Potential Information Disclosure CVE-2023-43261 Exploitation - Web
Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.
Sigma rule (View on GitHub)
1title: Potential Information Disclosure CVE-2023-43261 Exploitation - Web
2id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7
3related:
4 - id: f48f5368-355c-4a1b-8bf5-11c13d589eaa
5 type: similar
6status: test
7description: |
8 Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.
9references:
10 - https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html
11 - https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
12 - https://github.com/win3zz/CVE-2023-43261
13 - https://vulncheck.com/blog/real-world-cve-2023-43261
14author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
15date: 2023-10-20
16modified: 2023-10-30
17tags:
18 - attack.initial-access
19 - attack.t1190
20 - cve.2023-43621
21 - detection.emerging-threats
22logsource:
23 category: webserver
24 definition: 'Requirements: In order for this detection to trigger, access logs of the router must be collected.'
25detection:
26 selection:
27 cs-method: 'GET'
28 # Note: In theory the path can also be for other files. But since the logs can contains password and interesting information. Its most likely going to be targeted during a real attack
29 cs-uri-stem|contains: '/lang/log/httpd.log' # Als covered .old
30 sc-status: 200
31 condition: selection
32falsepositives:
33 - Unknown
34level: high
References
Related rules
- Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
- Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
- Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
- ADSelfService Exploitation