From 0a3dcb3b921965643fc8feaf72ab7e318c91198e Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 9 May 2025 17:07:32 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2024-38653 rule --- .../crowdsecurity/vpatch-CVE-2024-38653.yaml | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-38653.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-38653.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-38653.yaml new file mode 100644 index 00000000000..0c15925edad --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-38653.yaml @@ -0,0 +1,40 @@ +## autogenerated on 2025-05-09 17:07:29 +name: crowdsecurity/vpatch-CVE-2024-38653 +description: 'Detects XXE vulnerability in Ivanti Avalanche SmartDeviceServer via /mdm/checkin endpoint with XML payload.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: equals + value: /mdm/checkin + - zones: + - HEADERS + variables: + - content-type + transform: + - lowercase + match: + type: contains + value: application/xml + - zones: + - RAW_BODY + transform: + - lowercase + match: + type: contains + value: ' Date: Fri, 9 May 2025 17:07:33 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2024-38653 test config --- .appsec-tests/vpatch-CVE-2024-38653/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2024-38653/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2024-38653/config.yaml b/.appsec-tests/vpatch-CVE-2024-38653/config.yaml new file mode 100644 index 00000000000..26be4bb0cf5 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-38653/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2025-05-09 17:07:29 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-38653.yaml +nuclei_template: CVE-2024-38653.yaml 
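Review bot: The header condition in the `and` block only fires on `application/xml`, so the same body sent with `text/xml` (or with no Content-Type at all) would not be blocked if the SmartDeviceServer endpoint still parses it as XML; a virtual patch should fail closed on the payload rather than on one media type. Consider widening the header match to `value: xml` (or dropping the header zone entirely and relying on the URI and body conditions), and confirm against the product which media types `/mdm/checkin` actually accepts. The URI condition is an `equals` on the lowercased path, which is fine only if the engine normalises trailing slashes and percent-encoding before comparing — if it does not, `/mdm/checkin/` or an encoded variant bypasses the rule. The RAW_BODY match value is not legible in this rendering of the patch (the XML markup appears to have been stripped), so the body pattern itself cannot be reviewed here.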
From 21268839625f927f04a648dcda9ee0960ced0fc4 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 9 May 2025 17:07:35 +0200 Subject: [PATCH 3/4] Add CVE-2024-38653 test --- .../vpatch-CVE-2024-38653/CVE-2024-38653.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2024-38653/CVE-2024-38653.yaml diff --git a/.appsec-tests/vpatch-CVE-2024-38653/CVE-2024-38653.yaml b/.appsec-tests/vpatch-CVE-2024-38653/CVE-2024-38653.yaml new file mode 100644 index 00000000000..f901b2e56f6 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2024-38653/CVE-2024-38653.yaml @@ -0,0 +1,27 @@ +## autogenerated on 2025-05-09 17:07:29 +id: CVE-2024-38653 +info: + name: CVE-2024-38653 + author: crowdsec + severity: info + description: CVE-2024-38653 testing + tags: appsec-testing +http: + - raw: + - | + PUT /mdm/checkin HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/xml + + + + %asd; + %c; + ]> + + cookie-reuse: true + matchers: + - type: status + status: + - 403 From bef85536afad46a1fa3c5787ce5aee4726b0388c Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 9 May 2025 17:07:37 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2024-38653 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index be69426f031..1a31b32dc30 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -90,6 +90,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-27292 - crowdsecurity/vpatch-CVE-2025-24893 - crowdsecurity/vpatch-CVE-2021-43798 +- crowdsecurity/vpatch-CVE-2024-38653 author: crowdsecurity contexts: - crowdsecurity/appsec_base
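Review bot: The test only asserts that the malicious PUT is answered with 403; there is no companion request showing that a benign XML check-in to `/mdm/checkin` (same method and Content-Type, no DTD or external entity) is still allowed, so a rule that over-matches legitimate MDM traffic would pass this suite unnoticed. Adding a second raw request with a plain XML body and a matcher that expects a non-403 status would pin both directions. The request body in this rendering has its XML markup stripped (only `%asd;`, `%c;` and `]>` survive), so whether the payload actually exercises the rule's body pattern cannot be confirmed from here. The `severity: info` and placeholder description are harness boilerplate and need no change.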