Skip to content

Add vpatch rule for CVE-2024-9465 and CVE-2024-51378 #1227

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
blotus merged 9 commits into from
Jan 21, 2025
Merged

Add vpatch rule for CVE-2024-9465 and CVE-2024-51378 #1227

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
26b27f2
add vpatch rules for CVE-2024-9465
blotus Jan 21, 2025
f52f5ee
Update index
actions-user Jan 21, 2025
c09c393
Update taxonomy
actions-user Jan 21, 2025
83d310e
fix cve classif for CVE-2024-9465
blotus Jan 21, 2025
68c47f3
Update taxonomy
actions-user Jan 21, 2025
07d54db
Update index
actions-user Jan 21, 2025
075c861
add vpatch for CVE-2024-51378
blotus Jan 21, 2025
67edfce
Update index
actions-user Jan 21, 2025
b4ae802
Update taxonomy
actions-user Jan 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-51378/config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-51378.yaml
nuclei_template: vpatch-CVE-2024-51378.yaml
30 changes: 30 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-51378/vpatch-CVE-2024-51378.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
id: vpatch-CVE-2024-51378
info:
name: vpatch-CVE-2024-51378
author: crowdsec
severity: info
description: vpatch-CVE-2024-51378 testing
tags: appsec-testing
http:
#this is a dummy request, edit the request(s) to match your needs
- raw:
- |
POST /dns/getresetstatus HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"statusfile": "; id > /tmp/id;#"}
- |
POST /ftp/getresetstatus HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"statusfile": "; id > /tmp/id;#"}
cookie-reuse: true
#test will fail because we won't match http status
matchers:
- type: dsl
condition: and
dsl:
- 'status_code_1 == 403'
- 'status_code_2 == 403'
5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-9465/config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@

appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-9465.yaml
nuclei_template: test-CVE-2024-9465.yaml
24 changes: 24 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-9465/test-CVE-2024-9465.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@

id: test-CVE-2024-9465
info:
name: test-CVE-2024-9465
author: crowdsec
severity: info
description: test-CVE-2024-9465 testing
tags: appsec-testing
http:
- raw:
- |
POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

action=import&type=test&project=pandbRBAC&signatureid=1%20AND%20(SELECT%201234%20FROM%20(SELECT(SLEEP(6)))test)

cookie-reuse: true
matchers:
- type: dsl
condition: and
dsl:
- "status_code_1 == 403"

