vpatch-CVE-2024-7593

crowdsecurity · Nov 18, 2024 · d63e03c · d63e03c
1 parent 5534512
commit d63e03c
Show file tree

Hide file tree

Showing 4 changed files with 105 additions and 0 deletions.
diff --git a/.appsec-tests/vpatch-CVE-2024-7593/config.yaml b/.appsec-tests/vpatch-CVE-2024-7593/config.yaml
@@ -0,0 +1,5 @@
+
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-7593.yaml
+nuclei_template: test-CVE-2024-7593.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-7593/test-CVE-2024-7593.yaml b/.appsec-tests/vpatch-CVE-2024-7593/test-CVE-2024-7593.yaml
@@ -0,0 +1,22 @@
+
+id: test-CVE-2024-7593
+info:
+  name: test-CVE-2024-7593
+  author: crowdsec
+  severity: info
+  description: test-CVE-2024-7593 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /apps/zxtm/wizard.fcgi?error=1&section=Access+Management%3ALocalUsers HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        _form_submitted=form&create_user=Create&group=admin&newusername=testuser&password1=testpass&password2=testpass
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403
+
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-7593.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-7593.yaml
@@ -0,0 +1,76 @@
+name: crowdsecurity/vpatch-CVE-2024-7593
+description: "Ivanti vTM - Authentication Bypass (CVE-2024-7593)"
+rules:
+  - and:
+    - zones:
+        - METHOD
+      match:
+        type: equals
+        value: POST
+    - zones:
+        - URI
+      transform:
+        - lowercase
+      match:
+        type: endsWith
+        value: /apps/zxtm/wizard.fcgi
+    - zones:
+        - ARGS
+      variables:
+        - section
+      transform:
+        - lowercase
+        - urldecode
+      match:
+        type: equals
+        value: "access management:localusers"
+    - zones:
+        - ARGS
+      variables:
+        - error
+      transform:
+        - lowercase
+      match:
+        type: equals
+        value: 1
+    - zones:
+        - BODY_ARGS
+      variables:
+        - create_user
+      match:
+        type: equals
+        value: Create
+    - zones:
+        - BODY_ARGS
+      variables:
+        - group
+      match:
+        type: equals
+        value: admin
+    - zones:
+        - BODY_ARGS
+      variables:
+        - newusername
+      match:
+        type: regex
+        value: ^.*$
+    - zones:
+        - BODY_ARGS
+      variables:
+        - password1
+      match:
+        type: regex
+        value: ^.*$
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: "http:exploit"
+  label: "Ivanti vTM - Authentication Bypass"
+  classification:
+    - cve.CVE-2024-7593
+    - attack.T1190
+    - cwe.CWE-287
+    - cwe.CWE-303
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -64,6 +64,8 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2022-41082
 - crowdsecurity/vpatch-CVE-2019-18935
 - crowdsecurity/vpatch-CVE-2024-8190
+- crowdsecurity/vpatch-CVE-2024-28987
+- crowdsecurity/vpatch-CVE-2024-7593
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base