Skip to content

Commit

Permalink
CVE 2024 7593 (#1167)
Browse files Browse the repository at this point in the history 
* vpatch-CVE-2024-7593
  • Loading branch information
@Dewwi
Dewwi authored Nov 20, 2024
1 parent 157cf65 commit c63cecb
Show file tree
Hide file tree
Showing 6 changed files with 161 additions and 3 deletions.
5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-7593/config.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@

appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-7593.yaml
nuclei_template: test-CVE-2024-7593.yaml
22 changes: 22 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-7593/test-CVE-2024-7593.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@

id: test-CVE-2024-7593
info:
name: test-CVE-2024-7593
author: crowdsec
severity: info
description: test-CVE-2024-7593 testing
tags: appsec-testing
http:
- raw:
- |
POST /apps/zxtm/wizard.fcgi?error=1&section=Access+Management%3ALocalUsers HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_form_submitted=form&create_user=Create&group=admin&newusername=testuser&password1=testpass&password2=testpass
cookie-reuse: true
matchers:
- type: status
status:
- 403

38 changes: 35 additions & 3 deletions .index.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2559,6 +2559,33 @@
"type": "exploit"
}
},
"crowdsecurity/vpatch-CVE-2024-7593": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-7593.yaml",
"version": "0.1",
"versions": {
"0.1": {
"digest": "150dab77481d68e06e7c1214584d7724a66249394fcf72e493880a541fb59517",
"deprecated": false
}
},
"content": "bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNzU5MwpkZXNjcmlwdGlvbjogIkl2YW50aSB2VE0gLSBBdXRoZW50aWNhdGlvbiBCeXBhc3MgKENWRS0yMDI0LTc1OTMpIgpydWxlczoKICAtIGFuZDoKICAgIC0gem9uZXM6CiAgICAgICAgLSBNRVRIT0QKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZXF1YWxzCiAgICAgICAgdmFsdWU6IFBPU1QKICAgIC0gem9uZXM6CiAgICAgICAgLSBVUkkKICAgICAgdHJhbnNmb3JtOgogICAgICAgIC0gbG93ZXJjYXNlCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGVuZHNXaXRoCiAgICAgICAgdmFsdWU6IC9hcHBzL3p4dG0vd2l6YXJkLmZjZ2kKICAgIC0gem9uZXM6CiAgICAgICAgLSBBUkdTCiAgICAgIHZhcmlhYmxlczoKICAgICAgICAtIHNlY3Rpb24KICAgICAgdHJhbnNmb3JtOgogICAgICAgIC0gbG93ZXJjYXNlCiAgICAgICAgLSB1cmxkZWNvZGUKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZXF1YWxzCiAgICAgICAgdmFsdWU6ICJhY2Nlc3MgbWFuYWdlbWVudDpsb2NhbHVzZXJzIgogICAgLSB6b25lczoKICAgICAgICAtIEFSR1MKICAgICAgdmFyaWFibGVzOgogICAgICAgIC0gZXJyb3IKICAgICAgdHJhbnNmb3JtOgogICAgICAgIC0gbG93ZXJjYXNlCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGVxdWFscwogICAgICAgIHZhbHVlOiAxCiAgICAtIHpvbmVzOgogICAgICAgIC0gQk9EWV9BUkdTCiAgICAgIHZhcmlhYmxlczoKICAgICAgICAtIGNyZWF0ZV91c2VyCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGVxdWFscwogICAgICAgIHZhbHVlOiBDcmVhdGUKICAgIC0gem9uZXM6CiAgICAgICAgLSBCT0RZX0FSR1MKICAgICAgdmFyaWFibGVzOgogICAgICAgIC0gZ3JvdXAKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZXF1YWxzCiAgICAgICAgdmFsdWU6IGFkbWluCiAgICAtIHpvbmVzOgogICAgICAgIC0gQk9EWV9BUkdTCiAgICAgIHZhcmlhYmxlczoKICAgICAgICAtIG5ld3VzZXJuYW1lCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IHJlZ2V4CiAgICAgICAgdmFsdWU6IF4uKiQKICAgIC0gem9uZXM6CiAgICAgICAgLSBCT0RZX0FSR1MKICAgICAgdmFyaWFibGVzOgogICAgICAgIC0gcGFzc3dvcmQxCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IHJlZ2V4CiAgICAgICAgdmFsdWU6IF4uKiQKCmxhYmVsczoKICB0eXBlOiBleHBsb2l0CiAgc2VydmljZTogaHR0cAogIGNvbmZpZGVuY2U6IDMKICBzcG9vZmFibGU6IDAKICBiZWhhdmlvcjogImh0dHA6ZXhwbG9pdCIKICBsYWJlbDogIkl2YW50aSB2VE0gLSBBdXRoZW50aWNhdGlvbiBCeXBhc3MiCiAgY2xhc3NpZmljYXRpb246CiAgICAtIGN2ZS5DVkUtMjAyNC03NTkzCiAgICAtIGF0dGFjay5UMTE5MAogICAgLSBjd2UuQ1dFLTI4NwogICAgLSBjd2UuQ1dFLTMwMw==",
"description": "Ivanti vTM - Authentication Bypass (CVE-2024-7593)",
"author": "crowdsecurity",
"labels": {
"behavior": "http:exploit",
"classification": [
"cve.CVE-2024-7593",
"attack.T1190",
"cwe.CWE-287",
"cwe.CWE-303"
],
"confidence": 3,
"label": "Ivanti vTM - Authentication Bypass",
"service": "http",
"spoofable": 0,
"type": "exploit"
}
},
"crowdsecurity/vpatch-CVE-2024-8190": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-8190.yaml",
"version": "0.1",
Expand Down Expand Up @@ -3492,7 +3519,7 @@
},
"crowdsecurity/appsec-virtual-patching": {
"path": "collections/crowdsecurity/appsec-virtual-patching.yaml",
"version": "4.5",
"version": "4.6",
"versions": {
"0.1": {
"digest": "a165d638c8d826a932e4ca4e70ec5379d558a0bee1356e871c7c92cc2df714fc",
Expand Down Expand Up @@ -3673,10 +3700,14 @@
"4.5": {
"digest": "702bce51ce84b376355b93e8accf3943b50007fcebcb3388eec8771806ba726b",
"deprecated": false
},
"4.6": {
"digest": "a96e4880adb015a86249a6808fe7085d9c5bb37e6351adbbe105b5f3ac53cac6",
"deprecated": false
}
},
"long_description": "IyBBcHBTZWMgVmlydHVhbCBQYXRjaGluZwoKVGhpcyBjb2xsZWN0aW9uIGNvbnRhaW5zIHZpcnR1YWwgcGF0Y2hpbmcgZm9yIGNvbW1vbmx5IGV4cGxvaXRlZCB2dWxuZXJhYmlsaXRpZXMsIGFuZCBpcyBpbnNwaXJlZCBieSB0aGUgW0NJU0EgS25vd24gRXhwbG9pdGVkIFZ1bG5lcmFiaWxpdGllcyBDYXRhbG9nXShodHRwczovL3d3dy5jaXNhLmdvdi9rbm93bi1leHBsb2l0ZWQtdnVsbmVyYWJpbGl0aWVzLWNhdGFsb2cpLiBUaGUgZ29hbCBpcyB0byBwcm92aWRlIHZpcnR1YWwgcGF0Y2hpbmcgY2FwYWJpbGl0aWVzIGZvciB0aGUgbW9zdCBvZnRlbiBleHBsb2l0ZWQgdnVsbmVyYWJpbGl0aWVzLCBhdm9pZGluZyBmYWxzZSBwb3NpdGl2ZXMgd2hpbGUgY2F0Y2hpbmcgcGVvcGxlIHNjb3V0aW5nIHlvdXIgYXBwbGljYXRpb25zIGZvciBqdWljeSB2dWxuZXJhYmlsaXRpZXMuCg==",
