vpatch-CVE-2023-1389 AppSec Rule

« vpatch-CVE-2023-1389 »
v0.1 by crowdsecurity
AppSec rule

TP-Link Archer AX21 - RCE (CVE-2023-1389)

Installation

cscli appsec-rules install crowdsecurity/vpatch-CVE-2023-1389

YAML Configuration

1name: crowdsecurity/vpatch-CVE-2023-1389
2description: "TP-Link Archer AX21 - RCE (CVE-2023-1389)"
3rules:
4  - and:
5    - zones:
6      - URI
7      transform:
8      - lowercase
9      match:
10        type: endsWith
11        value: /cgi-bin/luci/;stok=/locale
12    - zones:
13      - ARGS
14      variables:
15      - form
16      match:
17        type: equals
18        value: country
19    - zones:
20      - BODY_ARGS
21      - ARGS
22      variables:
23      - operation
24      match:
25        type: equals
26        value: write
27    - zones:
28      - BODY_ARGS
29      - ARGS
30      variables:
31      - country
32      match:
33        type: regex
34        value: "[^a-zA-Z0-9_.-]+"
35
36labels:
37  type: exploit
38  service: http
39  confidence: 3
40  spoofable: 0
41  behavior: "http:exploit"
42  label: "TP-Link Archer AX21 - RCE"
43  classification:
44   - cve.CVE-2023-1389
45   - attack.T1595
46   - attack.T1190
47   - cwe.CWE-77
48

Hub Appsec rule

« vpatch-CVE-2023-1389 »v0.1 by crowdsecurityAppSec rule

« vpatch-CVE-2023-1389 »
v0.1 by crowdsecurity
AppSec rule