74 changes: 71 additions & 3 deletions .index.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2562,6 +2562,33 @@
"type": "exploit"
}
},
"crowdsecurity/vpatch-CVE-2024-51378": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-51378.yaml",
"version": "0.1",
"versions": {
"0.1": {
"digest": "653a11bcbffccf620fa6d9875de7693f012fb9236f1c1c81cb85c26e3a34e7f2",
"deprecated": false
}
},
"content": "bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNTEzNzgKZGVzY3JpcHRpb246ICJDeWJlcnBhbmVsIC0gUkNFIChDVkUtMjAyNC01MTM3OCkiCnJ1bGVzOgogIC0gYW5kOgogICAgLSB6b25lczoKICAgICAgLSBNRVRIT0QKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZXF1YWxzCiAgICAgICAgdmFsdWU6IFBPU1QKICAgIC0gem9uZXM6CiAgICAgIC0gVVJJCiAgICAgIHRyYW5zZm9ybToKICAgICAgLSBsb3dlcmNhc2UKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogcmVnZXgKICAgICAgICB2YWx1ZTogLyhkbnN8ZnRwKS9nZXRyZXNldHN0YXR1cwogICAgLSB6b25lczoKICAgICAgLSBCT0RZX0FSR1MKICAgICAgdmFyaWFibGVzOgogICAgICAgLSBqc29uLnN0YXR1c2ZpbGUKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogcmVnZXgKICAgICAgICB2YWx1ZTogIlteYS16QS1aMC05L10iCmxhYmVsczoKICB0eXBlOiBleHBsb2l0CiAgc2VydmljZTogaHR0cAogIGNvbmZpZGVuY2U6IDMKICBzcG9vZmFibGU6IDAKICBiZWhhdmlvcjogImh0dHA6ZXhwbG9pdCIKICBsYWJlbDogIkN5YmVycGFuZWwgLSBSQ0UiCiAgY2xhc3NpZmljYXRpb246CiAgIC0gY3ZlLkNWRS0yMDI0LTUxMzc4CiAgIC0gYXR0YWNrLlQxNTk1CiAgIC0gYXR0YWNrLlQxMTkwCiAgIC0gY3dlLkNXRS03OA==",
"description": "Cyberpanel - RCE (CVE-2024-51378)",
"author": "crowdsecurity",
"labels": {
"behavior": "http:exploit",
"classification": [
"cve.CVE-2024-51378",
"attack.T1595",
"attack.T1190",
"cwe.CWE-78"
],
"confidence": 3,
"label": "Cyberpanel - RCE",
"service": "http",
"spoofable": 0,
"type": "exploit"
}
},
"crowdsecurity/vpatch-CVE-2024-51567": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-51567.yaml",
"version": "0.1",
Expand Down Expand Up @@ -2702,6 +2729,37 @@
"type": "exploit"
}
},
"crowdsecurity/vpatch-CVE-2024-9465": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-9465.yaml",
"version": "0.2",
"versions": {
"0.1": {
"digest": "dd03339bbb9914dac0ed54ffb47db7688319e7fd5adc0350fafb15c694578d85",
"deprecated": false
},
"0.2": {
"digest": "5a59243623d4743896c46163c63e3ad306e1b168624e663098e1ac473f35e80a",
"deprecated": false
}
},
"content": "Cm5hbWU6IGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTk0NjUKZGVzY3JpcHRpb246ICJQYWxvIEFsdG8gRXhwZWRpdGlvbiAtIFNRTCBJbmplY3Rpb24gKENWRS0yMDI0LTk0NjUpIgpydWxlczoKICAtIGFuZDoKICAgIC0gem9uZXM6CiAgICAgIC0gTUVUSE9ECiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGVxdWFscwogICAgICAgIHZhbHVlOiBQT1NUCiAgICAtIHpvbmVzOgogICAgICAtIFVSSQogICAgICB0cmFuc2Zvcm06CiAgICAgIC0gbG93ZXJjYXNlCiAgICAgIC0gdXJsZGVjb2RlCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGNvbnRhaW5zCiAgICAgICAgdmFsdWU6ICIvYmluL2NvbmZpZ3VyYXRpb25zL3BhcnNlcnMvY2hlY2twb2ludC9jaGVja3BvaW50LnBocCIKICAgIC0gem9uZXM6CiAgICAgIC0gQk9EWV9BUkdTCiAgICAgIHZhcmlhYmxlczoKICAgICAgLSBzaWduYXR1cmVpZAogICAgICB0cmFuc2Zvcm06CiAgICAgIC0gdXJsZGVjb2RlCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IHJlZ2V4CiAgICAgICAgdmFsdWU6ICJbXmEtekEtWjAtOV0iCmxhYmVsczoKICB0eXBlOiBleHBsb2l0CiAgc2VydmljZTogaHR0cAogIGNvbmZpZGVuY2U6IDMKICBzcG9vZmFibGU6IDAKICBiZWhhdmlvcjogImh0dHA6ZXhwbG9pdCIKICBsYWJlbDogIlBhbG8gQWx0byBFeHBlZGl0aW9uIC0gU1FMIEluamVjdGlvbiIKICBjbGFzc2lmaWNhdGlvbjoKICAgLSBjdmUuQ1ZFLTIwMjQtOTQ2NQogICAtIGF0dGFjay5UMTU5NQogICAtIGF0dGFjay5UMTE5MAogICAtIGN3ZS5DV0UtODk=",
"description": "Palo Alto Expedition - SQL Injection (CVE-2024-9465)",
"author": "crowdsecurity",
"labels": {
"behavior": "http:exploit",
"classification": [
"cve.CVE-2024-9465",
"attack.T1595",
"attack.T1190",
"cwe.CWE-89"
],
"confidence": 3,
"label": "Palo Alto Expedition - SQL Injection",
"service": "http",
"spoofable": 0,
"type": "exploit"
}
},
"crowdsecurity/vpatch-CVE-2024-9474": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-9474.yaml",
"version": "0.3",
Expand Down Expand Up @@ -3615,7 +3673,7 @@
},
"crowdsecurity/appsec-virtual-patching": {
"path": "collections/crowdsecurity/appsec-virtual-patching.yaml",
"version": "4.9",
"version": "5.1",
"versions": {
"0.1": {
"digest": "a165d638c8d826a932e4ca4e70ec5379d558a0bee1356e871c7c92cc2df714fc",
Expand Down Expand Up @@ -3812,10 +3870,18 @@
"4.9": {
"digest": "138de42ce4e21da2d61b57592a50b511fbca5acde7acac6f4fafc803446c05ee",
"deprecated": false
},
"5.0": {
"digest": "5d58d44c4848c757e5ffa31fa37ab33a562c146101d621a2a6a16dd90c5f40d1",
"deprecated": false
},
"5.1": {
"digest": "e479092a82f74d97aaaa20aae28a69e4543fc7f0edeb8ded09cafd1c4a9875b5",
"deprecated": false
}
},
"long_description": "IyBBcHBTZWMgVmlydHVhbCBQYXRjaGluZwoKVGhpcyBjb2xsZWN0aW9uIGNvbnRhaW5zIHZpcnR1YWwgcGF0Y2hpbmcgZm9yIGNvbW1vbmx5IGV4cGxvaXRlZCB2dWxuZXJhYmlsaXRpZXMsIGFuZCBpcyBpbnNwaXJlZCBieSB0aGUgW0NJU0EgS25vd24gRXhwbG9pdGVkIFZ1bG5lcmFiaWxpdGllcyBDYXRhbG9nXShodHRwczovL3d3dy5jaXNhLmdvdi9rbm93bi1leHBsb2l0ZWQtdnVsbmVyYWJpbGl0aWVzLWNhdGFsb2cpLiBUaGUgZ29hbCBpcyB0byBwcm92aWRlIHZpcnR1YWwgcGF0Y2hpbmcgY2FwYWJpbGl0aWVzIGZvciB0aGUgbW9zdCBvZnRlbiBleHBsb2l0ZWQgdnVsbmVyYWJpbGl0aWVzLCBhdm9pZGluZyBmYWxzZSBwb3NpdGl2ZXMgd2hpbGUgY2F0Y2hpbmcgcGVvcGxlIHNjb3V0aW5nIHlvdXIgYXBwbGljYXRpb25zIGZvciBqdWljeSB2dWxuZXJhYmlsaXRpZXMuCg==",
