remediation effort mainly involves identifying and dismantling the elevated processes that the attacker has set up during the progression. Confluera XDR generates automated recommendations for remediating the necessary hosts, files and processes involved in each progression.

In this scenario, killing the elevated reverse shell and ssh processes on joebox and the shell processes on alicebox are the recommended actions.

Image for post
Response actions

Conclusions

Malicious users with local access can elevate privileges by exploiting sudo (CVE-2021-3156) and gain arbitrary code execution with root. It is recommended that you patched the vulnerability as soon as you can.

The power of Confluera is the deep visibility at the infrastructure layer and autonomous detection and response capability. As a result, Confluera automatically sequence attacks in the kill chain to reduce investigation overhead.

Intercept Threats. Before Damage.

Ready to experience the benefit of Confluera?
Start your 30-day trial and see for yourself how the latest innovation in detection and response can fend off the most advanced modern cyber attacks.
Like to learn more about Confluera?
Schedule a 30-min demo with one of our cybersecurity experts to learn how Confluera can help you identify and intercept cyber threats before it becomes a breach.