From 869c9a7f4d0607fe17df94f8da2f061d8ab3e9a9 Mon Sep 17 00:00:00 2001
From: Lorenzo Susini
Date: Fri, 5 Apr 2024 12:49:43 +0000
Subject: [PATCH] update(falco-incubating_tules.yaml): add Backdoored library loaded into SSHD rule

Signed-off-by: Lorenzo Susini
---
 rules/falco-incubating_rules.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index d2472ac0..a97dc6f9 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -1274,3 +1274,13 @@
   output: Process run with suspect environment variable which could be attempting privilege escalation (env=%proc.env evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
   priority: NOTICE
   tags: [maturity_incubating, host, container, users, mitre_privilege_escalation, TA0004]
+
+- rule: Backdoored library loaded into SSHD (CVE-2024-3094)
+  desc: This rule detects possible CVE-2024-3094 exploitation when the SSH daemon process loads a vulnerable version of the liblzma library. An attacker could exploit this to interfere with authentication in sshd via systemd, potentially compromising sensitive data or escalating their privileges.
+  condition: >
+    open_read and
+    proc.name=sshd and
+    (fd.name endswith "liblzma.so.5.6.0" or fd.name endswith "liblzma.so.5.6.1")
+  output: SSHD loaded a backdoored version of liblzma library %fd.name with parent %proc.pname and cmdline %proc.cmdline (process=%proc.name parent=%proc.pname file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
+  priority: WARNING
+  tags: [maturity_incubating, host, container]
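Review bot: The two `fd.name endswith` terms in the new condition key on the fully versioned filenames `liblzma.so.5.6.0`/`liblzma.so.5.6.1`, but the dynamic loader normally opens a shared library through its SONAME symlink (`liblzma.so.5`), and Falco's `fd.name` carries the path given to `open`/`openat` rather than a symlink-resolved path; if that holds on the target distributions the rule will not fire for the exact load it is meant to catch, so please confirm on a host with an affected package before promoting it. Since the backdoor is tied to the upstream tarball rather than to a filename, the version-string match is only a proxy in either direction, and `desc` should say so, e.g. append `Matching is by library filename only and may miss loads via the unversioned soname symlink or flag rebuilt packages that reuse the version string.` Separately, `exe_flags=%evt.arg.flags` in `output` was carried over from the execve-based sibling rule above, but on an open_read event `%evt.arg.flags` are the open flags, so label it `open_flags=%evt.arg.flags` or drop it. The `tags` list also lacks the MITRE mapping the neighbouring rules carry; `tags: [maturity_incubating, host, container, mitre_persistence, T1554]` would keep the scheme consistent.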