"content": "YXBwc2VjLWNvbmZpZ3M6Ci0gY3Jvd2RzZWN1cml0eS92aXJ0dWFsLXBhdGNoaW5nCi0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtZGVmYXVsdAphcHBzZWMtcnVsZXM6Ci0gY3Jvd2RzZWN1cml0eS9iYXNlLWNvbmZpZwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWVudi1hY2Nlc3MKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00MDA0NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE3LTk4NDEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xMTczOAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTI3OTI2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMzU5MTQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NjE2OQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMTk4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjI1MTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zMzYxNwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUxOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQyNzkzCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNTAxNjQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zODIwNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTI0NDg5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMzEyOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIxLTIyOTQxCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTktMTI5ODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NDg3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwNTYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjU1MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwMDA4NjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xMDAzMDMwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjI5NjUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzc1MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQ5MDcwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtbGFyYXZlbC1kZWJ1Zy1tb2RlCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjgxMjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xNzQ5NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTEzODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy03MDI4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDY4MDUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yMzg5NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIyNTI3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUwNzgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTA4MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTU0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTIxMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLXN5bWZvbnktcHJvZmlsZXIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1jb25uZWN0d2lzZS1hdXRoLWJ5cGFzcwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTIyMDI0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjcxOTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNDU3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5ODQ5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDcyMTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1naXQtY29uZmlnCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMzIxMTMKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjcyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjgyNTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yOTgyNAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3MzQ4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjAtNTkwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEzMzc5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjYxMzQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zNDEwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5OTczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDEwODIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xODkzNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTgxOTAKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yODk4NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODU2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTgtMjAwNjIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMS0yNjA4NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUxNTY3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjc5NTYKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yNzk1NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTAwMTIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC05NDc0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNzU5MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUyMzAxCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtODk2MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODE2CmF1dGhvcjogY3Jvd2RzZWN1cml0eQpjb250ZXh0czoKLSBjcm93ZHNlY3VyaXR5L2FwcHNlY19iYXNlCmRlc2NyaXB0aW9uOiBhIGdlbmVyaWMgdmlydHVhbCBwYXRjaGluZyBjb2xsZWN0aW9uLCBzdWl0YWJsZSBmb3IgbW9zdCB3ZWIgc2VydmVycy4KbmFtZTogY3Jvd2RzZWN1cml0eS9hcHBzZWMtdmlydHVhbC1wYXRjaGluZwpwYXJzZXJzOgotIGNyb3dkc2VjdXJpdHkvYXBwc2VjLWxvZ3MKc2NlbmFyaW9zOgotIGNyb3dkc2VjdXJpdHkvYXBwc2VjLXZwYXRjaAo=",
"content": "YXBwc2VjLWNvbmZpZ3M6Ci0gY3Jvd2RzZWN1cml0eS92aXJ0dWFsLXBhdGNoaW5nCi0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtZGVmYXVsdAphcHBzZWMtcnVsZXM6Ci0gY3Jvd2RzZWN1cml0eS9iYXNlLWNvbmZpZwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWVudi1hY2Nlc3MKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00MDA0NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE3LTk4NDEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xMTczOAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTI3OTI2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMzU5MTQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NjE2OQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMTk4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjI1MTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zMzYxNwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUxOