Skip to content

Add vpatch-CVE-2021-25281 rule and test #1630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
buixor merged 6 commits into from
Jan 13, 2026
Merged

Add vpatch-CVE-2021-25281 rule and test #1630

buixor merged 6 commits into from
Jan 13, 2026

Conversation

@crowdsec-automation
Copy link
Contributor

@crowdsec-automation crowdsec-automation commented Jan 7, 2026

This rule detects exploitation attempts for CVE-2021-25281, an authentication bypass in SaltStack Salt's API. The vulnerability is triggered when an unauthenticated attacker sends a POST request to the /run endpoint with a JSON body where the client parameter is set to wheel_async. This allows attackers to execute arbitrary wheel modules without proper authentication.

  • The first rule condition matches requests to the /run endpoint, using a case-insensitive comparison (lowercase transform and equals match).
  • The second rule condition inspects the JSON body for the client parameter (using the json.client variable in the BODY_ARGS zone) and checks if its value is exactly wheel_async, again with a lowercase transform for normalization.
  • This approach ensures that only requests specifically targeting the vulnerable functionality are detected, minimizing false positives.
  • The labels section includes the correct CVE, ATT&CK, and CWE references, and the product/vuln class label is formatted as required.

Validation checklist:

  • All value: fields are lowercase.
  • All relevant transforms include lowercase.
  • No match.value contains capital letters.
  • The rule uses equals for exact matches and contains where appropriate (not needed here).
  • No use of both and and or in the same rule.

@github-actions
Copy link

github-actions bot commented Jan 7, 2026

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2021-25281 🔴

@github-actions
Copy link

github-actions bot commented Jan 7, 2026

Hello @crowdsec-automation and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

  • labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

  • labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

  • labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

  • labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

  • labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

  • labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

@github-actions
Copy link

github-actions bot commented Jan 13, 2026

Hello @buixor and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2023-0600 🔴
🔴 crowdsecurity/vpatch-CVE-2023-2009 🔴
🔴 crowdsecurity/vpatch-CVE-2023-0900 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6623 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23489 🔴
🔴 crowdsecurity/vpatch-CVE-2023-4634 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23488 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1071 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6567 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6360 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1061 🔴

@github-actions
Copy link

github-actions bot commented Jan 13, 2026

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

  • labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

  • labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

  • labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

  • labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

  • labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

  • labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

@buixor buixor merged commit 0c0a425 into master Jan 13, 2026
12 checks passed
@buixor buixor deleted the 1767798477-vpatch-CVE-2021-25281 branch January 13, 2026 09:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@buixor buixor

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@crowdsec-automation @buixor