Zeek script to detect exploitation attempts of CVE-2022-21449 targeting TLS clients. Only works for TLS 1.2 and below (in TLS 1.3 the handshake signature is encrypted, so Zeek cannot inspect it).
zkg install https://github.com/thack1/CVE-2022-21449
Run against the supplied pcap file:
$ zeek -Cr pcaps/CVE-2022-21449.pcap CVE-2022-21449
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-04-24-13-05-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1650798355.280690 CrR9204TYgm1nkpJG1 192.168.125.154 59592 192.168.125.167 443 - - - tcp CVE_2022_21449::Null_Signature Null server signature; potential CVE-2022-21449 exploit attempt - 192.168.125.154 192.168.125.167 443 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2022-04-24-13-14-45
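The notice above fires on a server signature whose ECDSA components are zero. The check below is an added example, not code from the thack1/CVE-2022-21449 package: it parses a DER-encoded ECDSA signature (the encoding used in a TLS 1.2 ServerKeyExchange) and flags the r = 0 / s = 0 case that CVE-2022-21449 accepts. The sample signatures are constructed, not captured from the pcap.

```python
# Standalone check for the "null signature" condition behind CVE-2022-21449.
# Added example, independent of the Zeek package. ECDSA requires 1 <= r, s <= n-1;
# the exploit sends r = s = 0, which vulnerable Java versions accept as valid.

def _read_der_int(buf: bytes, pos: int):
    """Parse one DER INTEGER at buf[pos:]; return (value, position after it)."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER")
    length = buf[pos + 1]
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    else:
        pos += 2
    value = int.from_bytes(buf[pos:pos + length], "big", signed=True)
    return value, pos + length

def parse_ecdsa_signature(sig: bytes):
    """Return (r, s) from DER SEQUENCE { INTEGER r, INTEGER s }."""
    if not sig or sig[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    seq_len, pos = sig[1], 2
    if seq_len & 0x80:
        nbytes = seq_len & 0x7F
        seq_len = int.from_bytes(sig[2:2 + nbytes], "big")
        pos = 2 + nbytes
    end = pos + seq_len
    r, pos = _read_der_int(sig, pos)
    s, pos = _read_der_int(sig, pos)
    if pos != end:
        raise ValueError("trailing bytes in signature")
    return r, s

def is_null_signature(sig: bytes) -> bool:
    """True if either component is zero: invalid per ECDSA, accepted by CVE-2022-21449."""
    try:
        r, s = parse_ecdsa_signature(sig)
    except ValueError:
        return False                        # malformed DER is a separate problem
    return r == 0 or s == 0

# Constructed sample: SEQUENCE { INTEGER 0, INTEGER 0 }, the "psychic" signature.
NULL_SIG = bytes.fromhex("3006020100020100")
# Constructed sample with arbitrary non-zero components (not a real signature).
SAMPLE_SIG = bytes.fromhex("30080202012302027abc")

if __name__ == "__main__":
    for name, sig in (("NULL_SIG", NULL_SIG), ("SAMPLE_SIG", SAMPLE_SIG)):
        print(name, parse_ecdsa_signature(sig), "null:", is_null_signature(sig))
```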