From c885b5fc9292981a75023eb642058e0dd8e0e414 Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Wed, 7 May 2025 16:59:05 +0200
Subject: [PATCH 1/4] Add vpatch-CVE-2024-32870 rule
---
 .../crowdsecurity/vpatch-CVE-2024-32870.yaml | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-32870.yaml
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-32870.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-32870.yaml
new file mode 100644
index 00000000000..3f0d8cd328c
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-32870.yaml
@@ -0,0 +1,55 @@
+## autogenerated on 2025-05-07 16:59:02
+name: crowdsecurity/vpatch-CVE-2024-32870
+description: 'Detects unauthorized access to iTop Hub Connector information disclosure endpoint.'
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: contains
+ value: /pages/exec.php
+ - zones:
+ - ARGS
+ variables:
+ - exec_module
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: equals
+ value: itop-hub-connector
+ - zones:
+ - ARGS
+ variables:
+ - exec_page
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: equals
+ value: launch.php
+ - zones:
+ - ARGS
+ variables:
+ - target
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: equals
+ value: inform_after_setup
+
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: 'http:exploit'
+ label: 'iTop Hub Connector - Information Disclosure'
+ classification:
+ - cve.CVE-2024-32870
+ - attack.T1592
+ - cwe.CWE-200
From 2390c00bdf66019f86719ed7f325c43dcc602bcf Mon Sep 17 00:00:00 2001
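Review bot: The three parameter conditions in vpatch-CVE-2024-32870.yaml inspect only the `ARGS` zone, so the rule sees `exec_module`, `exec_page` and `target` only when they arrive in the query string. Whether iTop's `exec.php` also reads them from a form body is not visible in this patch; if it does, the virtual patch would not cover that request shape. Consider listing `- BODY_ARGS` next to `- ARGS` under each of the three `zones:` lists. A short comment above `rules:` would also help maintainers of this autogenerated file, stating that all four conditions must hold and why the URI uses `contains` while the parameters use `equals`.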
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Wed, 7 May 2025 16:59:07 +0200
Subject: [PATCH 2/4] Add vpatch-CVE-2024-32870 test config
---
 .appsec-tests/vpatch-CVE-2024-32870/config.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .appsec-tests/vpatch-CVE-2024-32870/config.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-32870/config.yaml b/.appsec-tests/vpatch-CVE-2024-32870/config.yaml
new file mode 100644
index 00000000000..21449d28f13
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-32870/config.yaml
@@ -0,0 +1,5 @@
+## autogenerated on 2025-05-07 16:59:02
+appsec-rules:
+ - ./appsec-rules/crowdsecurity/base-config.yaml
+ - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-32870.yaml
+nuclei_template: CVE-2024-32870.yaml
From 6816c070deecd9fe30e02fd45d4518a6e81b83f6 Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Wed, 7 May 2025 16:59:09 +0200
Subject: [PATCH 3/4] Add CVE-2024-32870 test
---
 .../vpatch-CVE-2024-32870/CVE-2024-32870.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .appsec-tests/vpatch-CVE-2024-32870/CVE-2024-32870.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-32870/CVE-2024-32870.yaml b/.appsec-tests/vpatch-CVE-2024-32870/CVE-2024-32870.yaml
new file mode 100644
index 00000000000..747cf41f028
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-32870/CVE-2024-32870.yaml
@@ -0,0 +1,17 @@
+## autogenerated on 2025-05-07 16:59:02
+id: CVE-2024-32870
+info:
+ name: CVE-2024-32870
+ author: crowdsec
+ severity: info
+ description: CVE-2024-32870 testing
+ tags: appsec-testing
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/pages/exec.php?exec_module=itop-hub-connector&exec_page=launch.php&target=inform_after_setup"
+ cookie-reuse: true
+ matchers:
+ - type: status
+ status:
+ - 403
From bf4894d155ac97a2781d6886fa857fe876a49a5a Mon Sep 17 00:00:00 2001
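Review bot: The single `path` entry in CVE-2024-32870.yaml sends parameter values that are already lowercase and unencoded, so the test confirms the literal match but never exercises the `lowercase` and `urldecode` transforms declared by the rule in PATCH 1/4. A second request with differently cased values, also expecting `403`, would catch a later edit that drops or reorders those transforms. There is also no negative case. If the test harness allows one, a request to `/pages/exec.php` with a different `exec_module` that must not return `403` would guard against the rule being widened into a block on the whole endpoint.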
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Wed, 7 May 2025 16:59:11 +0200
Subject: [PATCH 4/4] Add vpatch-CVE-2024-32870 rule to vpatch collection
---
 collections/crowdsecurity/appsec-virtual-patching.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
index be69426f031..dbc13b746d9 100644
--- a/collections/crowdsecurity/appsec-virtual-patching.yaml
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -90,6 +90,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2024-27292
 - crowdsecurity/vpatch-CVE-2025-24893
 - crowdsecurity/vpatch-CVE-2021-43798
+- crowdsecurity/vpatch-CVE-2024-32870
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base