Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update falco_rules.yaml (CVE-2021-3156) #1543

Merged
merged 2 commits into from
Feb 17, 2021
Merged

Update falco_rules.yaml (CVE-2021-3156) #1543

merged 2 commits into from
Feb 17, 2021

Conversation

darryk10
Copy link
Contributor

@darryk10 darryk10 commented Jan 28, 2021
edited by leogr
Loading

Added Rule Sudo Potential Privilege Escalation (CVE-2021-3156)
Open Issue #1540
Signed-off-by: darryk5 stefano.chierici@sysdig.com

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #1540

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156

@poiana poiana requested review from fntlnz and leodido January 28, 2021 20:08
@poiana
Copy link

poiana commented Jan 28, 2021

Welcome @darryk5! It looks like this is your first PR to falcosecurity/falco 🎉

@poiana poiana added the size/S label Jan 28, 2021
Kaizhe
Kaizhe suggested changes Jan 28, 2021
View reviewed changes
rules/falco_rules.yaml Outdated Show resolved Hide resolved
@Kaizhe
Copy link
Contributor

Kaizhe commented Jan 28, 2021

#1540

darryk10
darryk10 commented Jan 28, 2021
View reviewed changes
Copy link
Contributor Author

@darryk10 darryk10 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved %container.info at the end as suggested by @Kaizhe

@darryk10 darryk10 requested a review from Kaizhe January 28, 2021 20:26
@Kaizhe
Copy link
Contributor

Kaizhe commented Jan 28, 2021

@darryk5 please sign your commits and update release notes with the following fomrat:

rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list

Kaizhe
Kaizhe reviewed Jan 28, 2021
View reviewed changes
Copy link
Contributor

@Kaizhe Kaizhe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks! Please address my other comments in the thread

@darryk10 darryk10 requested a review from Kaizhe January 28, 2021 23:26
leodido
leodido suggested changes Jan 29, 2021
View reviewed changes
Copy link
Member

@leodido leodido left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs some refinements IMHO, but thanks for submitting it

CHANGELOG.md Outdated
@@ -43,6 +43,7 @@ Released on 2021-01-18

### Rule Changes

* rule(Sudo Potential Privilege Escalation (CVE-2021-3156)): new rule created to detect CVE-2021-3156[[#1543](https://github.com/falcosecurity/falco/pull/1543)] - [@darryk5](https://github.com/darryk5)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changelog must not be changed manually.

It gets automatically compiled from the release-notes block in the PR template.

rules/falco_rules.yaml Outdated
@@ -3114,7 +3114,17 @@
output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: INFO
tags: [container, process]

- rule: Sudo Potential Privilege Escalation (CVE-2021-3156)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- rule: Sudo Potential Privilege Escalation (CVE-2021-3156)
// This rule helps detect CVE-2021-3156:
// A privilege escalation to root through heap-based buffer overflow
- rule: Sudo Potential Privilege Escalation

Would you please accept my suggestion here?

rules/falco_rules.yaml Outdated
@@ -3114,7 +3114,17 @@
output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: INFO
tags: [container, process]

- rule: Sudo Potential Privilege Escalation (CVE-2021-3156)
desc: Privilege escalation vulnerability affected sudo. Executing sudo using sudoedit -s or sudoedit -t command from an unprivileged user it's possible to elevate the user privileges to root.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not totally correct.

To happen

Suggested change
desc: Privilege escalation vulnerability affected sudo. Executing sudo using sudoedit -s or sudoedit -t command from an unprivileged user it's possible to elevate the user privileges to root.
desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.

Would you also accept my suggestion here

rules/falco_rules.yaml

- rule: Sudo Potential Privilege Escalation (CVE-2021-3156)
desc: Privilege escalation vulnerability affected sudo. Executing sudo using sudoedit -s or sudoedit -t command from an unprivileged user it's possible to elevate the user privileges to root.
condition: spawned_process and user.uid!= 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the space in "\ " wanted here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since filter proc.args, it concatenate all the arguments together as a single string and separated by space character with "\ ", we cover the arguments ending with \ in the middle.

leogr
leogr requested changes Jan 29, 2021
View reviewed changes
Copy link
Member

@leogr leogr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall the rule is ok. However, I found some issues (see comments).

