Splunk Lantern

Active detection of vulnerable sudo versions

Your organization has unpatched Linux servers. You know those servers are vulnerable to a number of attacks, including the heap-based buffer overflow in sudo, called Baron Samedit. You want to be able to search for indications that this attack has hit your servers.

Data required 

*nix logs

Procedures

Option 1

  1. Install the Technical Add-on for Samedit on a Splunk Universal Forwarder. By default, it runs once per hour.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
index=<index where your *nix logs are>
sourcetype="script::samedit"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search                              Explanation
index=<index where your *nix logs are>     Search only the index where your *nix logs are stored.
sourcetype="script::samedit"               Search only the events produced by the add-on's scripted input, which carry sourcetype="script::samedit".

Next steps

The add-on runs various versioning commands as a scripted input, parses their output to find your sudo version, and compares the version found on the system against a list of patched sudo releases. The TA is also "Ubuntu-aware", because those systems report their version numbers differently. The key/value pair output of "samedit_status" and "finding" tells you whether that particular Linux host is potentially vulnerable. This is a great way to track your patch status progress.
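The following is an added example of what such a scripted input looks like; it is not the Samedit add-on's own code. It reads the installed sudo version (the Debian/Ubuntu package version where available, otherwise the output of sudo -V), compares it field by field with a patched release, and prints the same kind of samedit_status and finding key/value pairs described above. The patched release is not given on this page, so the script takes it from an assumed SAMEDIT_PATCHED environment variable that you set from your distribution's sudo advisory; all version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not the Samedit TA's own script: a minimal scripted input
# that finds the installed sudo version, compares it with a patched release
# and prints Splunk-style key=value pairs (samedit_status, finding).

# vernum: reduce a version string to space-separated integers so that
# "1.9.5p2" -> "1 9 5 2 0" and "1.8.31-1ubuntu1.2" -> "1 8 31 1 1 2 0"
# (constructed sample values). Every run of non-digits is a separator, so
# the sudo 'p' patch level and a Debian/Ubuntu package revision both become
# ordinary numeric fields; a trailing 0 guarantees at least one separator.
vernum() {
    printf '%s\n' "$1" | sed -e 's/[^0-9][^0-9]*/ /g' -e 's/ *$/ 0/' -e 's/^ //'
}

# version_ge A B: succeed (exit 0) when A is the same as or newer than B.
# Fields are compared numerically left to right; a missing field counts as 0.
version_ge() {
    vg_a=$(vernum "$1"); vg_b=$(vernum "$2"); vg_i=1
    while :; do
        vg_x=$(printf '%s\n' "$vg_a" | cut -d' ' -f"$vg_i")
        vg_y=$(printf '%s\n' "$vg_b" | cut -d' ' -f"$vg_i")
        [ -z "$vg_x" ] && [ -z "$vg_y" ] && return 0   # ran out of fields: equal
        [ "${vg_x:-0}" -gt "${vg_y:-0}" ] && return 0
        [ "${vg_x:-0}" -lt "${vg_y:-0}" ] && return 1
        vg_i=$((vg_i + 1))
    done
}

# collect_sudo_version: on Debian/Ubuntu read the package version, because
# fixes are backported there and only the "-1ubuntuN.M" revision moves;
# elsewhere parse "Sudo version X.Y.ZpN" from sudo -V. Prints "unknown"
# when neither source is available.
collect_sudo_version() {
    cv=
    if command -v dpkg-query >/dev/null 2>&1; then
        cv=$(dpkg-query -W -f='${Version}' sudo 2>/dev/null)
    fi
    [ -n "$cv" ] || cv=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p')
    printf '%s\n' "${cv:-unknown}"
}

# samedit_status INSTALLED PATCHED: print patched, vulnerable or unknown.
samedit_status() {
    case $1 in ''|unknown) echo unknown; return 0;; esac
    if version_ge "$1" "$2"; then echo patched; else echo vulnerable; fi
}

# samedit_event INSTALLED PATCHED: the single Splunk event line for this host.
samedit_event() {
    se_status=$(samedit_status "$1" "$2")
    case $se_status in
        patched)    se_finding="sudo $1 is at or above patched release $2";;
        vulnerable) se_finding="sudo $1 is older than patched release $2";;
        *)          se_finding="could not determine the installed sudo version";;
    esac
    printf 'samedit_status=%s sudo_version=%s patched_release=%s finding="%s"\n' \
        "$se_status" "${1:-unknown}" "$2" "$se_finding"
}

# Stand-alone run. SAMEDIT_PATCHED is an assumed variable: set it to the
# fixed sudo release named in your distribution's advisory.
if [ -n "${SAMEDIT_PATCHED:-}" ]; then
    samedit_event "$(collect_sudo_version)" "$SAMEDIT_PATCHED"
else
    echo 'samedit_status=unknown finding="SAMEDIT_PATCHED is not set; supply the patched sudo release from your vendor advisory"'
fi
```

Run it once per host as a scripted input with SAMEDIT_PATCHED set in the forwarder's environment, and the single event line it emits is picked up by Splunk's automatic key=value extraction, so a search on samedit_status=vulnerable lists the hosts still to patch. The comparison is deliberately simple: it treats the Ubuntu package revision as extra numeric fields, which is enough to tell a backported fix apart from the unfixed package of the same upstream version, but it does not implement the full Debian version-ordering rules.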

You might also be interested in other processes associated with the Detecting the Sudo Baron Samedit attack use case.

Option 2

  1. Install the Splunk Add-on for Unix and Linux.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
index=<index where your *nix logs are>
sourcetype="package"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search                              Explanation
index=<index where your *nix logs are>     Search only the index where your *nix logs are stored.
sourcetype="package"                       Search only the package inventory events collected by the add-on on common Linux distros.

Next steps

If you have a vulnerability management capability (such as Qualys), especially one that performs credentialed scans of your servers and workstations, you can use this search to find the sudo versions present and plan mitigation. If you have an attack surface management capability, you can determine which Unix resources are outside your firewall but on your network. RiskIQ, for example, reports the versions of Linux or Unix it finds, which helps you prioritize patching once you map those to releases shipped with vulnerable sudo versions. Whether you're doing internal or external scanning, you can ingest and report on the results in Splunk and perhaps take automated action on them as well.

You might also be interested in other processes associated with the Detecting the Sudo Baron Samedit attack use case.