CVE-2024-2330
Published 2024-03-09
Priority: P1 · 85 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 17.62% (96.8th percentile)
A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been classified as critical. This affects an unknown part of the file /protocol/index.php. The manipulation of the argument IPAddr leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256281 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netentsec | application_security_gateway | — | — |
| netentsec | ns-asg_application_security_gateway | — | — |
Detection & IOCs (extracted from sources)
command: jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}
yara: contains_all(body,"XPATH syntax error:","alert") && contains(header,"text/html")
- Detect exploitation attempts by monitoring POST requests to /protocol/index.php containing the 'addmacbind' protocolType and SQL injection payloads in the IPAddr field (e.g., updatexml, concat(0x7e,...)).
- A successful exploitation response will contain the string 'XPATH syntax error:' in the response body along with an 'alert' string and Content-Type: text/html header.
- Extract the leaked database version from the error-based SQLi response using the regex pattern: XPATH syntax error: '([~0-9.]+)'
- The SQL injection is triggered via the IPAddr parameter within a JSON payload sent as application/x-www-form-urlencoded to /protocol/index.php; monitor for single-quote characters and SQL keywords in this field.
- The vulnerability requires authentication (PR:L in CVSS); ensure detection rules account for authenticated sessions, as unauthenticated probes to /protocol/index.php may not reach the vulnerable code path.
- The EPSS score is extremely high (0.92746, 99.755th percentile), indicating this CVE is very likely being actively exploited in the wild; prioritize detection and patching accordingly.
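The detection points above can be combined into one log-side check. The following is an added example, not code from this page or its sources: the function names, the keyword list, and the sample request and response bodies are constructed for illustration. It decodes the form-encoded `jsoncontent` field, unwraps the nested JSON in `messagecontent`, and inspects `IPAddr`, then applies the response regex quoted above.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# Assumed keyword list; the page only names single quotes, updatexml and concat.
SQLI_HINT = re.compile(r"'|\b(updatexml|extractvalue|concat|select|union|sleep)\b", re.I)
LEAK = re.compile(r"XPATH syntax error: '([~0-9.]+)'")  # regex quoted on the page

def suspicious_ipaddr(path, body):
    """Return IPAddr values in an addmacbind POST that look like SQL injection."""
    if not path.startswith("/protocol/index.php"):
        return []
    hits = []
    for raw in parse_qs(body).get("jsoncontent", []):
        try:
            outer = json.loads(raw)
        except ValueError:
            continue  # not JSON: nothing to inspect
        if not isinstance(outer, dict) or outer.get("protocolType") != "addmacbind":
            continue
        msgs = outer.get("messagecontent")
        for item in msgs if isinstance(msgs, list) else []:
            try:
                # each element is itself a JSON document encoded as a string
                inner = json.loads(item) if isinstance(item, str) else item
            except ValueError:
                continue
            value = str(inner.get("IPAddr", "")) if isinstance(inner, dict) else ""
            if SQLI_HINT.search(value):
                hits.append(value)
    return hits

def leaked_value(content_type, body):
    """Return the string leaked by an error-based response, or None."""
    if "text/html" not in content_type.lower() or "alert" not in body:
        return None
    m = LEAK.search(body)
    return m.group(1) if m else None

def make_body(ipaddr):
    """Build a constructed sample request body (hypothetical helper)."""
    inner = json.dumps({"BandIPMacId": "1", "IPAddr": ipaddr, "MacAddr": ""})
    outer = {"protocolType": "addmacbind", "messagecontent": [inner]}
    return urlencode({"jsoncontent": json.dumps(outer)})

# Constructed samples: one benign bind, one carrying the payload shape listed above.
BENIGN = make_body("192.168.1.10")
MALICIOUS = make_body("eth0'and(updatexml(1,concat(0x7e,(select version())),1))='")
RESPONSE = "<script>alert(\"XPATH syntax error: '~5.7.26'\")</script>"  # constructed
```

Alerting on the request and response together separates probes that were rejected from ones that actually returned database content.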
CVSS provenance
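| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | | 6.3 | MEDIUM | |
| vendor_redhat | | 7.8 | HIGH | |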
GHSA
GHSA-4wf2-8qpc-j8cv: A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6
ghsa_unreviewed·2024-03-09
CVE-2024-2330 [MEDIUM] CWE-89 GHSA-4wf2-8qpc-j8cv: A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6
VulnCheck
Netentsec NS-ASG Application Security Gateway /protocol/index.php SQL Injection Vulnerability
vulncheck·2024·CVSS 6.3
CVE-2024-2330 [MEDIUM] Netentsec NS-ASG Application Security Gateway /protocol/index.php SQL Injection Vulnerability
Affected: Netentsec NS-ASG Application Security Gateway
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are
Red Hat
kernel: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
vendor_redhat·2024-09-18·CVSS 7.8
CVE-2024-46798 [HIGH] CWE-416 kernel: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
In the Linux kernel, the following vulnerability has been resolved:
ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
When using kernel with the following extra config,
- CONFIG_KASAN=y
- CONFIG_KASAN_GENERIC=y
- CONFIG_KASAN_INLINE=y
- CONFIG_KASAN_VMALLOC=y
- CONFIG_FRAME_WARN=4096
kernel detects that snd_pcm_suspend_all() accesses a freed
'snd_soc_pcm_runtime' object when the system is suspended, which
leads to a use-after-free bug:
[ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270
[ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330
[ 52.047785] Call trace:
[ 52.047787] dump_backtrace+0x0/0x3c0
[ 52.047794] show_stack+0x34/0x50
[ 52.047797] dump_stack_lvl+0x68/0x8c
[ 52.047802
No detection rules found.
Nuclei
NS-ASG Application Security Gateway 6.3 - Sql Injection
nuclei·CVSS 9.8
CVE-2024-2330 [CRITICAL] NS-ASG Application Security Gateway 6.3 - Sql Injection
A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been classified as critical. This affects an unknown part of the file /protocol/index.php. The manipulation of the argument IPAddr leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Template:
id: CVE-2024-2330
info:
  name: NS-ASG Application Security Gateway 6.3 - Sql Injection
  author: s4e-io
  severity: medium
  description: |
    A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been classified as critical. This affects an unknown part of the file /protocol/index.php. The manipulation of the argument IPAddr leads to sql injection. It