CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
Detects potential exploitation of CVE-2024-1212, an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to the '/access/set' API with the parameters 'param=enableapi' and 'value=1', as well as an "Authorization" header whose base64-encoded value carries an uncommon character.
Sigma rule
```yaml
title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
id: eafb8bd5-7605-4bfe-a9ec-0442bc151f15
status: test
description: |
    Detects potential exploitation of CVE-2024-1212, an unauthenticated command injection in Progress Kemp LoadMaster.
    It looks for GET requests to the '/access/set' API with the parameters 'param=enableapi' and 'value=1', as well as an "Authorization" header whose base64-encoded value carries an uncommon character.
references:
    - https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
    - https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-20
tags:
    - attack.initial-access
    - cve.2024-1212
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_path:
        cs-method: 'GET'
        cs-uri-stem|contains|all:
            - '/access/set'
            - 'param=enableapi'
            - 'value=1'
    selection_keywords:
        - 'Basic Jz'
        - 'Basic c7'
        - 'Basic nO'
        - "Basic ';"
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
```
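To show how the two selections and the `all of selection_*` condition combine on real events, here is an added Python example that evaluates the rule above over a handful of constructed webserver log lines. It is not part of the Sigma rule or the SigmaHQ project; the log layout (method, URI, status, quoted Authorization value) and every credential string in it are assumptions made up for the demonstration.

```python
import re

# Sigma string matching is case-insensitive by default, so the selections are
# compared in lower case here, as most Sigma backends would compile them.
SELECTION_PATH_METHOD = "GET"
SELECTION_PATH_URI_ALL = ["/access/set", "param=enableapi", "value=1"]
SELECTION_KEYWORDS = ["Basic Jz", "Basic c7", "Basic nO", "Basic ';"]

# Minimal W3C-style line: method, request URI, status code, then the
# Authorization header value in double quotes. This layout is a constructed
# assumption for the example, not LoadMaster's own log format.
LOG_LINE = re.compile(r'^(?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) "(?P<auth>[^"]*)"$')

# Constructed sample events; the credential strings are arbitrary filler.
SAMPLE_LOGS = [
    # 1: ordinary base64 credential on the API-enable endpoint -> no keyword hit
    'GET /access/set?param=enableapi&value=1 200 "Basic YWRtaW46cGFzc3dvcmQx"',
    # 2: same endpoint, Basic token starts with one of the flagged prefixes
    'GET /access/set?param=enableapi&value=1 200 "Basic JzAAAAAAAAAA"',
    # 3: flagged prefix but a different endpoint -> selection_path fails
    'GET /access/get?param=version 200 "Basic JzAAAAAAAAAA"',
    # 4: POST instead of GET -> cs-method fails
    'POST /access/set?param=enableapi&value=1 200 "Basic nOAAAAAAAAAA"',
    # 5: raw quote in the Basic value (the rule's "Basic ';" keyword)
    "GET /access/set?param=enableapi&value=1 401 \"Basic ';AAAAAAAA\"",
]


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the layout."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def selection_path(event):
    """cs-method: 'GET' and cs-uri-stem|contains|all of the three substrings."""
    uri = event["uri"].lower()
    return (event["method"].upper() == SELECTION_PATH_METHOD
            and all(s.lower() in uri for s in SELECTION_PATH_URI_ALL))


def selection_keywords(line):
    """Keyword selection: any flagged 'Basic ...' prefix anywhere in the raw event."""
    lowered = line.lower()
    return any(k.lower() in lowered for k in SELECTION_KEYWORDS)


def matches_rule(line):
    """condition: all of selection_* -> both selections must hold on the same event."""
    event = parse_line(line)
    if event is None:
        return False
    return selection_path(event) and selection_keywords(line)


def scan(lines):
    """Return the 1-based positions of the lines that fire the rule."""
    return [i for i, line in enumerate(lines, 1) if matches_rule(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE_LOGS):
        print(f"ALERT line {i}: {SAMPLE_LOGS[i - 1]}")
```

Two things to confirm before relying on the rule in a real pipeline: the rule matches the query parameters inside `cs-uri-stem`, but in IIS/W3C logs the query string lives in `cs-uri-query`, so check how your log source maps the request URI; and because Sigma comparisons are case-insensitive while base64 is case-sensitive, a compiled backend will also fire on variants such as `Basic jZ`, which slightly widens the match compared to the exact prefixes listed.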
Related rules
- CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)