From 82f63056761cb8ee56b70d117e8d951a55232119 Mon Sep 17 00:00:00 2001
From: Laurence
Date: Wed, 20 Nov 2024 10:09:27 +0000
Subject: [PATCH] enhance: Add CVE-2024-5910
---
 .../vpatch-CVE-2024-5910/config.yaml | 4 +++
 .../vpatch-CVE-2024-5910.yaml | 19 ++++++++++++
 .../crowdsecurity/vpatch-CVE-2024-5910.yaml | 30 +++++++++++++++++++
 .../appsec-virtual-patching.yaml | 1 +
 4 files changed, 54 insertions(+)
 create mode 100644 .appsec-tests/vpatch-CVE-2024-5910/config.yaml
 create mode 100755 .appsec-tests/vpatch-CVE-2024-5910/vpatch-CVE-2024-5910.yaml
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-5910.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-5910/config.yaml b/.appsec-tests/vpatch-CVE-2024-5910/config.yaml
new file mode 100644
index 00000000000..f5d86240e90
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-5910/config.yaml
@@ -0,0 +1,4 @@
+appsec-rules:
+ - ./appsec-rules/crowdsecurity/base-config.yaml
+ - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-5910.yaml
+nuclei_template: vpatch-CVE-2024-5910.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-5910/vpatch-CVE-2024-5910.yaml b/.appsec-tests/vpatch-CVE-2024-5910/vpatch-CVE-2024-5910.yaml
new file mode 100755
index 00000000000..7669de959cc
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-5910/vpatch-CVE-2024-5910.yaml
@@ -0,0 +1,19 @@
+id: vpatch-CVE-2024-5910
+info:
+ name: vpatch-CVE-2024-5910
+ author: crowdsec
+ severity: info
+ description: vpatch-CVE-2024-5910 testing
+ tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+ - raw:
+ - |
+ POST /OS/startup/restore/restoreAdmin.php HTTP/1.1
+ Host: {{Hostname}}
+
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-5910.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-5910.yaml
new file mode 100644
index 00000000000..54f9f8e2af2
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-5910.yaml
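Review bot: The two scaffold comments left in the new nuclei test template no longer describe it — `#this is a dummy request, edit the request(s) to match your needs` now sits above the real CVE-2024-5910 probe, and `#test will fail because we won't match http status` contradicts the 403 matcher, which is exactly the block response the virtual patch is expected to produce. Replace them with comments that state the intent, e.g. `# CVE-2024-5910: an unauthenticated request to the Palo Alto admin-reset script must be blocked` above the request and `# 403 = request rejected by the AppSec engine` above the matcher. The mixed-case `restoreAdmin.php` path is a good choice because it exercises the rule's lowercase transform; a second request using GET would additionally show whether the rule's POST-only condition is intended coverage or a gap.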
@@ -0,0 +1,30 @@
+
+name: crowdsecurity/vpatch-CVE-2024-5910
+description: "Palo Alto Admin Reset (CVE-2024-5910)"
+rules:
+ - and:
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: POST
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: contains
+ value: /os/startup/restore/restoreadmin.php
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Palo Alto Admin Reset"
+ classification:
+ - cve.CVE-2024-5910
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-306
+ - cwe.CWE-276
\ No newline at end of file
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
index 6b9c79d9258..24c5a7ed9a4 100644
--- a/collections/crowdsecurity/appsec-virtual-patching.yaml
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -71,6 +71,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2024-51567
 - crowdsecurity/vpatch-CVE-2024-27956
 - crowdsecurity/vpatch-CVE-2024-27954
+- crowdsecurity/vpatch-CVE-2024-5910
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base
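Review bot: The rule only fires when METHOD equals POST (first branch of the `and`), so a client that hits the same script with GET or any other verb passes the virtual patch untouched; CVE-2024-5910 is classified here as CWE-306 (missing authentication) on the script itself, and unless the endpoint is confirmed to act only on POST, this method gate is a one-token bypass. If the restriction is not deliberate, drop the METHOD branch and keep the single URI condition, or widen it to `type: regex` with `value: "^(GET|POST)$"`, and add a GET request to the test template, which currently sends only POST. The URI check is `contains` on a lowercased path, which handles case variants, but whether dot-segment (`/OS/./startup/…`) or percent-encoded forms are normalized before the URI zone is matched is not visible in this diff — worth pinning with a test case. Minor: the new file opens with an empty line and ends without a trailing newline (`\ No newline at end of file`).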