diff --git a/.appsec-tests/vpatch-CVE-2024-0012/config.yaml b/.appsec-tests/vpatch-CVE-2024-0012/config.yaml new file mode 100644 index 00000000000..e4d777e26fc --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-0012/config.yaml @@ -0,0 +1,5 @@ + +appsec-rules: +- ./appsec-rules/crowdsecurity/base-config.yaml +- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-0012.yaml +nuclei_template: test-CVE-2024-0012.yaml diff --git a/.appsec-tests/vpatch-CVE-2024-0012/test-CVE-2024-0012.yaml b/.appsec-tests/vpatch-CVE-2024-0012/test-CVE-2024-0012.yaml new file mode 100644 index 00000000000..e21debe6e23 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-0012/test-CVE-2024-0012.yaml @@ -0,0 +1,21 @@ + +id: test-CVE-2024-0012 +info: + name: test-CVE-2024-0012 + author: crowdsec + severity: info + description: test-CVE-2024-0012 testing + tags: appsec-testing +http: + - raw: + - | + GET /php/ztp_gate.php/.js.map HTTP/1.1 + Host: {{Hostname}} + X-PAN-AUTHCHECK: off + cookie-reuse: true + matchers: + - type: dsl + condition: and + dsl: + - "status_code_1 == 403" + diff --git a/.appsec-tests/vpatch-CVE-2024-27956/test-CVE-2024-27956.yaml b/.appsec-tests/vpatch-CVE-2024-27956/test-CVE-2024-27956.yaml index 3dd6714a86b..8f9df739490 100644 --- a/.appsec-tests/vpatch-CVE-2024-27956/test-CVE-2024-27956.yaml +++ b/.appsec-tests/vpatch-CVE-2024-27956/test-CVE-2024-27956.yaml @@ -11,7 +11,9 @@ http: POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded + q=INSERT+INTO+wp_users+%28user_login%2C+user_pass%2C+user_nicename%2C+user_email%2C+user_url%2C+user_registered%2C+user_status%2C+display_name%29+VALUES+%28%27eviladmin%27%2C+%27%24P%24BASbMqW0nlZRux%2F2IhCw7AdvoNI4VT0%27%2C+%27eviladmin%27%2C+%27eviladmin%40gmail.com%27%2C+%27http%3A%2F%2F127.0.0.1%3A8000%27%2C+%272024-04-30+16%3A26%3A43%27%2C+0%2C+%27eviladmin%27%29&auth=%00&integ=09956ea086b172d6cf8ac31de406c4c0 + cookie-reuse: true matchers: - type: dsl diff --git a/.appsec-tests/vpatch-CVE-2024-9474/config.yaml b/.appsec-tests/vpatch-CVE-2024-9474/config.yaml new file mode 100644 index 00000000000..741c0f7b10f --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-9474/config.yaml @@ -0,0 +1,5 @@ + +appsec-rules: +- ./appsec-rules/crowdsecurity/base-config.yaml +- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-9474.yaml +nuclei_template: test-CVE-2024-9474.yaml diff --git a/.appsec-tests/vpatch-CVE-2024-9474/test-CVE-2024-9474.yaml b/.appsec-tests/vpatch-CVE-2024-9474/test-CVE-2024-9474.yaml new file mode 100644 index 00000000000..0648d8b0840 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-9474/test-CVE-2024-9474.yaml @@ -0,0 +1,24 @@ + +id: test-CVE-2024-9474 +info: + name: test-CVE-2024-9474 + author: crowdsec + severity: info + description: test-CVE-2024-9474 testing + tags: appsec-testing +http: + - raw: + - | + POST /php/utils/createRemoteAppwebSession.php/watchTowr.js.map HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user=`echo $(uname -a) > /var/appweb/htdocs/unauth/watchTowr.php`&userRole=superuser&remoteHost=&vsys=vsys1 + + cookie-reuse: true + matchers: + - type: dsl + condition: and + dsl: + - "status_code_1 == 403" + diff --git a/.index.json b/.index.json index c107ba39f2d..d21064e636f 100644 --- a/.index.json +++ b/.index.json @@ -1905,6 +1905,33 @@ "type": "exploit" } }, + "crowdsecurity/vpatch-CVE-2024-0012": { + "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-0012.yaml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "7434c3ee5962dbda438656e79e150077e97f9da99e70303569515d3afabda145", + "deprecated": false + } + }, + "content": "Cm5hbWU6IGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTAwMTIKZGVzY3JpcHRpb246ICJQYW5PUyAtIEF1dGhlbnRpY2F0aW9uIEJ5cGFzcyAoQ1ZFLTIwMjQtMDAxMikiCnJ1bGVzOgogIC0gYW5kOgogICAgLSB6b25lczoKICAgICAgLSBIRUFERVJTCiAgICAgIHZhcmlhYmxlczoKICAgICAgIC0geC1wYW4tYXV0aGNoZWNrCiAgICAgIHRyYW5zZm9ybToKICAgICAgLSBsb3dlcmNhc2UKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZXF1YWxzCiAgICAgICAgdmFsdWU6IG9mZgpsYWJlbHM6CiAgdHlwZTogZXhwbG9pdAogIHNlcnZpY2U6IGh0dHAKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgYmVoYXZpb3I6ICJodHRwOmV4cGxvaXQiCiAgbGFiZWw6ICJQYW5PUyAtIEF1dGhlbnRpY2F0aW9uIEJ5cGFzcyIKICBjbGFzc2lmaWNhdGlvbjoKICAgLSBjdmUuQ1ZFLTIwMjQtMDAxMgogICAtIGF0dGFjay5UMTU5NQogICAtIGF0dGFjay5UMTE5MAogICAtIGN3ZS5DV0UtMzA2", + "description": "PanOS - Authentication Bypass (CVE-2024-0012)", + "author": "crowdsecurity", + "labels": { + "behavior": "http:exploit", + "classification": [ + "cve.CVE-2024-0012", + "attack.T1595", + "attack.T1190", + "cwe.CWE-306" + ], + "confidence": 3, + "label": "PanOS - Authentication Bypass", + "service": "http", + "spoofable": 0, + "type": "exploit" + } + }, "crowdsecurity/vpatch-CVE-2024-1061": { "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-1061.yaml", "version": "0.1", @@ -2559,6 +2586,41 @@ "type": "exploit" } }, + "crowdsecurity/vpatch-CVE-2024-9474": { + "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-9474.yaml", + "version": "0.3", + "versions": { + "0.1": { + "digest": "8460703181c94f6078058c7c9a5f567c161fcc0ce6676d0efc6ab19f3dd5fde3", + "deprecated": false + }, + "0.2": { + "digest": "8c7edf75d60d36d4b5e8ecb57ea87526ffde766f6e4f95a2a0029c18dc9be03b", + "deprecated": false + }, + "0.3": { + "digest": "f540b7e6a8e73388c3a045070e3d8b54b4b1b00d005803548e009ff7ff01df0d", + "deprecated": false + } + }, + "content": "Cm5hbWU6IGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTk0NzQKZGVzY3JpcHRpb246ICJQYW5PUyAtIFByaXZpbGVnZSBFc2NhbGF0aW9uIChDVkUtMjAyNC05NDc0KSIKcnVsZXM6CiAgLSBhbmQ6CiAgICAtIHpvbmVzOgogICAgICAtIE1FVEhPRAogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiBlcXVhbHMKICAgICAgICB2YWx1ZTogUE9TVAogICAgLSB6b25lczoKICAgICAgLSBVUkkKICAgICAgdHJhbnNmb3JtOgogICAgICAtIGxvd2VyY2FzZQogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiBjb250YWlucwogICAgICAgIHZhbHVlOiAvcGhwL3V0aWxzL2NyZWF0ZXJlbW90ZWFwcHdlYnNlc3Npb24ucGhwLwogICAgLSB6b25lczoKICAgICAgIC0gVVJJCiAgICAgIHRyYW5zZm9ybToKICAgICAgICAtIGxvd2VyY2FzZQogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiBlbmRzV2l0aAogICAgICAgIHZhbHVlOiAuanMubWFwCiAgICAtIHpvbmVzOgogICAgICAtIEJPRFlfQVJHUwogICAgICB2YXJpYWJsZXM6CiAgICAgICAtIHVzZXIKICAgICAgdHJhbnNmb3JtOgogICAgICAtIGxvd2VyY2FzZQogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiByZWdleAogICAgICAgIHZhbHVlOiAiWyQ7fCZgPl0iCmxhYmVsczoKICB0eXBlOiBleHBsb2l0CiAgc2VydmljZTogaHR0cAogIGNvbmZpZGVuY2U6IDMKICBzcG9vZmFibGU6IDAKICBiZWhhdmlvcjogImh0dHA6ZXhwbG9pdCIKICBsYWJlbDogIlBhbk9TIC0gUHJpdmlsZWdlIEVzY2FsYXRpb24gKENWRS0yMDI0LTk0NzQpIgogIGNsYXNzaWZpY2F0aW9uOgogICAtIGN2ZS5DVkUtMjAyNC05NDc0CiAgIC0gYXR0YWNrLlQxNTk1CiAgIC0gYXR0YWNrLlQxMTkwCiAgIC0gY3dlLkNXRS03OAo=", + "description": "PanOS - Privilege Escalation (CVE-2024-9474)", + "author": "crowdsecurity", + "labels": { + "behavior": "http:exploit", + "classification": [ + "cve.CVE-2024-9474", + "attack.T1595", + "attack.T1190", + "cwe.CWE-78" + ], + "confidence": 3, + "label": "PanOS - Privilege Escalation (CVE-2024-9474)", + "service": "http", + "spoofable": 0, + "type": "exploit" + } + }, "crowdsecurity/vpatch-connectwise-auth-bypass": { "path": "appsec-rules/crowdsecurity/vpatch-connectwise-auth-bypass.yaml", "version": "0.3", @@ -3430,7 +3492,7 @@ }, "crowdsecurity/appsec-virtual-patching": { "path": "collections/crowdsecurity/appsec-virtual-patching.yaml", - "version": "4.4", + "version": "4.5", "versions": { "0.1": { "digest": "a165d638c8d826a932e4ca4e70ec5379d558a0bee1356e871c7c92cc2df714fc", @@ -3607,10 +3669,14 @@ "4.4": { "digest": "ba304a73baf21c9d547dbf7dbb7507173b3ad5ec139cbb762cb13fc78819278f", "deprecated": false + }, + "4.5": { + "digest": "702bce51ce84b376355b93e8accf3943b50007fcebcb3388eec8771806ba726b", + "deprecated": false } }, "long_description": "IyBBcHBTZWMgVmlydHVhbCBQYXRjaGluZwoKVGhpcyBjb2xsZWN0aW9uIGNvbnRhaW5zIHZpcnR1YWwgcGF0Y2hpbmcgZm9yIGNvbW1vbmx5IGV4cGxvaXRlZCB2dWxuZXJhYmlsaXRpZXMsIGFuZCBpcyBpbnNwaXJlZCBieSB0aGUgW0NJU0EgS25vd24gRXhwbG9pdGVkIFZ1bG5lcmFiaWxpdGllcyBDYXRhbG9nXShodHRwczovL3d3dy5jaXNhLmdvdi9rbm93bi1leHBsb2l0ZWQtdnVsbmVyYWJpbGl0aWVzLWNhdGFsb2cpLiBUaGUgZ29hbCBpcyB0byBwcm92aWRlIHZpcnR1YWwgcGF0Y2hpbmcgY2FwYWJpbGl0aWVzIGZvciB0aGUgbW9zdCBvZnRlbiBleHBsb2l0ZWQgdnVsbmVyYWJpbGl0aWVzLCBhdm9pZGluZyBmYWxzZSBwb3NpdGl2ZXMgd2hpbGUgY2F0Y2hpbmcgcGVvcGxlIHNjb3V0aW5nIHlvdXIgYXBwbGljYXRpb25zIGZvciBqdWljeSB2dWxuZXJhYmlsaXRpZXMuCg==", - "content": "YXBwc2VjLWNvbmZpZ3M6Ci0gY3Jvd2RzZWN1cml0eS92aXJ0dWFsLXBhdGNoaW5nCi0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtZGVmYXVsdAphcHBzZWMtcnVsZXM6Ci0gY3Jvd2RzZWN1cml0eS9iYXNlLWNvbmZpZwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWVudi1hY2Nlc3MKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00MDA0NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE3LTk4NDEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xMTczOAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTI3OTI2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMzU5MTQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NjE2OQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMTk4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjI1MTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zMzYxNwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUxOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQyNzkzCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNTAxNjQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zODIwNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTI0NDg5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMzEyOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIxLTIyOTQxCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTktMTI5ODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NDg3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwNTYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjU1MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwMDA4NjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xMDAzMDMwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjI5NjUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzc1MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQ5MDcwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtbGFyYXZlbC1kZWJ1Zy1tb2RlCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjgxMjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xNzQ5NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTEzODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy03MDI4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDY4MDUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yMzg5NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIyNTI3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUwNzgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTA4MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTU0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTIxMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLXN5bWZvbnktcHJvZmlsZXIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1jb25uZWN0d2lzZS1hdXRoLWJ5cGFzcwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTIyMDI0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjcxOTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNDU3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5ODQ5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDcyMTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1naXQtY29uZmlnCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMzIxMTMKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjcyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjgyNTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yOTgyNAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3MzQ4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjAtNTkwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEzMzc5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjYxMzQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zNDEwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5OTczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDEwODIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xODkzNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTgxOTAKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yODk4NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODU2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTgtMjAwNjIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMS0yNjA4NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUxNTY3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjc5NTYKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yNzk1NAphdXRob3I6IGNyb3dkc2VjdXJpdHkKY29udGV4dHM6Ci0gY3Jvd2RzZWN1cml0eS9hcHBzZWNfYmFzZQpkZXNjcmlwdGlvbjogYSBnZW5lcmljIHZpcnR1YWwgcGF0Y2hpbmcgY29sbGVjdGlvbiwgc3VpdGFibGUgZm9yIG1vc3Qgd2ViIHNlcnZlcnMuCm5hbWU6IGNyb3dkc2VjdXJpdHkvYXBwc2VjLXZpcnR1YWwtcGF0Y2hpbmcKcGFyc2VyczoKLSBjcm93ZHNlY3VyaXR5L2FwcHNlYy1sb2dzCnNjZW5hcmlvczoKLSBjcm93ZHNlY3VyaXR5L2FwcHNlYy12cGF0Y2gK", + "content": "YXBwc2VjLWNvbmZpZ3M6Ci0gY3Jvd2RzZWN1cml0eS92aXJ0dWFsLXBhdGNoaW5nCi0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtZGVmYXVsdAphcHBzZWMtcnVsZXM6Ci0gY3Jvd2RzZWN1cml0eS9iYXNlLWNvbmZpZwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWVudi1hY2Nlc3MKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00MDA0NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE3LTk4NDEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xMTczOAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTI3OTI2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMzU5MTQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NjE2OQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMTk4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjI1MTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zMzYxNwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUxOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQyNzkzCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNTAxNjQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zODIwNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTI0NDg5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMzEyOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIxLTIyOTQxCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTktMTI5ODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NDg3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwNTYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjU1MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwMDA4NjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xMDAzMDMwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjI5NjUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzc1MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQ5MDcwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtbGFyYXZlbC1kZWJ1Zy1tb2RlCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjgxMjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xNzQ5NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTEzODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy03MDI4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDY4MDUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yMzg5NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIyNTI3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUwNzgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTA4MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTU0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTIxMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLXN5bWZvbnktcHJvZmlsZXIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1jb25uZWN0d2lzZS1hdXRoLWJ5cGFzcwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTIyMDI0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjcxOTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNDU3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5ODQ5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDcyMTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1naXQtY29uZmlnCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMzIxMTMKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjcyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjgyNTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yOTgyNAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3MzQ4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjAtNTkwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEzMzc5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjYxMzQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zNDEwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5OTczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDEwODIