CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection

calendar Mar 26, 2024 · attack.initial_access cve.2024.1212  ·
Share on: linkedin copy

Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.

Sigma rule (View on GitHub)

 1title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
 2id: eafb8bd5-7605-4bfe-a9ec-0442bc151f15
 3status: experimental
 4description: |
 5    Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.
 6    It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.    
 7references:
 8    - https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
 9    - https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2024/03/20
12tags:
13    - attack.initial_access
14    - cve.2024.1212
15logsource:
16    category: webserver
17detection:
18    selection_path:
19        cs-method: 'GET'
20        cs-uri-stem|contains|all:
21            - '/access/set'
22            - 'param=enableapi'
23            - 'value=1'
24    selection_keywords:
25        - 'Basic Jz'
26        - 'Basic c7'
27        - 'Basic nO'
28        - "Basic ';"
29    condition: all of selection_*
30falsepositives:
31    - Unlikely
32level: high

References

Related rules

to-top