Add vpatch-CVE-2018-1207 rule and test #1492
Conversation
|
Hello @crowdsec-automation and thank you for your contribution! ❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection: 🔴 crowdsecurity/vpatch-CVE-2018-1207 🔴 |
|
Hello @crowdsec-automation, Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution! |
|
Hello @buixor, ✅ The new VPATCH Rule is compliant, thank you for your contribution! |
|
Hello @buixor, Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution! |
|
Hello @buixor and thank you for your contribution! ❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection: 🔴 crowdsecurity/vpatch-CVE-2023-0600 🔴 |
|
Hello @buixor, Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution! |
|
Hello @buixor and thank you for your contribution! ❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection: 🔴 crowdsecurity/vpatch-CVE-2023-0600 🔴 |
|
Hello @buixor, Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution! |
This rule detects exploitation attempts for CVE-2018-1207, a remote code injection vulnerability in Dell iDRAC7/8 devices. The attack is performed by passing the
LD_DEBUGenvironment variable as a CGI parameter to/cgi-bin/login. The rule matches requests where the URI contains/cgi-bin/login(case-insensitive) and where any argument name containsld_debug(case-insensitive). This approach is robust and minimizes false positives by focusing on the specific attack vector. The test configuration ensures the rule is loaded, and the nuclei test checks for a 403 response, indicating the WAF blocked the exploit attempt.Validation checklist:
value:fields are lowercase.transformincludeslowercasewhere applicable.match.valuecontains capital letters.containsinstead ofregexwhere applicable.