Sid:2055984 Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-8190)

rampage · September 27, 2024, 6:59pm

Greetings friends!

sid:2055984 references www.horizon3.ai/attack-research/cisa-kev-cve-2024-8190-ivanti-csa-command-injection/, however it is not alerting on POST requests produced by the POC (GitHub - horizon3ai/CVE-2024-8190: CVE-2024-8190: Ivanti Cloud Service Appliance Command Injection).

Example POST data payload:

POST /gsb/datetime.php HTTP/1.1
Host: 127.0.0.1:80
User-Agent: python-requests/2.28.1
Accept-Encoding: gzip, deflate
Accept: /
Connection: keep-alive
Content-Length: 133
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YWRtaW46YWRtaW4=

dateTimeFormSubmitted=1&TIMEZONE=%3B+%60yes+%27Happy+Friday%27%60+%3B&CYEAR=2024&CMONTH=9&CDAY=13&CHOUR=12&CMIN=34&LDCSA_CSRF=sp00fLDCSA&SUBMIT_TIME=Save

The signature appears to be looking for JSON content, ex: content:“|22|TIMEZONE|22 3a|”, but this POC sends the data as application/x-www-form-urlencoded, which is the default Content-Type used by python Requests.

stu4rt · October 1, 2024, 7:57pm

@rampage Thanks for the heads up! Expect an update in the today’s release.

Topic		Replies	Views
ET EXPLOIT Fortinet FortiSIEM Unauthenticated Command Injection CVE-2023-34992 Rule Signatures	3	192	June 3, 2024
ET MALWARE Generic Request to gate.php Dotted-Quad - Rule ID 2022986 Rule Signatures rule-analysis , etopen	1	277	January 29, 2024
SID 2012870 - Outbound Request contains pw Rule Signatures snort3 , false-positives	2	304	December 19, 2023
GitLab Pre-Auth RCE (CVE-2021-22205) Signature Rule Signatures	3	599	February 18, 2023
Possible FP: ET MALWARE Sourtoff Receiving Simda Payload Rule Signatures etopen	4	305	July 7, 2023

Sid:2055984 Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-8190)

Related topics