CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection

Rule Info

Name
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
Reference
https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
Date
2024-03-20 00:00:00
Modified
None
Id
eafb8bd5-7605-4bfe-a9ec-0442bc151f15
Tags
attack.initial_access cve.2024.1212 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=eafb8bd5-7605-4bfe-a9ec-0442bc151f15

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4774 from @nasbench - Fix and update multiple rules
2024-03-26
f0395b815
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022