From 43b3275ef84b3be37a2aa9b3c16ed5cf47f61782 Mon Sep 17 00:00:00 2001
From: blotus
Date: Tue, 21 Jan 2025 16:48:37 +0100
Subject: [PATCH] Add vpatch rule for CVE-2024-9465 and CVE-2024-51378 (#1227)
---
 .../vpatch-CVE-2024-51378/config.yaml | 4 +
 .../vpatch-CVE-2024-51378.yaml | 30 ++++++++
 .../vpatch-CVE-2024-9465/config.yaml | 5 ++
 .../test-CVE-2024-9465.yaml | 24 ++++++
 .index.json | 74 ++++++++++++++++++-
 .../crowdsecurity/vpatch-CVE-2024-51378.yaml | 35 +++++++++
 .../crowdsecurity/vpatch-CVE-2024-9465.yaml | 39 ++++++++++
 .../appsec-virtual-patching.yaml | 2 +
 taxonomy/scenarios.json | 44 +++++++++++
 9 files changed, 254 insertions(+), 3 deletions(-)
 create mode 100644 .appsec-tests/vpatch-CVE-2024-51378/config.yaml
 create mode 100755 .appsec-tests/vpatch-CVE-2024-51378/vpatch-CVE-2024-51378.yaml
 create mode 100644 .appsec-tests/vpatch-CVE-2024-9465/config.yaml
 create mode 100644 .appsec-tests/vpatch-CVE-2024-9465/test-CVE-2024-9465.yaml
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-51378.yaml
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-9465.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-51378/config.yaml b/.appsec-tests/vpatch-CVE-2024-51378/config.yaml
new file mode 100644
index 00000000000..c38f1d168d8
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-51378/config.yaml
@@ -0,0 +1,4 @@
+appsec-rules:
+ - ./appsec-rules/crowdsecurity/base-config.yaml
+ - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-51378.yaml
+nuclei_template: vpatch-CVE-2024-51378.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-51378/vpatch-CVE-2024-51378.yaml b/.appsec-tests/vpatch-CVE-2024-51378/vpatch-CVE-2024-51378.yaml
new file mode 100755
index 00000000000..7e404d491ca
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-51378/vpatch-CVE-2024-51378.yaml
@@ -0,0 +1,30 @@
+id: vpatch-CVE-2024-51378
+info:
+ name: vpatch-CVE-2024-51378
+ author: crowdsec
+ severity: info
+ description: vpatch-CVE-2024-51378 testing
+ tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+ - raw:
+ - |
+ POST /dns/getresetstatus HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"statusfile": "; id > /tmp/id;#"}
+ - |
+ POST /ftp/getresetstatus HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"statusfile": "; id > /tmp/id;#"}
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - 'status_code_1 == 403'
+ - 'status_code_2 == 403'
diff --git a/.appsec-tests/vpatch-CVE-2024-9465/config.yaml b/.appsec-tests/vpatch-CVE-2024-9465/config.yaml
new file mode 100644
index 00000000000..67977c41209
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-9465/config.yaml
@@ -0,0 +1,5 @@
+
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-9465.yaml
+nuclei_template: test-CVE-2024-9465.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-9465/test-CVE-2024-9465.yaml b/.appsec-tests/vpatch-CVE-2024-9465/test-CVE-2024-9465.yaml
new file mode 100644
index 00000000000..b35a43bb0f6
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-9465/test-CVE-2024-9465.yaml
@@ -0,0 +1,24 @@
+
+id: test-CVE-2024-9465
+info:
+ name: test-CVE-2024-9465
+ author: crowdsec
+ severity: info
+ description: test-CVE-2024-9465 testing
+ tags: appsec-testing
+http:
+ - raw:
+ - |
+ POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ action=import&type=test&project=pandbRBAC&signatureid=1%20AND%20(SELECT%201234%20FROM%20(SELECT(SLEEP(6)))test)
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - "status_code_1 == 403"
+
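Review bot: The two `#` comments are leftover scaffolding and the second one is now wrong: `#test will fail because we won't match http status` contradicts the `dsl` matchers directly below it, which assert `status_code_1 == 403` and `status_code_2 == 403`; drop both, or replace the second with a comment stating the expectation, e.g. `# both requests must be blocked (403) by vpatch-CVE-2024-51378`. The `info` block likewise still carries the template's `description: vpatch-CVE-2024-51378 testing` and `severity: info`. Both requests are positive cases only; a third request with a plain alphanumeric `statusfile` value, asserted in the `dsl` to be something other than 403, would pin the rule's false-positive boundary, and the same gap applies to test-CVE-2024-9465.yaml, which sends a single payload.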
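Review bot: The new file opens with an empty `+` line, and so do test-CVE-2024-9465.yaml and appsec-rules/crowdsecurity/vpatch-CVE-2024-9465.yaml in this commit, while the CVE-2024-51378 files start at their first key. The list items here sit at column 0 (`+- ./appsec-rules/...`) whereas vpatch-CVE-2024-51378/config.yaml indents them under `appsec-rules:`; both parse, but the two test directories added together should share one layout. The template is named `test-CVE-2024-9465.yaml` while the sibling directory names its template after the rule (`vpatch-CVE-2024-51378.yaml`), so the naming convention already diverges within this change.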
diff --git a/.index.json b/.index.json
index 93f9f23564d..bf6d258bc27 100644
--- a/.index.json
+++ b/.index.json
@@ -2562,6 +2562,33 @@
"type": "exploit"
}
},
+ "crowdsecurity/vpatch-CVE-2024-51378": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-51378.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "653a11bcbffccf620fa6d9875de7693f012fb9236f1c1c81cb85c26e3a34e7f2",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Cyberpanel - RCE (CVE-2024-51378)",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2024-51378",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-78"
+ ],
+ "confidence": 3,
+ "label": "Cyberpanel - RCE",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
"crowdsecurity/vpatch-CVE-2024-51567": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-51567.yaml",
"version": "0.1",
@@ -2702,6 +2729,37 @@ "type": "exploit" } }, + "crowdsecurity/vpatch-CVE-2024-9465": { + "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-9465.yaml", + "version": "0.2", + "versions": { + "0.1": { + "digest": "dd03339bbb9914dac0ed54ffb47db7688319e7fd5adc0350fafb15c694578d85", + "deprecated": false + }, + "0.2": { + "digest": "5a59243623d4743896c46163c63e3ad306e1b168624e663098e1ac473f35e80a", + "deprecated": false + } + }, + "content": "Cm5hbWU6IGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTk0NjUKZGVzY3JpcHRpb246ICJQYWxvIEFsdG8gRXhwZWRpdGlvbiAtIFNRTCBJbmplY3Rpb24gKENWRS0yMDI0LTk0NjUpIgpydWxlczoKICAtIGFuZDoKICAgIC0gem9uZXM6CiAgICAgIC0gTUVUSE9ECiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGVxdWFscwogICAgICAgIHZhbHVlOiBQT1NUCiAgICAtIHpvbmVzOgogICAgICAtIFVSSQogICAgICB0cmFuc2Zvcm06CiAgICAgIC0gbG93ZXJjYXNlCiAgICAgIC0gdXJsZGVjb2RlCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGNvbnRhaW5zCiAgICAgICAgdmFsdWU6ICIvYmluL2NvbmZpZ3VyYXRpb25zL3BhcnNlcnMvY2hlY2twb2ludC9jaGVja3BvaW50LnBocCIKICAgIC0gem9uZXM6CiAgICAgIC0gQk9EWV9BUkdTCiAgICAgIHZhcmlhYmxlczoKICAgICAgLSBzaWduYXR1cmVpZAogICAgICB0cmFuc2Zvcm06CiAgICAgIC0gdXJsZGVjb2RlCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IHJlZ2V4CiAgICAgICAgdmFsdWU6ICJbXmEtekEtWjAtOV0iCmxhYmVsczoKICB0eXBlOiBleHBsb2l0CiAgc2VydmljZTogaHR0cAogIGNvbmZpZGVuY2U6IDMKICBzcG9vZmFibGU6IDAKICBiZWhhdmlvcjogImh0dHA6ZXhwbG9pdCIKICBsYWJlbDogIlBhbG8gQWx0byBFeHBlZGl0aW9uIC0gU1FMIEluamVjdGlvbiIKICBjbGFzc2lmaWNhdGlvbjoKICAgLSBjdmUuQ1ZFLTIwMjQtOTQ2NQogICAtIGF0dGFjay5UMTU5NQogICAtIGF0dGFjay5UMTE5MAogICAtIGN3ZS5DV0UtODk=", + "description": "Palo Alto Expedition - SQL Injection (CVE-2024-9465)", + "author": "crowdsecurity", + "labels": { + "behavior": "http:exploit", + "classification": [ + "cve.CVE-2024-9465", + "attack.T1595", + "attack.T1190", + "cwe.CWE-89" + ], + "confidence": 3, + "label": "Palo Alto Expedition - SQL Injection", + "service": "http", + "spoofable": 0, + "type": "exploit" + } + }, "crowdsecurity/vpatch-CVE-2024-9474": { "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-9474.yaml", 
"version": "0.3", @@ -3615,7 +3673,7 @@ }, "crowdsecurity/appsec-virtual-patching": { "path": "collections/crowdsecurity/appsec-virtual-patching.yaml", - "version": "4.9", + "version": "5.1", "versions": { "0.1": { "digest": "a165d638c8d826a932e4ca4e70ec5379d558a0bee1356e871c7c92cc2df714fc", 
@@ -3812,10 +3870,18 @@ "4.9": { "digest": "138de42ce4e21da2d61b57592a50b511fbca5acde7acac6f4fafc803446c05ee", "deprecated": false + }, + "5.0": { + "digest": "5d58d44c4848c757e5ffa31fa37ab33a562c146101d621a2a6a16dd90c5f40d1", + "deprecated": false + }, + "5.1": { + "digest": "e479092a82f74d97aaaa20aae28a69e4543fc7f0edeb8ded09cafd1c4a9875b5", + "deprecated": false } }, "long_description": "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", - "content": "YXBwc2VjLWNvbmZpZ3M6Ci0gY3Jvd2RzZWN1cml0eS92aXJ0dWFsLXBhdGNoaW5nCi0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtZGVmYXVsdAphcHBzZWMtcnVsZXM6Ci0gY3Jvd2RzZWN1cml0eS9iYXNlLWNvbmZpZwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWVudi1hY2Nlc3MKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00MDA0NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE3LTk4NDEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xMTczOAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTI3OTI2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMzU5MTQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NjE2OQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMTk4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjI1MTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zMzYxNwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUxOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQyNzkzCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNTAxNjQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zODIwNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTI0NDg5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMzEyOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIxLTIyOTQxCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTktMTI5ODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NDg3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwNTYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjU1MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwMDA4NjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xMDAzMDMwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjI5NjUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzc1MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQ5MDcwCi0gY3Jvd2RzZ
WN1cml0eS92cGF0Y2gtbGFyYXZlbC1kZWJ1Zy1tb2RlCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjgxMjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xNzQ5NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTEzODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy03MDI4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDY4MDUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yMzg5NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIyNTI3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUwNzgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTA4MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTU0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTIxMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLXN5bWZvbnktcHJvZmlsZXIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1jb25uZWN0d2lzZS1hdXRoLWJ5cGFzcwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTIyMDI0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjcxOTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNDU3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5ODQ5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDcyMTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1naXQtY29uZmlnCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMzIxMTMKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjcyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjgyNTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yOTgyNAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3MzQ4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjAtNTkwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEzMzc5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjYxMzQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zNDEwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5OTczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDEwODIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xODkzNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTgxOTAKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yODk4NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODU2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTgtMjAwNjIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMS0yNjA4NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUxNTY3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ
1ZFLTIwMjQtMjc5NTYKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yNzk1NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTAwMTIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC05NDc0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNzU5MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUyMzAxCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtODk2MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODE2CmF1dGhvcjogY3Jvd2RzZWN1cml0eQpjb250ZXh0czoKLSBjcm93ZHNlY3VyaXR5L2FwcHNlY19iYXNlCmRlc2NyaXB0aW9uOiBhIGdlbmVyaWMgdmlydHVhbCBwYXRjaGluZyBjb2xsZWN0aW9uLCBzdWl0YWJsZSBmb3IgbW9zdCB3ZWIgc2VydmVycy4KbmFtZTogY3Jvd2RzZWN1cml0eS9hcHBzZWMtdmlydHVhbC1wYXRjaGluZwpwYXJzZXJzOgotIGNyb3dkc2VjdXJpdHkvYXBwc2VjLWxvZ3MKc2NlbmFyaW9zOgotIGNyb3dkc2VjdXJpdHkvYXBwc2VjLXZwYXRjaAo=", + "content": "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", "description": "a generic virtual patching collection, suitable for most web servers.", "author": "crowdsecurity", "labels": null, @@ -3900,7 +3966,9 @@ "crowdsecurity/vpatch-CVE-2024-7593", "crowdsecurity/vpatch-CVE-2024-52301", "crowdsecurity/vpatch-CVE-2024-8963", - "crowdsecurity/vpatch-CVE-2024-38816" + "crowdsecurity/vpatch-CVE-2024-38816", + "crowdsecurity/vpatch-CVE-2024-9465", + "crowdsecurity/vpatch-CVE-2024-51378" ], "appsec-configs": [ "crowdsecurity/virtual-patching", diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-51378.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-51378.yaml new file mode 100644 index 00000000000..43ffe338f84 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-51378.yaml 
@@ -0,0 +1,35 @@
+name: crowdsecurity/vpatch-CVE-2024-51378
+description: "Cyberpanel - RCE (CVE-2024-51378)"
+rules:
+ - and:
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: POST
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: regex
+ value: /(dns|ftp)/getresetstatus
+ - zones:
+ - BODY_ARGS
+ variables:
+ - json.statusfile
+ match:
+ type: regex
+ value: "[^a-zA-Z0-9/]"
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Cyberpanel - RCE"
+ classification:
+ - cve.CVE-2024-51378
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-78
\ No newline at end of file
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-9465.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-9465.yaml
new file mode 100644
index 00000000000..2c28783883a
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-9465.yaml
@@ -0,0 +1,39 @@
+
+name: crowdsecurity/vpatch-CVE-2024-9465
+description: "Palo Alto Expedition - SQL Injection (CVE-2024-9465)"
+rules:
+ - and:
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: POST
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: contains
+ value: "/bin/configurations/parsers/checkpoint/checkpoint.php"
+ - zones:
+ - BODY_ARGS
+ variables:
+ - signatureid
+ transform:
+ - urldecode
+ match:
+ type: regex
+ value: "[^a-zA-Z0-9]"
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Palo Alto Expedition - SQL Injection"
+ classification:
+ - cve.CVE-2024-9465
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-89
\ No newline at end of file
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
index 231df82881a..dc9e8122dc3 100644
--- a/collections/crowdsecurity/appsec-virtual-patching.yaml
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
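Review bot: The `URI` zone here runs only `- lowercase` before the regex `/(dns|ftp)/getresetstatus`, while the companion rule vpatch-CVE-2024-9465.yaml in this same commit runs `- lowercase` and `- urldecode` on that zone; unless the omission is deliberate, add `- urldecode` under `transform:` so both rules normalize the path the same way before matching. The `json.statusfile` allowlist `"[^a-zA-Z0-9/]"` also fires on `.`, `-` and `_`; if legitimate status-file names contain those characters this becomes a false-positive source — confirm against the application and record the assumed value shape next to the regex, e.g. `# statusfile is expected to be a bare path: letters, digits and '/' only`. `description` and `label` spell the product `Cyberpanel` whereas the existing CVE-2024-51567 entry in taxonomy/scenarios.json writes `CyberPanel`, and the new spelling is copied into .index.json and taxonomy/scenarios.json by this commit, so it is best fixed here at the source. Quoting the regex `value:` like the other `value:` strings, and ending the file with a newline (the `\ No newline at end of file` marker appears on vpatch-CVE-2024-9465.yaml as well), would round this off.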
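Review bot: The `signatureid` check is a bare allowlist `"[^a-zA-Z0-9]"` with nothing stating what a legitimate value looks like; a note such as `# signatureid is expected to be a plain numeric id; any other character is treated as injection` would make the false-positive risk reviewable, and if the application only ever sends digits the regex could be narrowed to `"[^0-9]"` — confirm before tightening. The `- urldecode` transform under `BODY_ARGS` re-decodes a value the engine has presumably already form-decoded; if that is meant to tolerate over-encoded benign values (so that an encoded digit is not flagged by the allowlist), say so in a comment, otherwise it is unexplained behaviour that the sibling rule for CVE-2024-51378 does not apply to its body argument.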
@@ -77,6 +77,8 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-52301 - crowdsecurity/vpatch-CVE-2024-8963 - crowdsecurity/vpatch-CVE-2024-38816 +- crowdsecurity/vpatch-CVE-2024-9465 +- crowdsecurity/vpatch-CVE-2024-51378 author: crowdsecurity contexts: - crowdsecurity/appsec_base
diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json
index 6a7b49484ee..e57c1863778 100644
--- a/taxonomy/scenarios.json
+++ b/taxonomy/scenarios.json
@@ -1638,6 +1638,28 @@
"CWE-707"
]
},
+ "crowdsecurity/vpatch-CVE-2024-51378": {
+ "name": "crowdsecurity/vpatch-CVE-2024-51378",
+ "description": "Cyberpanel - RCE (CVE-2024-51378)",
+ "label": "Cyberpanel - RCE",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2024-51378"
+ ],
+ "cwes": [
+ "CWE-78"
+ ]
+ },
"crowdsecurity/vpatch-CVE-2024-51567": {
"name": "crowdsecurity/vpatch-CVE-2024-51567",
"description": "CyberPanel RCE (CVE-2024-51567)",
@@ -1749,6 +1771,28 @@
"CWE-22"
]
},
+ "crowdsecurity/vpatch-CVE-2024-9465": {
+ "name": "crowdsecurity/vpatch-CVE-2024-9465",
+ "description": "Palo Alto Expedition - SQL Injection (CVE-2024-9465)",
+ "label": "Palo Alto Expedition - SQL Injection",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2024-9465"
+ ],
+ "cwes": [
+ "CWE-89"
+ ]
+ },
"crowdsecurity/vpatch-CVE-2024-9474": {
"name": "crowdsecurity/vpatch-CVE-2024-9474",
"description": "PanOS - Privilege Escalation (CVE-2024-9474)",