From 4518153df53f6b505dff31377bb452a0a244f26f Mon Sep 17 00:00:00 2001
From: AlteredCoder <64792091+AlteredCoder@users.noreply.github.com>
Date: Tue, 26 Mar 2024 11:14:34 +0100
Subject: [PATCH] Add CVE-2024-22024 vpatch rule (#1010)

* Add CVE-2024-22024 vpatch rule
---
 .../CVE-2024-22024/CVE-2024-22024.yaml        | 24 ++++++++++++
 .appsec-tests/CVE-2024-22024/config.yaml      |  3 ++
 .index.json                                   |  2 +-
 .../crowdsecurity/vpatch-CVE-2024-22024.yaml  | 39 +++++++++++++++++++
 .../appsec-virtual-patching.yaml              |  1 +
 taxonomy/scenarios.json                       | 22 +++++++++++
 6 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100755 .appsec-tests/CVE-2024-22024/CVE-2024-22024.yaml
 create mode 100644 .appsec-tests/CVE-2024-22024/config.yaml
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-22024.yaml

diff --git a/.appsec-tests/CVE-2024-22024/CVE-2024-22024.yaml b/.appsec-tests/CVE-2024-22024/CVE-2024-22024.yaml
new file mode 100755
index 00000000000..80dfd476925
--- /dev/null
+++ b/.appsec-tests/CVE-2024-22024/CVE-2024-22024.yaml
@@ -0,0 +1,24 @@
+id: CVE-2024-22024
+info:
+  name: CVE-2024-22024
+  author: crowdsec
+  severity: info
+  description: CVE-2024-22024 testing
+  tags: appsec-testing
+
+variables:
+  payload: ' %watchTowr;]>'
+
+http:
+  - raw:
+    - |
+      POST /dana-na/auth/saml-sso.cgi HTTP/1.1
+      Host: {{Hostname}}
+      Content-Type: application/x-www-form-urlencoded
+
+      SAMLRequest={{base64(payload)}}
+    matchers:
+      - type: status
+        status:
+          - 403
diff --git a/.appsec-tests/CVE-2024-22024/config.yaml b/.appsec-tests/CVE-2024-22024/config.yaml
new file mode 100644
index 00000000000..0e44a07b5f9
--- /dev/null
+++ b/.appsec-tests/CVE-2024-22024/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-22024.yaml
+nuclei_template: CVE-2024-22024.yaml
diff --git a/.index.json b/.index.json
index e793b4738a7..3e895aff476 100644
--- a/.index.json
+++ b/.index.json
@@ -15004,4 +15004,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
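Review bot: The matcher at the end of the CVE-2024-22024.yaml template only asserts a 403 status, so the test also passes when the request is blocked by an unrelated rule or by the target for any other reason, and it cannot distinguish a genuine detection by vpatch-CVE-2024-22024 from a false positive on a benign SAMLRequest. If the harness exposes which rule fired (nothing here suggests it does), add a matcher on that; otherwise a second request carrying a harmless base64 SAMLRequest that expects a non-403 status would at least guard against the rule over-matching, and a comment such as `# 403 is the only observable signal; both requests share the same endpoint` would record the limitation. The `payload` value as it appears on this page, `' %watchTowr;]>'`, looks truncated (a bare entity reference with no preceding document declaration), which is probably an extraction artefact rather than the committed content, but it is worth confirming that the committed file carries the complete document that the rule's `contains` match is written against.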
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-22024.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-22024.yaml
new file mode 100644
index 00000000000..6076d7d1602
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-22024.yaml
@@ -0,0 +1,39 @@
+name: crowdsecurity/vpatch-CVE-2024-22024
+description: "Ivanti Connect Secure - XXE (CVE-2024-22024)"
+rules:
+  - and:
+    - zones:
+      - METHOD
+      match:
+        type: equals
+        value: POST
+    - zones:
+      - URI
+      transform:
+        - lowercase
+      match:
+        type: endsWith
+        value: "/dana-na/auth/saml-sso.cgi"
+    - zones:
+      - BODY_ARGS
+      transform:
+        - b64decode
+      variables:
+        - SAMLRequest
+      match:
+        type: contains
+        value: "