"content": "YXBwc2VjLWNvbmZpZ3M6Ci0gY3Jvd2RzZWN1cml0eS92aXJ0dWFsLXBhdGNoaW5nCi0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtZGVmYXVsdAphcHBzZWMtcnVsZXM6Ci0gY3Jvd2RzZWN1cml0eS9iYXNlLWNvbmZpZwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWVudi1hY2Nlc3MKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00MDA0NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE3LTk4NDEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xMTczOAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTI3OTI2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMzU5MTQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NjE2OQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMTk4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjI1MTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zMzYxNwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUxOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQyNzkzCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNTAxNjQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zODIwNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTI0NDg5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMzEyOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIxLTIyOTQxCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTktMTI5ODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NDg3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwNTYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjU1MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwMDA4NjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xMDAzMDMwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjI5NjUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzc1MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQ5MDcwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtbGFyYXZlbC1kZWJ1Zy1tb2RlCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjgxMjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xNzQ5NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTEzODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy03MDI4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDY4MDUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yMzg5NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIyNTI3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUwNzgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTA4MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTU0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTIxMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLXN5bWZvbnktcHJvZmlsZXIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1jb25uZWN0d2lzZS1hdXRoLWJ5cGFzcwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTIyMDI0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjcxOTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNDU3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5ODQ5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDcyMTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1naXQtY29uZmlnCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMzIxMTMKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjcyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjgyNTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yOTgyNAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3MzQ4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjAtNTkwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEzMzc5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjYxMzQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zNDEwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5OTczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDEwODIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xODkzNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTgxOTAKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yODk4NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODU2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTgtMjAwNjIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMS0yNjA4NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUxNTY3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjc5NTYKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yNzk1NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTAwMTIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC05NDc0CmF1dGhvcjogY3Jvd2RzZWN1cml0eQpjb250ZXh0czoKLSBjcm93ZHNlY3VyaXR5L2FwcHNlY19iYXNlCmRlc2NyaXB0aW9uOiBhIGdlbmVyaWMgdmlydHVhbCBwYXRjaGluZyBjb2xsZWN0aW9uLCBzdWl0YWJsZSBmb3IgbW9zdCB3ZWIgc2VydmVycy4KbmFtZTogY3Jvd2RzZWN1cml0eS9hcHBzZWMtdmlydHVhbC1wYXRjaGluZwpwYXJzZXJzOgotIGNyb3dkc2VjdXJpdHkvYXBwc2VjLWxvZ3MKc2NlbmFyaW9zOgotIGNyb3dkc2VjdXJpdHkvYXBwc2VjLXZwYXRjaAo=",