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xODkzNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTgxOTAKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yODk4NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODU2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTgtMjAwNjIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMS0yNjA4NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUxNTY3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjc5NTYKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yNzk1NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTAwMTIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC05NDc0CmF1dGhvcjogY3Jvd2RzZWN1cml0eQpjb250ZXh0czoKLSBjcm93ZHNlY3VyaXR5L2FwcHNlY19iYXNlCmRlc2NyaXB0aW9uOiBhIGdlbmVyaWMgdmlydHVhbCBwYXRjaGluZyBjb2xsZWN0aW9uLCBzdWl0YWJsZSBmb3IgbW9zdCB3ZWIgc2VydmVycy4KbmFtZTogY3Jvd2RzZWN1cml0eS9hcHBzZWMtdmlydHVhbC1wYXRjaGluZwpwYXJzZXJzOgotIGNyb3dkc2VjdXJpdHkvYXBwc2VjLWxvZ3MKc2NlbmFyaW9zOgotIGNyb3dkc2VjdXJpdHkvYXBwc2VjLXZwYXRjaAo=", "description": "a generic virtual patching collection, suitable for most web servers.", "author": "crowdsecurity", "labels": null, @@ -3689,7 +3755,9 @@ "crowdsecurity/vpatch-CVE-2021-26086", "crowdsecurity/vpatch-CVE-2024-51567", "crowdsecurity/vpatch-CVE-2024-27956", - "crowdsecurity/vpatch-CVE-2024-27954" + "crowdsecurity/vpatch-CVE-2024-27954", + "crowdsecurity/vpatch-CVE-2024-0012", + "crowdsecurity/vpatch-CVE-2024-9474" ], "appsec-configs": [ "crowdsecurity/virtual-patching", @@ -4300,7 +4368,7 @@ }, "crowdsecurity/http-cve": { "path": "collections/crowdsecurity/http-cve.yaml", - "version": "2.7", + "version": "2.9", "versions": { "0.1": { "digest": "30748e051a470c1bc91506ae63e8784cd054564f90ccc23eb655823fc30e3019", @@ -4409,10 +4477,18 @@ "2.7": { "digest": "b974f20dc2cf23c292eede422c1c6e0008297f8b3397e3851bb6a988866f3e34", "deprecated": false + }, + "2.8": { + "digest": "7c6a2ecd3b3d28164eb0212ea49e5ce23f35814ef0f6d8be5d8dab058b514083", + "deprecated": false + }, + "2.9": { + "digest": "4bd84ba53d1668df2bc2933f38f7d07322b6a68ea60907860a9b81bc1a497407", + "deprecated": false } }, "long_description": "CgpBIGNvbGxlY3Rpb24gdG8gZGV0ZWN0IGV4cGxvaXRhdGlvbiBvZiBzb21lIHNwZWNpZmljIGh0dHAgQ1ZFcy4KCldvcmtzIHdpdGggW2FwYWNoZTJdKGh0dHBzOi8vaHViLmNyb3dkc2VjLm5ldC9hdXRob3IvY3Jvd2RzZWN1cml0eS9jb2xsZWN0aW9ucy9hcGFjaGUyKSwgW25naW54XShodHRwczovL2h1Yi5jcm93ZHNlYy5uZXQvYXV0aG9yL2Nyb3dkc2VjdXJpdHkvY29sbGVjdGlvbnMvbmdpbngpLCBbdHJhZWZpa10oaHR0cHM6Ly9odWIuY3Jvd2RzZWMubmV0L2F1dGhvci9jcm93ZHNlY3VyaXR5L2NvbGxlY3Rpb25zL3RyYWVmaWspIGV0Yy4KCjp3YXJuaW5nOiBXaGlsZSB0aGlzIGNvbGxlY3Rpb24gaXMgZnJlcXVlbnRseSB1cGRhdGVkIHdpdGggdHJlbmRpbmcgQ1ZFcywgaXQgaXMgX25vdF8gYSBXQUYgYW5kIGRvZXMgX25vdF8gYWltcyBhdCByZXBsYWNpbmcgYSBXQUYuIEFzIHN1Y2gsIGFuIGF0dGFja2VyIG1pZ2h0IGJlIGFibGUgdG8gYnlwYXNzIHRob3NlIHNpZ25hdHVyZXMuCgogLSBbQXBhY2hlIENWRS0yMDIxLTQxNzczXShodHRwczovL2N2ZS5jaXJjbC5sdS9jdmUvQ1ZFLTIwMjEtNDE3NzMpCiAtIFtBcGFjaGUgQ1ZFLTIwMjEtNDIwMTNdKGh0dHBzOi8vY3ZlLmNpcmNsLmx1L2N2ZS9DVkUtMjAyMS00MjAxMykKIC0gW0dyYWZhbmEgQ1ZFLTIwMjEtNDM3OThdKGh0dHBzOi8vY3ZlLmNpcmNsLmx1L2N2ZS9DVkUtMjAyMS00Mzc5OCkKIC0gW0ZvcnRpbmV0IENWRS0yMDE4LTEzMzc5XShodHRwczovL2N2ZS5jaXJjbC5sdS9jdmUvQ1ZFLTIwMTgtMTMzNzkpCiAtIFtQdWxzZSBTZWN1cmUgQ1ZFLTIwMTktMTE1MTBdKGh0dHBzOi8vY3ZlLmNpcmNsLmx1L2N2ZS9DVkUtMjAxOS0xMTUxMCkKIC0gW0Y1IEJJRy1JUCBDVkUtMjAyMC01OTAyXShodHRwczovL2N2ZS5jaXJjbC5sdS9jdmUvQ1ZFLTIwMjAtNTkwMikKIC0gW1RoaW5rUEhQIENWRS0yMDE4LTIwMDYyXShodHRwczovL2N2ZS5jaXJjbC5sdS9jdmUvQ1ZFLTIwMTgtMjAwNjIpCiAtIFtBcGFjaGUgTG9nNGoyIENWRS0yMDIxLTQ0MjI4XShodHRwczovL2N2ZS5jaXJjbC5sdS9jdmUvQ1ZFLTIwMjEtNDQyMjgpCiAtIFtWTXdhcmUgVk1TQS0yMDIxLTAwMjddKGh0dHBzOi8vd3d3LnZtd2FyZS5jb20vc2VjdXJpdHkvYWR2aXNvcmllcy9WTVNBLTIwMjEtMDAyNy5odG1sKQogLSBbQXRsYXNzaWFuIEppcmEgQ1ZFLTIwMjEtMjYwODZdKGh0dHBzOi8vY3ZlLmNpcmNsLmx1L2N2ZS9DVkUtMjAyMS0yNjA4NikKIC0gW1NwcmluZzRTaGVsbCBDVkUtMjAyMi0yMjk2NV0oaHR0cHM6Ly9jdmUubWl0cmUub3JnL2NnaS1iaW4vY3ZlbmFtZS5jZ2k/bmFtZT1DVkUtMjAyMi0yMjk2NSkKIC0gW1ZNd2FyZSBDVkUtMjAyMi0yMjk1NF0oaHR0cHM6Ly93d3cudm13YXJlLmNvbS9zZWN1cml0eS9hZHZpc29yaWVzL1ZNU0EtMjAyMi0wMDExLmh0bWwpCiAtIFtaaW1icmEgQ1ZFLTIwMjItMzcwNDJdKGh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIyLTM3MDQyKQogLSBbTWljcm9zb2Z0IEV4Y2hhbmdlIENWRS0yMDIyLTQxMDgyXShodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAyMi00MTA4MikKIC0gW0dMUEkgQ1ZFLTIwMjItMzU5MTRdKGh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIyLTM1OTE0KQogLSBbRm9ydGluZXQgQ1ZFLTIwMjItNDA2ODRdKGh0dHBzOi8vd3d3Lmhvcml6b24zLmFpL2ZvcnRpb3MtZm9ydGlwcm94eS1hbmQtZm9ydGlzd2l0Y2htYW5hZ2VyLWF1dGhlbnRpY2F0aW9uLWJ5cGFzcy10ZWNobmljYWwtZGVlcC1kaXZlLWN2ZS0yMDIyLTQwNjg0LykKIC0gW0NvbmZsdWVuY2UgQ1ZFLTIwMjItMjYxMzRdKGh0dHBzOi8vY3ZlLm1pdHJlLm9yZy9jZ2ktYmluL2N2ZW5hbWUuY2dpP25hbWU9Q1ZFLTIwMjItMjYxMzQpCiAtIFtUZXh0NFNoZWxsIENWRS0yMDIyLTQyODg5XShodHRwczovL2N2ZS5taXRyZS5vcmcvY2dpLWJpbi9jdmVuYW1lLmNnaT9uYW1lPUNWRS0yMDIyLTQyODg5KQogLSBbR2hvc3QgQ01TIENWRS0yMDIyLTQxNjk3XShodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAyMi00MTY5NykKIC0gW0NhY3RpIENWRS0yMDIyLTQ2MTY5XShodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAyMi00NjE2OSkKIC0gW0NlbnRvcyBXZWIgUGFuZWwgNyBDVkUtMjAyMi00NDg3N10oaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLTIwMjItNDQ4NzcpCiAtIFtUZWxlcmlrIFVJIENWRS0yMDE5LTE4OTM1XShodHRwczovL2N2ZS5taXRyZS5vcmcvY2dpLWJpbi9jdmVuYW1lLmNnaT9uYW1lPUNWRS0yMDE5LTE4OTM1KQogLSBbTmV0Z2VhciBER04xMDAwIC8gREdOMjIwMCBSZW1vdGUgQ29tbWFuZCBFeGVjdXRpb25dKGh0dHBzOi8vd3d3LmV4cGxvaXQtZGIuY29tL2V4cGxvaXRzLzI1OTc4KQogLSBbQ29uZmx1ZW5jZSBDVkUtMjAyMy0yMjUxNV0oaHR0cHM6Ly9jb25mbHVlbmNlLmF0bGFzc2lhbi5jb20vc2VjdXJpdHkvY3ZlLTIwMjMtMjI1MTUtcHJpdmlsZWdlLWVzY2FsYXRpb24tdnVsbmVyYWJpbGl0eS1pbi1jb25mbHVlbmNlLWRhdGEtY2VudGVyLWFuZC1zZXJ2ZXItMTI5NTY4MjI3Ni5odG1sKQogLSBbQ29uZmx1ZW5jZSBDVkUtMjAyMy0yMjUxOF0oaHR0cHM6Ly9jb25mbHVlbmNlLmF0bGFzc2lhbi5jb20vcGFnZXMvdmlld3BhZ2UuYWN0aW9uP3BhZ2VJZD0xMzExNDczOTA3KQogLSBbT3duY2xvdWQgQ1ZFLTIwMjMtNDkxMDNdKGh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS0yMDIzLTQ5MTAzKQogLSBbUEhQIFVuaXR0ZXN0IEZyYW1ld29yayBDVkUtMjAxNy05ODQxXShodHRwczovL2N2ZS5jaXJjbC5sdS9jdmUvQ1ZFLTIwMTctOTg0MSkKIC0gW0FwYWNoZSBzb3VyY2UgZGlzY2xvc3VyZSBDVkUtMjAyNC0zODQ3NV0oaHR0cHM6Ly9jdmUuY2lyY2wubHUvY3ZlL0NWRS0yMDI0LTM4NDc1KQoKCgoK", - "content": "c2NlbmFyaW9zOgogIC0gY3Jvd2RzZWN1cml0eS9odHRwLWN2ZS0yMDIxLTQxNzczCiAgLSBjcm93ZHNlY3VyaXR5L2h0dHAtY3ZlLTIwMjEtNDIwMTMKICAtIGNyb3dkc2VjdXJpdHkvZ3JhZmFuYS1jdmUtMjAyMS00Mzc5OAogIC0gY3Jvd2RzZWN1cml0eS92bXdhcmUtdmNlbnRlci12bXNhLTIwMjEtMDAyNwogIC0gY3Jvd2RzZWN1cml0eS9mb3J0aW5ldC1jdmUtMjAxOC0xMzM3OQogIC0gY3Jvd2RzZWN1cml0eS9wdWxzZS1zZWN1cmUtc3NsdnBuLWN2ZS0yMDE5LTExNTEwCiAgLSBjcm93ZHNlY3VyaXR5L2Y1LWJpZy1pcC1jdmUtMjAyMC01OTAyCiAgLSBjcm93ZHNlY3VyaXR5L3RoaW5rcGhwLWN2ZS0yMDE4LTIwMDYyCiAgLSBjcm93ZHNlY3VyaXR5L2FwYWNoZV9sb2c0ajJfY3ZlLTIwMjEtNDQyMjgKICAtIGNyb3dkc2VjdXJpdHkvamlyYV9jdmUtMjAyMS0yNjA4NgogIC0gY3Jvd2RzZWN1cml0eS9zcHJpbmc0c2hlbGxfY3ZlLTIwMjItMjI5NjUKICAtIGNyb3dkc2VjdXJpdHkvdm13YXJlLWN2ZS0yMDIyLTIyOTU0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTM3MDQyCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQxMDgyCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTM1OTE0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQwNjg0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTI2MTM0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQyODg5CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQxNjk3CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQ2MTY5CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQ0ODc3CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDE5LTE4OTM1CiAgLSBjcm93ZHNlY3VyaXR5L25ldGdlYXJfcmNlCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIzLTIyNTE1CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIzLTIyNTE4CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIzLTQ5MTAzCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDE3LTk4NDEKICAtIGNyb3dkc2VjdXJpdHkvQ1ZFLTIwMjQtMzg0NzUKYXV0aG9yOiBjcm93ZHNlY3VyaXR5CmRlc2NyaXB0aW9uOiAiRGV0ZWN0IENWRSBleHBsb2l0YXRpb24gaW4gaHR0cCBsb2dzIgp0YWdzOgogIC0gd2ViCiAgLSBleHBsb2l0CiAgLSBjdmUKICAtIGh0dHAK", + "content": "c2NlbmFyaW9zOgogIC0gY3Jvd2RzZWN1cml0eS9odHRwLWN2ZS0yMDIxLTQxNzczCiAgLSBjcm93ZHNlY3VyaXR5L2h0dHAtY3ZlLTIwMjEtNDIwMTMKICAtIGNyb3dkc2VjdXJpdHkvZ3JhZmFuYS1jdmUtMjAyMS00Mzc5OAogIC0gY3Jvd2RzZWN1cml0eS92bXdhcmUtdmNlbnRlci12bXNhLTIwMjEtMDAyNwogIC0gY3Jvd2RzZWN1cml0eS9mb3J0aW5ldC1jdmUtMjAxOC0xMzM3OQogIC0gY3Jvd2RzZWN1cml0eS9wdWxzZS1zZWN1cmUtc3NsdnBuLWN2ZS0yMDE5LTExNTEwCiAgLSBjcm93ZHNlY3VyaXR5L2Y1LWJpZy1pcC1jdmUtMjAyMC01OTAyCiAgLSBjcm93ZHNlY3VyaXR5L3RoaW5rcGhwLWN2ZS0yMDE4LTIwMDYyCiAgLSBjcm93ZHNlY3VyaXR5L2FwYWNoZV9sb2c0ajJfY3ZlLTIwMjEtNDQyMjgKICAtIGNyb3dkc2VjdXJpdHkvamlyYV9jdmUtMjAyMS0yNjA4NgogIC0gY3Jvd2RzZWN1cml0eS9zcHJpbmc0c2hlbGxfY3ZlLTIwMjItMjI5NjUKICAtIGNyb3dkc2VjdXJpdHkvdm13YXJlLWN2ZS0yMDIyLTIyOTU0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTM3MDQyCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQxMDgyCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTM1OTE0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQwNjg0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTI2MTM0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQyODg5CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQxNjk3CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQ2MTY5CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQ0ODc3CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDE5LTE4OTM1CiAgLSBjcm93ZHNlY3VyaXR5L25ldGdlYXJfcmNlCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIzLTIyNTE1CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIzLTIyNTE4CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIzLTQ5MTAzCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDE3LTk4NDEKICAtIGNyb3dkc2VjdXJpdHkvQ1ZFLTIwMjQtMzg0NzUKICAtIGNyb3dkc2VjdXJpdHkvQ1ZFLTIwMjQtMDAxMgogIC0gY3Jvd2RzZWN1cml0eS9DVkUtMjAyNC05NDc0CmF1dGhvcjogY3Jvd2RzZWN1cml0eQpkZXNjcmlwdGlvbjogIkRldGVjdCBDVkUgZXhwbG9pdGF0aW9uIGluIGh0dHAgbG9ncyIKdGFnczoKICAtIHdlYgogIC0gZXhwbG9pdAogIC0gY3ZlCiAgLSBodHRwCg==", "description": "Detect CVE exploitation in http logs", "author": "crowdsecurity", "labels": null, @@ -4444,7 +4520,9 @@ "crowdsecurity/CVE-2023-22518", "crowdsecurity/CVE-2023-49103", "crowdsecurity/CVE-2017-9841", - "crowdsecurity/CVE-2024-38475" + "crowdsecurity/CVE-2024-38475", + "crowdsecurity/CVE-2024-0012", + "crowdsecurity/CVE-2024-9474" ] }, "crowdsecurity/http-dos": { @@ -11245,6 +11323,34 @@ "spoofable": 0 } }, + "crowdsecurity/CVE-2024-0012": { + "path": "scenarios/crowdsecurity/CVE-2024-0012.yaml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "b955db04131ef84d41a65adb63da9bea950847ff3380be449777161fda7a96e7", + "deprecated": false + } + }, + "long_description": "RGV0ZWN0IGV4cGxvaXRhdGlvbiBvZiBQYW5PUyBDVkUtMjAyNC0wMDEyCgpSZWY6IGh0dHBzOi8vbGFicy53YXRjaHRvd3IuY29tL3BvdHMtYW5kLXBhbnMtYWthLWFuLXNzbHZwbi1wYWxvLWFsdG8tcGFuLW9zLWN2ZS0yMDI0LTAwMTItYW5kLWN2ZS0yMDI0LTk0NzQvCg==", + "content": "dHlwZTogdHJpZ2dlcgpmb3JtYXQ6IDIuMApuYW1lOiBjcm93ZHNlY3VyaXR5L0NWRS0yMDI0LTAwMTIKZGVzY3JpcHRpb246ICJEZXRlY3QgQ1ZFLTIwMjQtMDAxMiBleHBsb2l0YXRpb24gYXR0ZW1wdHMiCmZpbHRlcjogfAogIGxldCByZXF1ZXN0ID0gTG93ZXIoZXZ0LlBhcnNlZC5yZXF1ZXN0KTsKICBldnQuTWV0YS5sb2dfdHlwZSBpbiBbJ2h0dHBfYWNjZXNzLWxvZycsICdodHRwX2Vycm9yLWxvZyddICYmIAogIGV2dC5NZXRhLmh0dHBfc3RhdHVzIGluIFsnNDA0JywgJzQwMyddICYmCiAgKHJlcXVlc3QgbWF0Y2hlcyAnL3BocC8uKi9cXC5qc1xcLm1hcCcgfHwgcmVxdWVzdCBtYXRjaGVzICcvaW5kZXgucGhwLy4qXFwuanNcXC5tYXAnKQpncm91cGJ5OiAiZXZ0Lk1ldGEuc291cmNlX2lwIgpibGFja2hvbGU6IDJtCmxhYmVsczoKICB0eXBlOiBleHBsb2l0CiAgcmVtZWRpYXRpb246IHRydWUKICBjbGFzc2lmaWNhdGlvbjoKICAgIC0gYXR0YWNrLlQxNTk1CiAgICAtIGF0dGFjay5UMTE5MAogICAgLSBjdmUuQ1ZFLTIwMjQtMDAxMgogIGNvbmZpZGVuY2U6IDMKICBzcG9vZmFibGU6IDAKICBiZWhhdmlvcjogImh0dHA6ZXhwbG9pdCIKICBsYWJlbDogIkNWRS0yMDI0LTAwMTIiCiAgc2VydmljZTogcGFub3MK", + "description": "Detect CVE-2024-0012 exploitation attempts", + "author": "crowdsecurity", + "labels": { + "behavior": "http:exploit", + "classification": [ + "attack.T1595", + "attack.T1190", + "cve.CVE-2024-0012" + ], + "confidence": 3, + "label": "CVE-2024-0012", + "remediation": true, + "service": "panos", + "spoofable": 0, + "type": "exploit" + } + }, "crowdsecurity/CVE-2024-38475": { "path": "scenarios/crowdsecurity/CVE-2024-38475.yaml", "version": "0.1", @@ -11273,6 +11379,34 @@ "type": "exploit" } }, + "crowdsecurity/CVE-2024-9474": { + "path": "scenarios/crowdsecurity/CVE-2024-9474.yaml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "940674a85da7a2526655fe902d8b5e197ad9048d2a09cd8132e6115cfd5d2fcf", + "deprecated": false + } + }, + "long_description": "RGV0ZWN0IGV4cGxvaXRhdGlvbiBvZiBQYW5PUyBDVkUtMjAyNC05NDc0CgpSZWY6IGh0dHBzOi8vbGFicy53YXRjaHRvd3IuY29tL3BvdHMtYW5kLXBhbnMtYWthLWFuLXNzbHZwbi1wYWxvLWFsdG8tcGFuLW9zLWN2ZS0yMDI0LTAwMTItYW5kLWN2ZS0yMDI0LTk0NzQvCg==", + "content": "dHlwZTogdHJpZ2dlcgpmb3JtYXQ6IDIuMApuYW1lOiBjcm93ZHNlY3VyaXR5L0NWRS0yMDI0LTk0NzQKZGVzY3JpcHRpb246ICJEZXRlY3QgQ1ZFLTIwMjQtOTQ3NCBleHBsb2l0YXRpb24gYXR0ZW1wdHMiCmZpbHRlcjogfAogIGxldCByZXF1ZXN0ID0gTG93ZXIoZXZ0LlBhcnNlZC5yZXF1ZXN0KTsKICBldnQuTWV0YS5sb2dfdHlwZSBpbiBbJ2h0dHBfYWNjZXNzLWxvZycsICdodHRwX2Vycm9yLWxvZyddICYmIAogIGV2dC5NZXRhLmh0dHBfc3RhdHVzIGluIFsnNDA0JywgJzQwMyddICYmCiAgZXZ0Lk1ldGEuaHR0cF92ZXJiID09ICdQT1NUJyAmJgogIHJlcXVlc3QgY29udGFpbnMgJy9waHAvdXRpbHMvY3JlYXRlcmVtb3RlYXBwd2Vic2Vzc2lvbi5waHAvd2F0Y2h0b3dyLmpzLm1hcCcKZ3JvdXBieTogImV2dC5NZXRhLnNvdXJjZV9pcCIKYmxhY2tob2xlOiAybQpsYWJlbHM6CiAgdHlwZTogZXhwbG9pdAogIHJlbWVkaWF0aW9uOiB0cnVlCiAgY2xhc3NpZmljYXRpb246CiAgICAtIGF0dGFjay5UMTU5NQogICAgLSBhdHRhY2suVDExOTAKICAgIC0gY3ZlLkNWRS0yMDI0LTk0NzQKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgYmVoYXZpb3I6ICJodHRwOmV4cGxvaXQiCiAgbGFiZWw6ICJDVkUtMjAyNC05NDc0IgogIHNlcnZpY2U6IHBhbm9zCg==", + "description": "Detect CVE-2024-9474 exploitation attempts", + "author": "crowdsecurity", + "labels": { + "behavior": "http:exploit", + "classification": [ + "attack.T1595", + "attack.T1190", + "cve.CVE-2024-9474" + ], + "confidence": 3, + "label": "CVE-2024-9474", + "remediation": true, + "service": "panos", + "spoofable": 0, + "type": "exploit" + } + }, "crowdsecurity/amavis-blocked": { "path": "scenarios/crowdsecurity/amavis-blocked.yaml", "version": "0.1", diff --git a/.tests/CVE-2024-0012/CVE-2024-0012.log b/.tests/CVE-2024-0012/CVE-2024-0012.log new file mode 100644 index 00000000000..c6a02650dc6 --- /dev/null +++ b/.tests/CVE-2024-0012/CVE-2024-0012.log @@ -0,0 +1,2 @@ +10.0.0.1 - - [20/Nov/2024:04:13:06 +0000] "GET /index.php/.js.map HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" "-" +10.0.0.2 - - [20/Nov/2024:04:13:06 +0000] "GET /php/ztp_gate.php/.js.map HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" "-" diff --git a/.tests/CVE-2024-0012/config.yaml b/.tests/CVE-2024-0012/config.yaml new file mode 100644 index 00000000000..8d3229770b4 --- /dev/null +++ b/.tests/CVE-2024-0012/config.yaml @@ -0,0 +1,11 @@ +parsers: + - crowdsecurity/nginx-logs + - crowdsecurity/syslog-logs + - crowdsecurity/dateparse-enrich +scenarios: + - ./scenarios/crowdsecurity/CVE-2024-0012.yaml +postoverflows: + - "" +log_file: CVE-2024-0012.log +log_type: nginx +ignore_parsers: true diff --git a/.tests/CVE-2024-0012/parser.assert b/.tests/CVE-2024-0012/parser.assert new file mode 100644 index 00000000000..e69de29bb2d diff --git a/.tests/CVE-2024-0012/scenario.assert b/.tests/CVE-2024-0012/scenario.assert new file mode 100644 index 00000000000..62b81cb03d1 --- /dev/null +++ b/.tests/CVE-2024-0012/scenario.assert @@ -0,0 +1,37 @@ +len(results) == 2 +"10.0.0.2" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["10.0.0.2"].IP == "10.0.0.2" +results[0].Overflow.Sources["10.0.0.2"].Range == "" +results[0].Overflow.Sources["10.0.0.2"].GetScope() == "Ip" +results[0].Overflow.Sources["10.0.0.2"].GetValue() == "10.0.0.2" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "CVE-2024-0012.log" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/php/ztp_gate.php/.js.map" +results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "404" +results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" +results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET" +results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log" +results[0].Overflow.Alert.Events[0].GetMeta("service") == "http" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.2" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-11-20T04:13:06Z" +results[0].Overflow.Alert.GetScenario() == "crowdsecurity/CVE-2024-0012" +results[0].Overflow.Alert.Remediation == true +results[0].Overflow.Alert.GetEventsCount() == 1 +"10.0.0.1" in results[1].Overflow.GetSources() +results[1].Overflow.Sources["10.0.0.1"].IP == "10.0.0.1" +results[1].Overflow.Sources["10.0.0.1"].Range == "" +results[1].Overflow.Sources["10.0.0.1"].GetScope() == "Ip" +results[1].Overflow.Sources["10.0.0.1"].GetValue() == "10.0.0.1" +results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "CVE-2024-0012.log" +results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[1].Overflow.Alert.Events[0].GetMeta("http_path") == "/index.php/.js.map" +results[1].Overflow.Alert.Events[0].GetMeta("http_status") == "404" +results[1].