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQyNzkzCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNTAxNjQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zODIwNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTI0NDg5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMzEyOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIxLTIyOTQxCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTktMTI5ODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NDg3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwNTYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjU1MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwMDA4NjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xMDAzMDMwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjI5NjUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzc1MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQ5MDcwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtbGFyYXZlbC1kZWJ1Zy1tb2RlCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjgxMjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xNzQ5NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTEzODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy03MDI4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDY4MDUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yMzg5NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIyNTI3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUwNzgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTA4MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTU0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTIxMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLXN5bWZvbnktcHJvZmlsZXIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1jb25uZWN0d2lzZS1hdXRoLWJ5cGFzcwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTIyMDI0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjcxOTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNDU3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5ODQ5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDcyMTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1naXQtY29uZmlnCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMzIxMTMKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjcyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjgyNTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yOTgyNAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3MzQ4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjAtNTkwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEzMzc5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjYxMzQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zNDEwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5OTczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDEwODIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xODkzNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTgxOTAKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yODk4NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODU2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTgtMjAwNjIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMS0yNjA4NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUxNTY3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjc5NTYKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yNzk1NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTAwMTIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC05NDc0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNzU5MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUyMzAxCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtODk2MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODE2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtOTQ2NQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUxMzc4CmF1dGhvcjogY3Jvd2RzZWN1cml0eQpjb250ZXh0czoKLSBjcm93ZHNlY3VyaXR5L2FwcHNlY19iYXNlCmRlc2NyaXB0aW9uOiBhIGdlbmVyaWMgdmlydHVhbCBwYXRjaGluZyBjb2xsZWN0aW9uLCBzdWl0YWJsZSBmb3IgbW9zdCB3ZWIgc2VydmVycy4KbmFtZTogY3Jvd2RzZWN1cml0eS9hcHBzZWMtdmlydHVhbC1wYXRjaGluZwpwYXJzZXJzOgotIGNyb3dkc2VjdXJpdHkvYXBwc2VjLWxvZ3MKc2NlbmFyaW9zOgotIGNyb3dkc2VjdXJpdHkvYXBwc2VjLXZwYXRjaAo=",
"description": "a generic virtual patching collection, suitable for most web servers.",
"author": "crowdsecurity",
"labels": null,
Expand Down Expand Up @@ -3900,7 +3966,9 @@
"crowdsecurity/vpatch-CVE-2024-7593",
"crowdsecurity/vpatch-CVE-2024-52301",
"crowdsecurity/vpatch-CVE-2024-8963",
"crowdsecurity/vpatch-CVE-2024-38816"
"crowdsecurity/vpatch-CVE-2024-38816",
"crowdsecurity/vpatch-CVE-2024-9465",
"crowdsecurity/vpatch-CVE-2024-51378"
],
"appsec-configs": [
"crowdsecurity/virtual-patching",
Expand Down
35 changes: 35 additions & 0 deletions appsec-rules/crowdsecurity/vpatch-CVE-2024-51378.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: crowdsecurity/vpatch-CVE-2024-51378
description: "Cyberpanel - RCE (CVE-2024-51378)"
rules:
- and:
- zones:
- METHOD
match:
type: equals
value: POST
- zones:
- URI
transform:
- lowercase
match:
type: regex
value: /(dns|ftp)/getresetstatus
- zones:
- BODY_ARGS
variables:
- json.statusfile
match:
type: regex
value: "[^a-zA-Z0-9/]"
labels:
type: exploit
service: http
confidence: 3
spoofable: 0
behavior: "http:exploit"
label: "Cyberpanel - RCE"
classification:
- cve.CVE-2024-51378
- attack.T1595
- attack.T1190
- cwe.CWE-78
39 changes: 39 additions & 0 deletions appsec-rules/crowdsecurity/vpatch-CVE-2024-9465.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@

name: crowdsecurity/vpatch-CVE-2024-9465
description: "Palo Alto Expedition - SQL Injection (CVE-2024-9465)"
rules:
- and:
- zones:
- METHOD
match:
type: equals
value: POST
- zones:
- URI
transform:
- lowercase
- urldecode
match:
type: contains
value: "/bin/configurations/parsers/checkpoint/checkpoint.php"
- zones:
- BODY_ARGS
variables:
- signatureid
transform:
- urldecode
match:
type: regex
value: "[^a-zA-Z0-9]"
labels:
type: exploit
service: http
confidence: 3
spoofable: 0
behavior: "http:exploit"
label: "Palo Alto Expedition - SQL Injection"
classification:
- cve.CVE-2024-9465
- attack.T1595
- attack.T1190
- cwe.CWE-89
2 changes: 2 additions & 0 deletions collections/crowdsecurity/appsec-virtual-patching.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,8 @@ appsec-rules:
- crowdsecurity/vpatch-CVE-2024-52301
- crowdsecurity/vpatch-CVE-2024-8963
- crowdsecurity/vpatch-CVE-2024-38816
- crowdsecurity/vpatch-CVE-2024-9465
- crowdsecurity/vpatch-CVE-2024-51378
author: crowdsecurity
contexts:
- crowdsecurity/appsec_base
Expand Down
44 changes: 44 additions & 0 deletions taxonomy/scenarios.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1638,6 +1638,28 @@
"CWE-707"
]
},
"crowdsecurity/vpatch-CVE-2024-51378": {
"name": "crowdsecurity/vpatch-CVE-2024-51378",
"description": "Cyberpanel - RCE (CVE-2024-51378)",
"label": "Cyberpanel - RCE",
"behaviors": [
"http:exploit"
],
"mitre_attacks": [
"TA0043:T1595",
"TA0001:T1190"
],
"confidence": 3,
"spoofable": 0,
"cti": true,
"service": "http",
"cves": [
"CVE-2024-51378"
],
"cwes": [
"CWE-78"
]
},
"crowdsecurity/vpatch-CVE-2024-51567": {
"name": "crowdsecurity/vpatch-CVE-2024-51567",
"description": "CyberPanel RCE (CVE-2024-51567)",
Expand Down Expand Up @@ -1749,6 +1771,28 @@
"CWE-22"
]
},
"crowdsecurity/vpatch-CVE-2024-9465": {
"name": "crowdsecurity/vpatch-CVE-2024-9465",
"description": "Palo Alto Expedition - SQL Injection (CVE-2024-9465)",
"label": "Palo Alto Expedition - SQL Injection",
"behaviors": [
"http:exploit"
],
"mitre_attacks": [
"TA0043:T1595",
"TA0001:T1190"
],
"confidence": 3,
"spoofable": 0,
"cti": true,
"service": "http",
"cves": [
"CVE-2024-9465"
],
"cwes": [
"CWE-89"
]
},
"crowdsecurity/vpatch-CVE-2024-9474": {
"name": "crowdsecurity/vpatch-CVE-2024-9474",
"description": "PanOS - Privilege Escalation (CVE-2024-9474)",
Expand Down