Potential Information Disclosure CVE-2023-43261 Exploitation - Web
Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
HTTP access logs from web servers capturing request paths, methods, and status codes.
Definition
Requirements: In order for this detection to trigger, access logs of the router must be collected.
detection:
    selection:
        cs-method: 'GET'
        # Note: in theory the path can also be for other files, but since this log can contain passwords and other interesting information it is the most likely target during a real attack
        cs-uri-stem|contains: '/lang/log/httpd.log' # Also covers the .old rotated copy
        sc-status: 200
    condition: selection

False positive likelihood has not been assessed. Additional context may be needed during triage.
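To show what the selection above actually matches, here is an added example (not part of the original rule, the Phoenix Studio converter, or the Milesight firmware) that applies the same three conditions to access log lines. It assumes the router's web log is collected in W3C extended log format, whose field names (cs-method, cs-uri-stem, sc-status) are the ones the rule uses; the log lines themselves are constructed for illustration, and the hosts and timestamps in them are made up.

```python
"""Apply the Sigma selection for CVE-2023-43261 to W3C extended access log lines.

Added example, not code from the original rule page. Field names follow the
W3C extended log format used by the rule; the sample log below is constructed.
"""
from typing import Dict, Iterable, List

# Constructed sample access log. Only the request path is taken from the
# rule; client addresses and timestamps are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-10-01 10:00:01 192.0.2.10 GET /index.html - 200
2023-10-01 10:00:05 198.51.100.7 GET /lang/log/httpd.log - 200
2023-10-01 10:00:06 198.51.100.7 GET /lang/log/httpd.log.old - 200
2023-10-01 10:00:09 198.51.100.7 GET /lang/log/httpd.log - 404
2023-10-01 10:00:12 203.0.113.5 POST /lang/log/httpd.log - 200
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Version or #Date
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the fields
        records.append(dict(zip(fields, values)))
    return records


def matches_rule(record: Dict[str, str]) -> bool:
    """Mirror the Sigma selection: GET, path contains the httpd.log stem, HTTP 200.

    Sigma string matching is case-insensitive by default, so both the method
    and the path are compared case-insensitively; sc-status is compared as a
    number so that "200" and 200 are treated alike.
    """
    method_ok = record.get("cs-method", "").upper() == "GET"
    # |contains also catches the rotated copy, e.g. /lang/log/httpd.log.old
    stem_ok = "/lang/log/httpd.log" in record.get("cs-uri-stem", "").lower()
    try:
        status_ok = int(record.get("sc-status", "")) == 200
    except ValueError:
        status_ok = False  # non-numeric status field: treat as no match
    return method_ok and stem_ok and status_ok


def find_hits(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records that the rule would flag."""
    return [r for r in parse_w3c(log_text.splitlines()) if matches_rule(r)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} {hit['cs-uri-stem']}")
```

Running the script flags only the two successful GET requests for httpd.log and its .old copy: the 404 response and the POST request fall outside the selection, which is why a 200 status is part of the rule (a failed read discloses nothing). During triage, the client address and the timing of the flagged requests are the natural pivots for correlation with other router activity.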
Tactics
Other