"content": "YXBwc2VjLWNvbmZpZ3M6Ci0gY3Jvd2RzZWN1cml0eS92aXJ0dWFsLXBhdGNoaW5nCi0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtZGVmYXVsdAphcHBzZWMtcnVsZXM6Ci0gY3Jvd2RzZWN1cml0eS9iYXNlLWNvbmZpZwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWVudi1hY2Nlc3MKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00MDA0NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE3LTk4NDEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xMTczOAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTI3OTI2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMzU5MTQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NjE2OQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMTk4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjI1MTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zMzYxNwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUxOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQyNzkzCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNTAxNjQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zODIwNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTI0NDg5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMzEyOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIxLTIyOTQxCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTktMTI5ODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NDg3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwNTYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjU1MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwMDA4NjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xMDAzMDMwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjI5NjUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzc1MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQ5MDcwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtbGFyYXZlbC1kZWJ1Zy1tb2RlCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjgxMjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xNzQ5NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTEzODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy03MDI4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDY4MDUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yMzg5NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIyNTI3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUwNzgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTA4MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTU0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTIxMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLXN5bWZvbnktcHJvZmlsZXIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1jb25uZWN0d2lzZS1hdXRoLWJ5cGFzcwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTIyMDI0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjcxOTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNDU3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5ODQ5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDcyMTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1naXQtY29uZmlnCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMzIxMTMKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjcyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjgyNTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yOTgyNAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3MzQ4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjAtNTkwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEzMzc5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjYxMzQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zNDEwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5OTczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDEwODIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xODkzNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTgxOTAKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yODk4NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODU2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTgtMjAwNjIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMS0yNjA4NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUxNTY3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjc5NTYKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yNzk1NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTAwMTIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC05NDc0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNzU5MwphdXRob3I6IGNyb3dkc2VjdXJpdHkKY29udGV4dHM6Ci0gY3Jvd2RzZWN1cml0eS9hcHBzZWNfYmFzZQpkZXNjcmlwdGlvbjogYSBnZW5lcmljIHZpcnR1YWwgcGF0Y2hpbmcgY29sbGVjdGlvbiwgc3VpdGFibGUgZm9yIG1vc3Qgd2ViIHNlcnZlcnMuCm5hbWU6IGNyb3dkc2VjdXJpdHkvYXBwc2VjLXZpcnR1YWwtcGF0Y2hpbmcKcGFyc2VyczoKLSBjcm93ZHNlY3VyaXR5L2FwcHNlYy1sb2dzCnNjZW5hcmlvczoKLSBjcm93ZHNlY3VyaXR5L2FwcHNlYy12cGF0Y2gK",
"description": "a generic virtual patching collection, suitable for most web servers.",
"author": "crowdsecurity",
"labels": null,
Expand Down Expand Up @@ -3757,7 +3788,8 @@
"crowdsecurity/vpatch-CVE-2024-27956",
"crowdsecurity/vpatch-CVE-2024-27954",
"crowdsecurity/vpatch-CVE-2024-0012",
"crowdsecurity/vpatch-CVE-2024-9474"
"crowdsecurity/vpatch-CVE-2024-9474",
"crowdsecurity/vpatch-CVE-2024-7593"
],
"appsec-configs": [
"crowdsecurity/virtual-patching",
Expand Down
76 changes: 76 additions & 0 deletions appsec-rules/crowdsecurity/vpatch-CVE-2024-7593.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
name: crowdsecurity/vpatch-CVE-2024-7593
description: "Ivanti vTM - Authentication Bypass (CVE-2024-7593)"
rules:
- and:
- zones:
- METHOD
match:
type: equals
value: POST
- zones:
- URI
transform:
- lowercase
match:
type: endsWith
value: /apps/zxtm/wizard.fcgi
- zones:
- ARGS
variables:
- section
transform:
- lowercase
- urldecode
match:
type: equals
value: "access management:localusers"
- zones:
- ARGS
variables:
- error
transform:
- lowercase
match:
type: equals
value: 1
- zones:
- BODY_ARGS
variables:
- create_user
match:
type: equals
value: Create
- zones:
- BODY_ARGS
variables:
- group
match:
type: equals
value: admin
- zones:
- BODY_ARGS
variables:
- newusername
match:
type: regex
value: ^.*$
- zones:
- BODY_ARGS
variables:
- password1
match:
type: regex
value: ^.*$