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" +results[1].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET" +results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log" +results[1].Overflow.Alert.Events[0].GetMeta("service") == "http" +results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.1" +results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-11-20T04:13:06Z" +results[1].Overflow.Alert.GetScenario() == "crowdsecurity/CVE-2024-0012" +results[1].Overflow.Alert.Remediation == true +results[1].Overflow.Alert.GetEventsCount() == 1 \ No newline at end of file diff --git a/.tests/CVE-2024-9474/CVE-2024-9474.log b/.tests/CVE-2024-9474/CVE-2024-9474.log new file mode 100644 index 00000000000..d68bc63d71e --- /dev/null +++ b/.tests/CVE-2024-9474/CVE-2024-9474.log @@ -0,0 +1 @@ +10.0.0.1 - - [20/Nov/2024:04:13:06 +0000] "POST /php/utils/createRemoteAppwebSession.php/watchTowr.js.map HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" "-" diff --git a/.tests/CVE-2024-9474/config.yaml b/.tests/CVE-2024-9474/config.yaml new file mode 100644 index 00000000000..d0c8f2b3ba6 --- /dev/null +++ b/.tests/CVE-2024-9474/config.yaml @@ -0,0 +1,11 @@ +parsers: + - crowdsecurity/nginx-logs + - crowdsecurity/syslog-logs + - crowdsecurity/dateparse-enrich +scenarios: + - ./scenarios/crowdsecurity/CVE-2024-9474.yaml +postoverflows: + - "" +log_file: CVE-2024-9474.log +log_type: nginx +ignore_parsers: true diff --git a/.tests/CVE-2024-9474/parser.assert b/.tests/CVE-2024-9474/parser.assert new file mode 100644 index 00000000000..e69de29bb2d diff --git a/.tests/CVE-2024-9474/scenario.assert b/.tests/CVE-2024-9474/scenario.assert new file mode 100644 index 00000000000..9e1e87f64d8 --- /dev/null +++ b/.tests/CVE-2024-9474/scenario.assert @@ -0,0 +1,19 @@ +len(results) == 1 +"10.0.0.1" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["10.0.0.1"].IP == "10.0.0.1" +results[0].Overflow.Sources["10.0.0.1"].Range == "" +results[0].Overflow.Sources["10.0.0.1"].GetScope() == "Ip" +results[0].Overflow.Sources["10.0.0.1"].GetValue() == "10.0.0.1" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "CVE-2024-9474.log" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/php/utils/createRemoteAppwebSession.php/watchTowr.js.map" +results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "404" +results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" +results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "POST" +results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log" +results[0].Overflow.Alert.Events[0].GetMeta("service") == "http" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.1" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-11-20T04:13:06Z" +results[0].Overflow.Alert.GetScenario() == "crowdsecurity/CVE-2024-9474" +results[0].Overflow.Alert.Remediation == true +results[0].Overflow.Alert.GetEventsCount() == 1 \ No newline at end of file diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-0012.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-0012.yaml new file mode 100644 index 00000000000..6aeab33c4a2 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-0012.yaml @@ -0,0 +1,26 @@ + +name: crowdsecurity/vpatch-CVE-2024-0012 +description: "PanOS - Authentication Bypass (CVE-2024-0012)" +rules: + - and: + - zones: + - HEADERS + variables: + - x-pan-authcheck + transform: + - lowercase + match: + type: equals + value: off +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: "http:exploit" + label: "PanOS - Authentication Bypass" + classification: + - cve.CVE-2024-0012 + - attack.T1595 + - attack.T1190 + - cwe.CWE-306 \ No newline at end of file diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-9474.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-9474.yaml new file mode 100644 index 00000000000..a2972ba3041 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-9474.yaml @@ -0,0 +1,45 @@ + +name: crowdsecurity/vpatch-CVE-2024-9474 +description: "PanOS - Privilege Escalation (CVE-2024-9474)" +rules: + - and: + - zones: + - METHOD + match: + type: equals + value: POST + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /php/utils/createremoteappwebsession.php/ + - zones: + - URI + transform: + - lowercase + match: + type: endsWith + value: .js.map + - zones: + - BODY_ARGS + variables: + - user + transform: + - lowercase + match: + type: regex + value: "[$;|&`>]" +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: "http:exploit" + label: "PanOS - Privilege Escalation (CVE-2024-9474)" + classification: + - cve.CVE-2024-9474 + - attack.T1595 + - attack.T1190 + - cwe.CWE-78 diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 6b9c79d9258..7b9b3d2cac5 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -71,6 +71,8 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-51567 - crowdsecurity/vpatch-CVE-2024-27956 - crowdsecurity/vpatch-CVE-2024-27954 +- crowdsecurity/vpatch-CVE-2024-0012 +- crowdsecurity/vpatch-CVE-2024-9474 author: crowdsecurity contexts: - crowdsecurity/appsec_base diff --git a/collections/crowdsecurity/http-cve.yaml