From 47ef21df1fc53126d142bb58e12d1bbcbba61e45 Mon Sep 17 00:00:00 2001
From: Emanuel Seemann <3380606+seemanne@users.noreply.github.com>
Date: Fri, 22 Mar 2024 13:30:34 +0100
Subject: [PATCH 1/7] add CVE-2024-1212 vpatch and tests
---
 .../CVE-2024-1212/CVE-2024-1212.yaml | 17 +++++++++++++++
 .appsec-tests/CVE-2024-1212/config.yaml | 3 +++
 .../crowdsecurity/vpatch-CVE-2024-1212.yaml | 21 +++++++++++++++++++
 .../appsec-virtual-patching.yaml | 1 +
 4 files changed, 42 insertions(+)
 create mode 100755 .appsec-tests/CVE-2024-1212/CVE-2024-1212.yaml
 create mode 100644 .appsec-tests/CVE-2024-1212/config.yaml
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml
diff --git a/.appsec-tests/CVE-2024-1212/CVE-2024-1212.yaml b/.appsec-tests/CVE-2024-1212/CVE-2024-1212.yaml
new file mode 100755
index 00000000000..a43bbe376d8
--- /dev/null
+++ b/.appsec-tests/CVE-2024-1212/CVE-2024-1212.yaml
@@ -0,0 +1,17 @@
+id: CVE-2024-1212
+info:
+ name: CVE-2024-1212
+ author: crowdsec
+ severity: info
+ description: CVE-2024-1212 testing
+ tags: appsec-testing
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/access/set?param=enableapi&value=1"
+ headers:
+ Authorization: "Basic JztsczsnOmRvZXNub3RtYXR0ZXI="
+ matchers:
+ - type: status
+ status:
+ - 403
diff --git a/.appsec-tests/CVE-2024-1212/config.yaml b/.appsec-tests/CVE-2024-1212/config.yaml
new file mode 100644
index 00000000000..086ff574db5
--- /dev/null
+++ b/.appsec-tests/CVE-2024-1212/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml
+nuclei_template: CVE-2024-1212.yaml
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml
new file mode 100644
index 00000000000..81644f8b6eb
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml
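Review bot: The template is committed with `new file mode 100755` while the sibling `config.yaml` in the same commit is 100644; a Nuclei YAML template is data and does not need the executable bit, so `100644` keeps the two test files consistent. The single request only asserts that the crafted `Authorization` header yields a 403, so the test cannot distinguish a correct block from a rule that rejects every Basic-auth request to `/access/set`; a second request with benign credentials that is expected not to return 403 would pin the false-positive side as well. `description: CVE-2024-1212 testing` could state the expectation, e.g. `description: CVE-2024-1212 - crafted Basic-auth header to /access/set must be blocked (403)`.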
@@ -0,0 +1,21 @@
+name: crowdsecurity/vpatch-CVE-2024-1212
+description: "Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-1212)"
+rules:
+ - zones:
+ - HEADERS
+ match:
+ type: contains
+ value: 'Jzt' #b64encode of ';
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "LoadMaster UCI"
+ references:
+ - https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
+ classification:
+ - cve.CVE-2024-1212
+ - attack.T1595
+ - attack.T1190
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
index b310f4dc676..07c266262d2 100644
--- a/collections/crowdsecurity/appsec-virtual-patching.yaml
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -39,6 +39,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2023-35078
 - crowdsecurity/vpatch-CVE-2023-35082
 - crowdsecurity/vpatch-CVE-2022-22954
+ - crowdsecurity/vpatch-CVE-2024-1212
 - crowdsecurity/vpatch-symfony-profiler
 - crowdsecurity/vpatch-connectwise-auth-bypass
 appsec-configs:
From 7d7b77fe9590ccddc0f5fce8ba4d7ed8870b91e4 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Fri, 22 Mar 2024 12:31:25 +0000
Subject: [PATCH 2/7] Update index
---
 .index.json | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)
diff --git a/.index.json b/.index.json
index 39ddb3e42e9..7862382092a 100644
--- a/.index.json
+++ b/.index.json
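Review bot: The literal `'Jzt'` in the `match` block is narrower than the comment `#b64encode of ';` suggests: those three base64 characters encode the bytes `';` only when they sit at the very start of the encoded input and the following byte lies in 0x40–0x7F (as in the test payload, where `l` follows), so the same characters at any other offset in the credential encode differently and are not seen by this `contains`. Matching on the decoded value would be more robust if the engine offers a base64-decoding transform for the `HEADERS` zone; otherwise the comment should at least state the assumption, e.g. `# 'Jzt' = base64 of "';" plus one byte in 0x40-0x7f, at offset 0 (see the test payload)`. The same literal is carried unchanged into the 3/7 and 6/7 revisions of this file. Style: yamllint expects two spaces before an inline comment, `value: 'Jzt'  # ...`.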
@@ -1313,6 +1313,35 @@ "type": "exploit" } }, + "crowdsecurity/vpatch-CVE-2024-1212": { + "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "3326d798f61d7c8958a55949f3867b13d88f86483eed381947596e8f4596f3ea", + "deprecated": false + } + }, + "content": "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", + "description": "Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-1212)", + "author": "crowdsecurity", + "labels": { + "behavior": "http:exploit", + "classification": [ + "cve.CVE-2024-1212", + "attack.T1595", + "attack.T1190" + ], + "confidence": 3, + "label": "LoadMaster UCI", + "references": [ + "https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/" + ], + "service": "http", + "spoofable": 0, + "type": "exploit" + } + }, "crowdsecurity/vpatch-CVE-2024-23897": { "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-23897.yaml", "version": "0.3", @@ -2111,7 +2140,7 @@ }, "crowdsecurity/appsec-virtual-patching": { "path": "collections/crowdsecurity/appsec-virtual-patching.yaml", - "version": "2.0", + "version": "2.1", "versions": { "0.1": { "digest": "a165d638c8d826a932e4ca4e70ec5379d558a0bee1356e871c7c92cc2df714fc", @@ -2192,10 +2221,14 @@ "2.0": { "digest": "c09ee7339dbed0c05974f8ef4d04770f31e7898aef1438a73f29cffb364f5fe1", "deprecated": false + }, + "2.1": { + "digest": "fc1ef8a2e1323bce88166aa776062c6aa25b22da058200d60d541209fdd82157", + "deprecated": false } }, "long_description": "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", - "content": "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", + "content": "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", "description": "a generic virtual patching collection, suitable for most web servers.", "author": "crowdsecurity", "labels": null, 
@@ -2245,6 +2278,7 @@ "crowdsecurity/vpatch-CVE-2023-35078", "crowdsecurity/vpatch-CVE-2023-35082", "crowdsecurity/vpatch-CVE-2022-22954", + "crowdsecurity/vpatch-CVE-2024-1212", "crowdsecurity/vpatch-symfony-profiler", "crowdsecurity/vpatch-connectwise-auth-bypass" ],
From 76b2bc471c0c9d26747125016703297cd76e2280 Mon Sep 17 00:00:00 2001
From: Emanuel Seemann <3380606+seemanne@users.noreply.github.com>
Date: Fri, 22 Mar 2024 13:39:52 +0100
Subject: [PATCH 3/7] small change to remove fp
---
 appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml
index 81644f8b6eb..58cbbdba61c 100644
--- a/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml
@@ -3,9 +3,11 @@ description: "Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-20
 rules:
 - zones:
 - HEADERS
+ variables:
+ - Authorization
 match:
 type: contains
- value: 'Jzt' #b64encode of ';
+ value: 'Basic Jzt' #b64encode of ';
 labels:
 type: exploit
 service: http
From 3d6f2ad8b9d7c380780809e76b1933f9d41fa7d6 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Fri, 22 Mar 2024 12:41:00 +0000
Subject: [PATCH 4/7] Update index
---
 .index.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.index.json b/.index.json
index 7862382092a..711abfc7da9 100644
--- a/.index.json
+++ b/.index.json
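Review bot: `value: 'Basic Jzt'` hard-codes the scheme's case and a single separating space, but RFC 7617 makes the `Basic` auth-scheme token case-insensitive and RFC 7235 allows one or more spaces before the credentials, so the rule covers only the canonical spelling; adding `transform:` / `  - lowercase` to this rule and matching `value: 'basic jzt'` removes the case dependency at no cost, since the base64 prefix is lowercased on both sides. Whether the new `variables: - Authorization` is compared case-insensitively against the incoming header name depends on the engine's header normalization and is not visible here; worth confirming, because header names are case-insensitive on the wire. The `labels` mapping continues past the end of the hunk.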
@@ -1315,14 +1315,18 @@ }, "crowdsecurity/vpatch-CVE-2024-1212": { "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml", - "version": "0.1", + "version": "0.2", "versions": { "0.1": { "digest": "3326d798f61d7c8958a55949f3867b13d88f86483eed381947596e8f4596f3ea", "deprecated": false + }, + "0.2": { + "digest": "0819184b4cda6c3ef48cf2fde19c4a5a9dde6a3389b0ad0c4a65df61de3247d0", + "deprecated": false } }, - "content": "bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTIxMgpkZXNjcmlwdGlvbjogIlByb2dyZXNzIEtlbXAgTG9hZE1hc3RlciBVbmF1dGhlbnRpY2F0ZWQgQ29tbWFuZCBJbmplY3Rpb24gKENWRS0yMDI0LTEyMTIpIgpydWxlczoKICAtIHpvbmVzOgogICAgLSBIRUFERVJTCiAgICBtYXRjaDoKICAgICAgdHlwZTogY29udGFpbnMKICAgICAgdmFsdWU6ICdKenQnICNiNjRlbmNvZGUgb2YgJzsKbGFiZWxzOgogIHR5cGU6IGV4cGxvaXQKICBzZXJ2aWNlOiBodHRwCiAgY29uZmlkZW5jZTogMwogIHNwb29mYWJsZTogMAogIGJlaGF2aW9yOiAiaHR0cDpleHBsb2l0IgogIGxhYmVsOiAiTG9hZE1hc3RlciBVQ0kiCiAgcmVmZXJlbmNlczoKICAtIGh0dHBzOi8vcmhpbm9zZWN1cml0eWxhYnMuY29tL3Jlc2VhcmNoL2N2ZS0yMDI0LTEyMTJ1bmF1dGhlbnRpY2F0ZWQtY29tbWFuZC1pbmplY3Rpb24taW4tcHJvZ3Jlc3Mta2VtcC1sb2FkbWFzdGVyLwogIGNsYXNzaWZpY2F0aW9uOgogICAtIGN2ZS5DVkUtMjAyNC0xMjEyCiAgIC0gYXR0YWNrLlQxNTk1CiAgIC0gYXR0YWNrLlQxMTkwCg==", + "content": 
"bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTIxMgpkZXNjcmlwdGlvbjogIlByb2dyZXNzIEtlbXAgTG9hZE1hc3RlciBVbmF1dGhlbnRpY2F0ZWQgQ29tbWFuZCBJbmplY3Rpb24gKENWRS0yMDI0LTEyMTIpIgpydWxlczoKICAtIHpvbmVzOgogICAgLSBIRUFERVJTCiAgICB2YXJpYWJsZXM6CiAgICAtIEF1dGhvcml6YXRpb24KICAgIG1hdGNoOgogICAgICB0eXBlOiBjb250YWlucwogICAgICB2YWx1ZTogJ0Jhc2ljIEp6dCcgI2I2NGVuY29kZSBvZiAnOwpsYWJlbHM6CiAgdHlwZTogZXhwbG9pdAogIHNlcnZpY2U6IGh0dHAKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgYmVoYXZpb3I6ICJodHRwOmV4cGxvaXQiCiAgbGFiZWw6ICJMb2FkTWFzdGVyIFVDSSIKICByZWZlcmVuY2VzOgogIC0gaHR0cHM6Ly9yaGlub3NlY3VyaXR5bGFicy5jb20vcmVzZWFyY2gvY3ZlLTIwMjQtMTIxMnVuYXV0aGVudGljYXRlZC1jb21tYW5kLWluamVjdGlvbi1pbi1wcm9ncmVzcy1rZW1wLWxvYWRtYXN0ZXIvCiAgY2xhc3NpZmljYXRpb246CiAgIC0gY3ZlLkNWRS0yMDI0LTEyMTIKICAgLSBhdHRhY2suVDE1OTUKICAgLSBhdHRhY2suVDExOTAK", "description": "Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-1212)", "author": "crowdsecurity", "labels": { From 0eaa605fe2d8408611a44bf3376e0fa99994dc52 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 22 Mar 2024 12:41:06 +0000 Subject: [PATCH 5/7] Update taxonomy --- taxonomy/scenarios.json | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json index 672b5c15756..6a401bbf780 100644 --- a/taxonomy/scenarios.json +++ b/taxonomy/scenarios.json @@ -760,6 +760,25 @@ "CVE-2023-7028" ] }, + "crowdsecurity/vpatch-CVE-2024-1212": { + "name": "crowdsecurity/vpatch-CVE-2024-1212", + "description": "Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-1212)", + "label": "LoadMaster UCI", + "behaviors": [ + "http:exploit" + ], + "mitre_attacks": [ + "TA0043:T1595", + "TA0001:T1190" + ], + "confidence": 3, + "spoofable": 0, + "cti": true, + "service": "http", + "cves": [ + "CVE-2024-1212" + ] + }, "crowdsecurity/vpatch-CVE-2024-23897": { "name": "crowdsecurity/vpatch-CVE-2024-23897", "description": "Jenkins CLI RCE (CVE-2023-50164)", 
From 66a2363caf01219a07651085352ff2c57d4d5276 Mon Sep 17 00:00:00 2001
From: Emanuel Seemann <3380606+seemanne@users.noreply.github.com>
Date: Mon, 25 Mar 2024 11:37:30 +0100
Subject: [PATCH 6/7] match on url as well to be safe
---
 .../crowdsecurity/vpatch-CVE-2024-1212.yaml | 22 +++++++++++++------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml
index 58cbbdba61c..3fe4c53592a 100644
--- a/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml
@@ -1,13 +1,21 @@
 name: crowdsecurity/vpatch-CVE-2024-1212
 description: "Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-1212)"
 rules:
- - zones:
- - HEADERS
- variables:
- - Authorization
- match:
- type: contains
- value: 'Basic Jzt' #b64encode of ';
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: contains
+ value: /access/set
+ - zones:
+ - HEADERS
+ variables:
+ - Authorization
+ match:
+ type: contains
+ value: 'Basic Jzt' #b64encode of ';
 labels:
 type: exploit
 service: http
From 403d41f9a9e5f5ff7b385cbb0fca726b3e12c169 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Mon, 25 Mar 2024 10:38:36 +0000
Subject: [PATCH 7/7] Update index
---
 .index.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.index.json b/.index.json
index 711abfc7da9..0440562a07e 100644
--- a/.index.json
+++ b/.index.json
@@ -1315,7 +1315,7 @@ }, "crowdsecurity/vpatch-CVE-2024-1212": { "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml", - "version": "0.2", + "version": "0.3", "versions": { "0.1": { "digest": "3326d798f61d7c8958a55949f3867b13d88f86483eed381947596e8f4596f3ea",
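Review bot: The new `URI` condition lowercases the path but nothing in the hunk percent-decodes or normalizes it before the `contains` on `/access/set`, so whether an encoded or dot-segment spelling of the same path still satisfies the rule depends on what the engine does to the `URI` zone before transforms run; if it does not decode, a URL-decoding or path-normalizing transform (where the engine provides one) belongs in the same `transform:` list. The `and:` ties the path check to the `Authorization` check, which is the right shape for cutting the false positives the bare `'Jzt'` match produced, but the file does not say so; a one-line comment above `- and:`, e.g. `# both the LoadMaster API path and the injected Basic credential must be present`, would spare the next reader a trip to the git log. The `labels` mapping continues past the end of the hunk.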
@@ -1324,9 +1324,13 @@ "0.2": { "digest": "0819184b4cda6c3ef48cf2fde19c4a5a9dde6a3389b0ad0c4a65df61de3247d0", "deprecated": false + }, + "0.3": { + "digest": "58256c07b3c6e43e42f125bb0b735b31ec621e17c3067ededc97b9fc5cc239a7", + "deprecated": false } }, - "content": "bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTIxMgpkZXNjcmlwdGlvbjogIlByb2dyZXNzIEtlbXAgTG9hZE1hc3RlciBVbmF1dGhlbnRpY2F0ZWQgQ29tbWFuZCBJbmplY3Rpb24gKENWRS0yMDI0LTEyMTIpIgpydWxlczoKICAtIHpvbmVzOgogICAgLSBIRUFERVJTCiAgICB2YXJpYWJsZXM6CiAgICAtIEF1dGhvcml6YXRpb24KICAgIG1hdGNoOgogICAgICB0eXBlOiBjb250YWlucwogICAgICB2YWx1ZTogJ0Jhc2ljIEp6dCcgI2I2NGVuY29kZSBvZiAnOwpsYWJlbHM6CiAgdHlwZTogZXhwbG9pdAogIHNlcnZpY2U6IGh0dHAKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgYmVoYXZpb3I6ICJodHRwOmV4cGxvaXQiCiAgbGFiZWw6ICJMb2FkTWFzdGVyIFVDSSIKICByZWZlcmVuY2VzOgogIC0gaHR0cHM6Ly9yaGlub3NlY3VyaXR5bGFicy5jb20vcmVzZWFyY2gvY3ZlLTIwMjQtMTIxMnVuYXV0aGVudGljYXRlZC1jb21tYW5kLWluamVjdGlvbi1pbi1wcm9ncmVzcy1rZW1wLWxvYWRtYXN0ZXIvCiAgY2xhc3NpZmljYXRpb246CiAgIC0gY3ZlLkNWRS0yMDI0LTEyMTIKICAgLSBhdHRhY2suVDE1OTUKICAgLSBhdHRhY2suVDExOTAK", + "content": "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", "description": "Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-1212)", "author": "crowdsecurity", "labels": {