From 49ed76004c101b5b668b5e2010db3800ea9687f5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 15 Oct 2019 09:39:08 +0200
Subject: [PATCH] rule: sudo priv esc vuln CVE-2019-14287
---
rules/linux/lnx_sudo_cve_2019_14287.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 rules/linux/lnx_sudo_cve_2019_14287.yml
diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml
new file mode 100644
index 00000000..02c86a1d
--- /dev/null
+++ b/rules/linux/lnx_sudo_cve_2019_14287.yml
@@ -0,0 +1,18 @@
+title: Sudo Privilege Escalation CVE-2019-14287
+status: experimental
+description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
+references:
+ - https://access.redhat.com/security/cve/cve-2019-14287
+ - https://twitter.com/matthieugarin/status/1183970598210412546
+author: Florian Roth
+date: 2019/10/15
+logsource:
+ product: linux
+detection:
+ keywords:
+ - '* -u#-1*'
+ - '* -u#4294967295*'
+ condition: keywords
+falsepositives:
+ - Unlikely
+level: critical
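Review bot: The two `keywords` entries only match the exact spelling `-u#-1` / `-u#4294967295`, so the same request written with a space after `-u` or through the long `--user` option would not be detected; consider adding entries such as `'* -u #-1*'` and `'*--user=#-1*'`, plus the matching `4294967295` forms. `logsource` names only `product: linux`, so the rule does not say which log is expected to contain the typed command line. sudo's own log entry appears to record the target as a `USER=` field rather than the option as typed, so this probably needs a command-line source such as auditd or a second selection on that field, which is worth stating through a `service:` key or in the `description`. A hit shows an attempt rather than a successful escalation, so a short triage hint next to `level: critical` (check the host's sudo patch state and the user's Runas entries in sudoers) would help analysts.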