labels:
type: exploit
service: http
confidence: 3
spoofable: 0
behavior: "http:exploit"
label: "Ivanti vTM - Authentication Bypass"
classification:
- cve.CVE-2024-7593
- attack.T1190
- cwe.CWE-287
- cwe.CWE-303
1 change: 1 addition & 0 deletions collections/crowdsecurity/appsec-virtual-patching.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ appsec-rules:
- crowdsecurity/vpatch-CVE-2024-27954
- crowdsecurity/vpatch-CVE-2024-0012
- crowdsecurity/vpatch-CVE-2024-9474
- crowdsecurity/vpatch-CVE-2024-7593
author: crowdsecurity
contexts:
- crowdsecurity/appsec_base
Expand Down
22 changes: 22 additions & 0 deletions taxonomy/scenarios.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1639,6 +1639,28 @@
"CWE-276"
]
},
"crowdsecurity/vpatch-CVE-2024-7593": {
"name": "crowdsecurity/vpatch-CVE-2024-7593",
"description": "Ivanti vTM - Authentication Bypass (CVE-2024-7593)",
"label": "Ivanti vTM - Authentication Bypass",
"behaviors": [
"http:exploit"
],
"mitre_attacks": [
"TA0001:T1190"
],
"confidence": 3,
"spoofable": 0,
"cti": true,
"service": "http",
"cves": [
"CVE-2024-7593"
],
"cwes": [
"CWE-287",
"CWE-303"
]
},
"crowdsecurity/vpatch-CVE-2024-8190": {
"name": "crowdsecurity/vpatch-CVE-2024-8190",
"description": "Ivanti Cloud Services Appliance - RCE (CVE-2024-8190)",
Expand Down

0 comments on commit c63cecb

Please sign in to comment.