enhance: Add CVE-2024-5910

.appsec-tests/vpatch-CVE-2024-5910/config.yaml

@@ -0,0 +1,4 @@
+appsec-rules:
+    - ./appsec-rules/crowdsecurity/base-config.yaml
+    - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-5910.yaml
+nuclei_template: vpatch-CVE-2024-5910.yaml

.appsec-tests/vpatch-CVE-2024-5910/vpatch-CVE-2024-5910.yaml

@@ -0,0 +1,19 @@
+id: vpatch-CVE-2024-5910
+info:
+  name: vpatch-CVE-2024-5910
+  author: crowdsec
+  severity: info
+  description: vpatch-CVE-2024-5910 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      POST /OS/startup/restore/restoreAdmin.php HTTP/1.1
+      Host: {{Hostname}}
+
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403

appsec-rules/crowdsecurity/vpatch-CVE-2024-5910.yaml

@@ -0,0 +1,30 @@
+
+name: crowdsecurity/vpatch-CVE-2024-5910
+description: "Palo Alto Admin Reset (CVE-2024-5910)"
+rules:
+  - and:
+    - zones:
+      - METHOD
+      match:
+        type: equals
+        value: POST
+    - zones:
+      - URI
+      transform:
+      - lowercase
+      match:
+        type: contains
+        value: /os/startup/restore/restoreadmin.php
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: "http:exploit"
+  label: "Palo Alto Admin Reset"
+  classification:
+   - cve.CVE-2024-5910
+   - attack.T1595
+   - attack.T1190
+   - cwe.CWE-306
+   - cwe.CWE-276

collections/crowdsecurity/appsec-virtual-patching.yaml

@@ -71,6 +71,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2024-51567
 - crowdsecurity/vpatch-CVE-2024-27956
 - crowdsecurity/vpatch-CVE-2024-27954
+- crowdsecurity/vpatch-CVE-2024-5910
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base