vpatch-CVE-2024-22024 AppSec Rule

« vpatch-CVE-2024-22024 »
v0.1 by crowdsecurity
AppSec rule

Ivanti Connect Secure - XXE (CVE-2024-22024)

Installation

cscli appsec-rules install crowdsecurity/vpatch-CVE-2024-22024

YAML Configuration

1name: crowdsecurity/vpatch-CVE-2024-22024
2description: "Ivanti Connect Secure - XXE (CVE-2024-22024)"
3rules:
4  - and:
5    - zones:
6      - METHOD
7      match:
8        type: equals
9        value: POST
10    - zones:
11      - URI
12      transform:
13      - lowercase
14      match:
15        type: endsWith
16        value: "/dana-na/auth/saml-sso.cgi"
17    - zones:
18      - BODY_ARGS
19      transform:
20      - b64decode
21      variables:
22      - SAMLRequest
23      match:
24        type: contains
25        value: "<!ENTITY"
26labels:
27  type: exploit
28  service: http
29  confidence: 3
30  spoofable: 0
31  behavior: "http:exploit"
32  label: "Ivanti Connect Secure - XXE"
33  classification:
34   - cve.CVE-2024-22024
35   - attack.T1595
36   - attack.T1190
37   - cwe.CWE-611
38
39
40

Hub Appsec rule

« vpatch-CVE-2024-22024 »v0.1 by crowdsecurityAppSec rule

« vpatch-CVE-2024-22024 »
v0.1 by crowdsecurity
AppSec rule