Skip to content

Commit 5f0003e

Browse files
AegrahAegrah
committed
[Rule Tuning] Potential CVE-2025-32463 Sudo Chroot Execution Attempt
1 parent 64a8290 commit 5f0003e

File tree

1 file changed

+3
-3
lines changed

1 file changed

+3
-3
lines changed

rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
creation_date = "2025/10/01"
33
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
44
maturity = "production"
5-
updated_date = "2025/10/01"
5+
updated_date = "2025/10/15"
66

77
[rule]
88
author = ["Elastic"]
@@ -38,7 +38,7 @@ This rule highlights sudo invoked with the chroot (-R/--chroot) option outside n
3838
- Extract the chroot target path from the event and enumerate its etc and lib directories for attacker-seeded NSS artifacts (nsswitch.conf, libnss_*, ld.so.preload) and fake passwd/group files, noting recent mtime, ownership, and world-writable files.
3939
- Pivot to file-creation and modification telemetry to identify processes and users that populated that path shortly before execution (e.g., curl, wget, tar, git, gcc), linking them to the invoking user to establish intent.
4040
- Review session and process details to see if a shell or interpreter was launched inside the chroot and whether an euid transition to 0 occurred, indicating a successful privilege escalation.
41-
- Confirm sudos package version and build options and the user’s sudoers policy (secure_path/env_* settings and any NOPASSWD allowances) to assess exploitability and whether chroot usage was authorized.
41+
- Confirm sudo's package version and build options and the user’s sudoers policy (secure_path/env_* settings and any NOPASSWD allowances) to assess exploitability and whether chroot usage was authorized.
4242
- Collect and preserve the chroot directory contents and relevant audit/log artifacts, and scope by searching for similar chroot invocations or NSS file seeds across the host and fleet.
4343
4444
### False positive analysis
@@ -105,7 +105,7 @@ type = "eql"
105105
query = '''
106106
process where host.os.type == "linux" and event.type == "start" and
107107
event.action in ("exec", "exec_event", "start", "executed", "process_started", "ProcessRollup2") and
108-
process.name == "sudo" and process.args in ("-R", "--chroot") and
108+
process.name == "sudo" and process.args like ("-R", "--chroot*") and
109109
// To enforce the -R and --chroot arguments to be for sudo specifically, while wildcarding potential full sudo paths
110110
process.command_line like ("*sudo -R*", "*sudo --chroot*")
111111
'''

0 commit comments

Comments
 (0)