Moreover, since this rule derives from @fntlnz's work (posted in #1540), I believe the commit should include the right attribution (i.e. Co-Authored-By). Also, squashing the two comments into one would be better, IMHO.

Thanks.

CHANGELOG.md Outdated
@@ -43,6 +43,7 @@ Released on 2021-01-18

### Rule Changes

* rule(Sudo Potential Privilege Escalation (CVE-2021-3156)): new rule created to detect CVE-2021-3156[[#1543](https://github.com/falcosecurity/falco/pull/1543)] - [@darryk5](https://github.com/darryk5)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* rule(Sudo Potential Privilege Escalation (CVE-2021-3156)): new rule created to detect CVE-2021-3156[[#1543](https://github.com/falcosecurity/falco/pull/1543)] - [@darryk5](https://github.com/darryk5)

This patch will be not included in 0.27.0. Most important, do not modify the CHANGELOG.md manually, please.
The changelog will be updated in the release process as described here

rules/falco_rules.yaml Outdated
- rule: Sudo Potential Privilege Escalation (CVE-2021-3156)
desc: Privilege escalation vulnerability affected sudo. Executing sudo using sudoedit -s or sudoedit -t command from an unprivileged user it's possible to elevate the user privileges to root.
condition: spawned_process and user.uid!= 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unnecessary space here.

rules/falco_rules.yaml Outdated
Comment on lines 3128 to 3130



Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unnecessary newlines.

darryk10 and others added 2 commits January 29, 2021 11:44
@darryk10 @fntlnz
Added Rule Sudo Potential Privilege Escalation (CVE-2021-3156)
0117412 
See #1540

Signed-off-by: darryk5 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>
@darryk10 @leodido @leogr
update: add review suggestions for Rule Sudo Potential Privilege Esca…
0448502 
…lation

Signed-off-by: darryk5 <stefano.chierici@sysdig.com>
Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
@deepskyblue86
Copy link
Contributor

I agree with @leogr, would you please squash the commits into a single one?

@leogr
Copy link
Member

leogr commented Feb 17, 2021

/milestone 0.28.0

@poiana poiana added this to the 0.28.0 milestone Feb 17, 2021
@poiana poiana added the lgtm label Feb 17, 2021
@poiana
Copy link

poiana commented Feb 17, 2021

LGTM label has been added.

Git tree hash: 8b85842ff2e1ac9f68e864c059d9573a0628dbce

@leogr leogr changed the title Update falco_rules.yaml Update falco_rules.yaml (CVE-2021-3156) Feb 17, 2021
@leodido leodido requested review from Kaizhe and removed request for Kaizhe February 17, 2021 16:54
@leogr
Copy link
Member

leogr commented Feb 17, 2021

/cc @Kaizhe
PTAL

@poiana
Copy link

poiana commented Feb 17, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Kaizhe, leodido, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 0879523 into falcosecurity:master Feb 17, 2021
@darryk10 darryk10 deleted the patch-1 branch October 28, 2021 16:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leodido leodido leodido approved these changes

@Kaizhe Kaizhe Kaizhe approved these changes

@leogr leogr leogr approved these changes

@fntlnz fntlnz Awaiting requested review from fntlnz

Assignees

@leodido leodido

@Kaizhe Kaizhe

@leogr leogr

Labels
approved dco-signoff: yes lgtm release-note size/S
Projects
None yet
Milestone
0.28.0
Development

Successfully merging this pull request may close these issues.

Rules for sudo CVE-2021-3156
6 participants
@darryk10 @poiana @Kaizhe @deepskyblue86 @leogr @leodido