add vpatch rule for CVE-2024-51567 (#1154)

crowdsecurity · Nov 13, 2024 · 98608ec · 98608ec
1 parent 43782a1
commit 98608ec
Show file tree

Hide file tree

Showing 10 changed files with 161 additions and 19 deletions.
diff --git a/.appsec-tests/vpatch-CVE-2024-51567/config.yaml b/.appsec-tests/vpatch-CVE-2024-51567/config.yaml
@@ -0,0 +1,4 @@
+appsec-rules:
+    - ./appsec-rules/crowdsecurity/base-config.yaml
+    - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-51567.yaml
+nuclei_template: vpatch-CVE-2024-51567.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-51567/vpatch-CVE-2024-51567.yaml b/.appsec-tests/vpatch-CVE-2024-51567/vpatch-CVE-2024-51567.yaml
@@ -0,0 +1,25 @@
+id: vpatch-CVE-2024-51567
+info:
+  name: vpatch-CVE-2024-51567
+  author: crowdsec
+  severity: info
+  description: vpatch-CVE-2024-51567 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      PUT /dataBases/upgrademysqlstatus HTTP/1.1
+      Host: {{Hostname}}
+      Content-Type: application/json
+
+      {
+        "statusFile": "/dev/null; whoami > /tmp/id; #"
+      }
+
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403
diff --git a/.index.json b/.index.json
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-51567.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-51567.yaml
@@ -0,0 +1,40 @@
+
+name: crowdsecurity/vpatch-CVE-2024-51567
+description: "CyberPanel RCE (CVE-2024-51567)"
+rules:
+  - and:
+    - zones:
+      - URI
+      transform:
+      - lowercase
+      match:
+        type: equals
+        value: /databases/upgrademysqlstatus
+    - zones:
+      - METHOD
+      match:
+        type: equals
+        value: PUT
+    - zones:
+      - BODY_ARGS
+      transform:
+        - lowercase
+        - urldecode
+      variables:
+       - json.statusfile
+      match:
+        type: contains
+        value: ';'
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: "http:exploit"
+  label: "CyberPanel RCE"
+  classification:
+   - cve.CVE-2024-51567
+   - attack.T1595
+   - attack.T1190
+   - cwe.CWE-306
+   - cwe.CWE-276
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -68,6 +68,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2024-38856
 - crowdsecurity/vpatch-CVE-2018-20062
 - crowdsecurity/vpatch-CVE-2021-26086
+- crowdsecurity/vpatch-CVE-2024-51567
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base

diff --git a/scenarios/crowdsecurity/http-bf-wordpress_bf_xmlrpc.yaml b/scenarios/crowdsecurity/http-bf-wordpress_bf_xmlrpc.yaml
@@ -1,6 +1,6 @@
 type: leaky
 name: crowdsecurity/http-bf-wordpress_bf_xmlrpc
-description: "detect wordpress bruteforce on xmlrpc"
+description: "Detect WordPress bruteforce on XML-RPC endpoint"
 debug: false
 # XMLRPC always returns 200
 filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'xmlrpc.php' && evt.Parsed.verb == 'POST'"

diff --git a/scenarios/crowdsecurity/impossible-travel.yaml b/scenarios/crowdsecurity/impossible-travel.yaml
@@ -1,7 +1,7 @@
 ## Generic bucket to handle impossible travel for authentication
 type: conditional
 name: crowdsecurity/impossible-travel
-description: "impossible travel"
+description: "Detect Impossible Travel"
 filter: "evt.Meta.log_type == 'auth_success' && evt.Meta.user not in ['', nil]"
 groupby: "evt.Meta.service + evt.Meta.user"
 # To make it generic we concatenate the service name and the user

diff --git a/scenarios/crowdsecurity/iptables-scan-multi_ports.yaml b/scenarios/crowdsecurity/iptables-scan-multi_ports.yaml
@@ -1,6 +1,6 @@
 type: leaky
 name: crowdsecurity/iptables-scan-multi_ports
-description: "ban IPs that are scanning us"
+description: "Detect aggressive portscans"
 filter: "evt.Meta.log_type == 'iptables_drop' && evt.Meta.service == 'tcp'"
 groupby: evt.Meta.source_ip
 distinct: evt.Parsed.dst_port

diff --git a/scenarios/firewallservices/pf-scan-multi_ports.yaml b/scenarios/firewallservices/pf-scan-multi_ports.yaml
@@ -1,6 +1,6 @@
 type: leaky
 name: firewallservices/pf-scan-multi_ports
-description: "ban IPs that are scanning us"
+description: "Detect aggressive portscans (pf)"
 filter: "evt.Meta.log_type == 'pf_drop' && evt.Meta.service == 'tcp'"
 groupby: evt.Meta.source_ip
 distinct: evt.Parsed.dst_port

diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json
@@ -1550,6 +1550,29 @@
       "CWE-707"
     ]
   },
+  "crowdsecurity/vpatch-CVE-2024-51567": {
+    "name": "crowdsecurity/vpatch-CVE-2024-51567",
+    "description": "CyberPanel RCE (CVE-2024-51567)",
+    "label": "CyberPanel RCE",
+    "behaviors": [
+      "http:exploit"
+    ],
+    "mitre_attacks": [
+      "TA0043:T1595",
+      "TA0001:T1190"
+    ],
+    "confidence": 3,
+    "spoofable": 0,
+    "cti": true,
+    "service": "http",
+    "cves": [
+      "CVE-2024-51567"
+    ],
+    "cwes": [
+      "CWE-306",
+      "CWE-276"
+    ]
+  },
   "crowdsecurity/vpatch-CVE-2024-8190": {
     "name": "crowdsecurity/vpatch-CVE-2024-8190",
     "description": "Ivanti Cloud Services Appliance - RCE (CVE-2024-8190)",