8000 feat: add detection rules for CVE-2025-32463 sudo chroot vulnerability by swachchhanda000 · Pull Request #5671 · SigmaHQ/sigma · GitHub

Conversation

swachchhanda000
Collaborator

Summary of the Pull Request

Changelog

new: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
new: Potential Sudo Chroot CVE-2025-32463 Vulnerability Exploitation

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

Collaborator
@phantinuss phantinuss left a comment

the sudo execution with -R/--chroot is a bit iffy but it also shouldn't be that common in general. I am fine to try it as level: medium

@phantinuss phantinuss added the 2nd Review Needed PR need a second approval label Oct 2, 2025
@phantinuss phantinuss requested a review from Copilot October 2, 2025 10:36
@phantinuss phantinuss added this to the Sigma-October-Release milestone Oct 2, 2025
@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds detection rules for CVE-2025-32463, a local privilege escalation vulnerability in sudo versions 1.9.14 to 1.9.17 that allows loading arbitrary shared libraries from user-controlled directories during chroot operations.

  • Adds process creation detection for sudo commands using --chroot or -R options
  • Adds file event detection for nsswitch.conf creation in non-standard directories
  • Provides detection coverage for two different attack vectors of the same CVE

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| proc_creation_lnx_exploit_cve_2025_32463.yml | Detects sudo commands with chroot options that could indicate exploitation attempts |
| file_event_lnx_exploit_cve_2025_32463.yml | Detects creation of nsswitch.conf files in non-standard locations |
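To make the two detection ideas reviewed above concrete, here is an added Python example that is not the PR's rule content or any SigmaHQ code: it applies the described matching logic (sudo run with -R/--chroot; nsswitch.conf created outside /etc) to constructed sample events. The field names, the user-writable path list used for the suggested level bump, and the level assigned to the file-event rule are assumptions, not values taken from the merged rules.

```python
import re

# Constructed sample events (not real telemetry); field names follow the usual
# Sigma process_creation / file_event conventions for Linux and are assumed here.
EVENTS = [
    {"category": "process_creation", "Image": "/usr/bin/sudo",
     "CommandLine": "sudo -R /tmp/jail id"},
    {"category": "process_creation", "Image": "/usr/bin/sudo",
     "CommandLine": "sudo --chroot=/srv/build /bin/sh"},
    {"category": "process_creation", "Image": "/usr/bin/sudo",
     "CommandLine": "sudo -u root apt update"},
    {"category": "file_event", "TargetFilename": "/tmp/jail/etc/nsswitch.conf"},
    {"category": "file_event", "TargetFilename": "/etc/nsswitch.conf"},
]

# "-R <dir>", "--chroot <dir>" or "--chroot=<dir>"; captures the chroot directory.
# Combined short flags such as "-nR" are not matched, a known gap of this sketch.
CHROOT_ARG = re.compile(r"(?:^|\s)(?:-R|--chroot)(?:=|\s+)(\S+)")
# Assumed list of user-writable prefixes for the refinement suggested in the thread.
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

def sudo_chroot_target(event):
    """Return the chroot directory when sudo is run with -R/--chroot, else None."""
    if event.get("category") != "process_creation":
        return None
    if not event.get("Image", "").endswith("/sudo"):
        return None
    m = CHROOT_ARG.search(event.get("CommandLine", ""))
    return m.group(1) if m else None

def nonstandard_nsswitch(event):
    """True when nsswitch.conf is created anywhere other than /etc/nsswitch.conf."""
    if event.get("category") != "file_event":
        return False
    path = event.get("TargetFilename", "")
    return path.endswith("/nsswitch.conf") and path != "/etc/nsswitch.conf"

def run_detections(events):
    """Return (rule title, level, event) for every hit over the given events."""
    hits = []
    for e in events:
        target = sudo_chroot_target(e)
        if target is not None:
            # Base rule fires at medium (as agreed in the thread); the proposed
            # refinement raises it to high when the chroot root is user-writable.
            level = "high" if target.startswith(USER_WRITABLE) else "medium"
            hits.append(("Potential Sudo Chroot CVE-2025-32463 Vulnerability Exploitation", level, e))
        if nonstandard_nsswitch(e):
            # Level for the file-event rule is assumed; the PR text does not state it.
            hits.append(("Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation", "medium", e))
    return hits
```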

@swachchhanda000
Collaborator Author

> the sudo execution with -R/--chroot is a bit iffy but it also shouldn't be that common in general. I am fine to try it as level: medium

maybe it could be a general rule --chroot execution with user-writable paths like '/tmp' etc.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
@phantinuss
Collaborator

> the sudo execution with -R/--chroot is a bit iffy but it also shouldn't be that common in general. I am fine to try it as level: medium

> maybe it could be a general rule --chroot execution with user-writable paths like '/tmp' etc.

only really necessary if that results in a rule of level: high or higher. I am not so sure about that or that it's worth it tbh.
