ET WEB_SPECIFIC_APPS SonicWall NetExtender for Windows EPC Client Update RCE Attempt (CVE-2024-29014)
Source: et/open
Created: November 26, 2024
Updated: November 26, 2024
Classification: trojan-activity
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall NetExtender for Windows EPC Client Update RCE Attempt (CVE-2024-29014)"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"sonicwallconnectagent|3a 2f 2f|"; fast_pattern; base64_decode:bytes 152, offset 0, relative; base64_data; content:"|22|action|22 3a |10|2c 22|helperversion|22 3a 22|"; content:"|22|host|22 3a|"; distance:0; content:"|22|port|22 3a 22|443|22 2c 22|username|22 3a 22|"; distance:0; content:"|22|extendid|22 3a|"; distance:0; reference:url,blog.amberwolf.com/blog/2024/november/sonicwall-netextender-for-windows---rce-as-system-via-epc-client-update-cve-2024-29014/; reference:url,github.com/AmberWolfCyber/NachoVPN/tree/0220f7fcc0709a89177419f88ade1df6442b7b02; reference:cve,2024-29014; classtype:trojan-activity; sid:2057880; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, affected_product SonicWall, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_11_26, cve CVE_2024_29014, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:dest_ip;)
References
Metadata
affected product: SonicWall
attack target: Client_Endpoint
tls state: TLSDecrypt
created at: 2024_11_26
deployment: SSLDecrypt
performance impact: Low
confidence: High
signature severity: Major
updated at: 2024_11_26
mitre tactic id: TA0001
mitre tactic name: Initial_Access
mitre technique id: T1189
mitre technique name: Drive_by_Compromise