b/collections/crowdsecurity/http-cve.yaml index 11db317ac51..5ba3e7c5ce7 100644 --- a/collections/crowdsecurity/http-cve.yaml +++ b/collections/crowdsecurity/http-cve.yaml @@ -27,6 +27,8 @@ scenarios: - crowdsecurity/CVE-2023-49103 - crowdsecurity/CVE-2017-9841 - crowdsecurity/CVE-2024-38475 + - crowdsecurity/CVE-2024-0012 + - crowdsecurity/CVE-2024-9474 author: crowdsecurity description: "Detect CVE exploitation in http logs" tags: diff --git a/scenarios/crowdsecurity/CVE-2024-0012.md b/scenarios/crowdsecurity/CVE-2024-0012.md new file mode 100644 index 00000000000..24e44b92cca --- /dev/null +++ b/scenarios/crowdsecurity/CVE-2024-0012.md @@ -0,0 +1,3 @@ +Detect exploitation of PanOS CVE-2024-0012 + +Ref: https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/ diff --git a/scenarios/crowdsecurity/CVE-2024-0012.yaml b/scenarios/crowdsecurity/CVE-2024-0012.yaml new file mode 100644 index 00000000000..4d5c7757c93 --- /dev/null +++ b/scenarios/crowdsecurity/CVE-2024-0012.yaml @@ -0,0 +1,23 @@ +type: trigger +format: 2.0 +name: crowdsecurity/CVE-2024-0012 +description: "Detect CVE-2024-0012 exploitation attempts" +filter: | + let request = Lower(evt.Parsed.request); + evt.Meta.log_type in ['http_access-log', 'http_error-log'] && + evt.Meta.http_status in ['404', '403'] && + (request matches '/php/.*/\\.js\\.map' || request matches '/index.php/.*\\.js\\.map') +groupby: "evt.Meta.source_ip" +blackhole: 2m +labels: + type: exploit + remediation: true + classification: + - attack.T1595 + - attack.T1190 + - cve.CVE-2024-0012 + confidence: 3 + spoofable: 0 + behavior: "http:exploit" + label: "CVE-2024-0012" + service: panos diff --git a/scenarios/crowdsecurity/CVE-2024-9474.md b/scenarios/crowdsecurity/CVE-2024-9474.md new file mode 100644 index 00000000000..35da4ed152f --- /dev/null +++ b/scenarios/crowdsecurity/CVE-2024-9474.md @@ -0,0 +1,3 @@ +Detect exploitation of PanOS CVE-2024-9474 + +Ref: https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/ diff --git a/scenarios/crowdsecurity/CVE-2024-9474.yaml b/scenarios/crowdsecurity/CVE-2024-9474.yaml new file mode 100644 index 00000000000..57d675408ee --- /dev/null +++ b/scenarios/crowdsecurity/CVE-2024-9474.yaml @@ -0,0 +1,24 @@ +type: trigger +format: 2.0 +name: crowdsecurity/CVE-2024-9474 +description: "Detect CVE-2024-9474 exploitation attempts" +filter: | + let request = Lower(evt.Parsed.request); + evt.Meta.log_type in ['http_access-log', 'http_error-log'] && + evt.Meta.http_status in ['404', '403'] && + evt.Meta.http_verb == 'POST' && + request contains '/php/utils/createremoteappwebsession.php/watchtowr.js.map' +groupby: "evt.Meta.source_ip" +blackhole: 2m +labels: + type: exploit + remediation: true + classification: + - attack.T1595 + - attack.T1190 + - cve.CVE-2024-9474 + confidence: 3 + spoofable: 0 + behavior: "http:exploit" + label: "CVE-2024-9474" + service: panos diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json index be05b77b5ab..b574872c6d6 100644 --- a/taxonomy/scenarios.json +++ b/taxonomy/scenarios.json @@ -1160,6 +1160,28 @@ "CVE-2023-7028" ] }, + "crowdsecurity/vpatch-CVE-2024-0012": { + "name": "crowdsecurity/vpatch-CVE-2024-0012", + "description": "PanOS - Authentication Bypass (CVE-2024-0012)", + "label": "PanOS - Authentication Bypass", + "behaviors": [ + "http:exploit" + ], + "mitre_attacks": [ + "TA0043:T1595", + "TA0001:T1190" + ], + "confidence": 3, + "spoofable": 0, + "cti": true, + "service": "http", + "cves": [ + "CVE-2024-0012" + ], + "cwes": [ + "CWE-306" + ] + }, "crowdsecurity/vpatch-CVE-2024-1061": { "name": "crowdsecurity/vpatch-CVE-2024-1061", "description": "WordPress HTML5 Video Player - SQL Injection (CVE-2024-1061)", @@ -1639,6 +1661,28 @@ "CWE-78" ] }, + "crowdsecurity/vpatch-CVE-2024-9474": { + "name": "crowdsecurity/vpatch-CVE-2024-9474", + "description": "PanOS - Privilege Escalation (CVE-2024-9474)", + "label": "PanOS - Privilege Escalation (CVE-2024-9474)", + "behaviors": [ + "http:exploit" + ], + "mitre_attacks": [ + "TA0043:T1595", + "TA0001:T1190" + ], + "confidence": 3, + "spoofable": 0, + "cti": true, + "service": "http", + "cves": [ + "CVE-2024-9474" + ], + "cwes": [ + "CWE-78" + ] + }, "crowdsecurity/vpatch-connectwise-auth-bypass": { "name": "crowdsecurity/vpatch-connectwise-auth-bypass", "description": "Detect exploitation of auth bypass in ConnectWise ScreenConnect", @@ -2739,6 +2783,25 @@ "cti": true, "service": "linux" }, + "crowdsecurity/CVE-2024-0012": { + "name": "crowdsecurity/CVE-2024-0012", + "description": "Detect CVE-2024-0012 exploitation attempts", + "label": "CVE-2024-0012", + "behaviors": [ + "http:exploit" + ], + "mitre_attacks": [ + "TA0043:T1595", + "TA0001:T1190" + ], + "confidence": 3, + "spoofable": 0, + "cti": true, + "service": "panos", + "cves": [ + "CVE-2024-0012" + ] + }, "crowdsecurity/CVE-2024-38475": { "name": "crowdsecurity/CVE-2024-38475", "description": "Detect CVE-2024-38475 exploitation attempts", @@ -2758,6 +2821,25 @@ "CVE-2024-38475" ] }, + "crowdsecurity/CVE-2024-9474": { + "name": "crowdsecurity/CVE-2024-9474", + "description": "Detect CVE-2024-9474 exploitation attempts", + "label": "CVE-2024-9474", + "behaviors": [ + "http:exploit" + ], + "mitre_attacks": [ + "TA0043:T1595", + "TA0001:T1190" + ], + "confidence": 3, + "spoofable": 0, + "cti": true, + "service": "panos", + "cves": [ + "CVE-2024-9474" + ] + }, "crowdsecurity/amavis-blocked": { "name": "crowdsecurity/amavis-blocked", "description": "Ban IPs that are blocked by amavis",