[New] React2Shell Network Security Alert (#5445)
* [New] React2Shell Network Security Alert KQL query that reports network security signatures for React2Shell from 4 integrations (Suricata, Fortigate, Cisco FTD and PANW). * Update initial_access_react_server_rce_network_alerts.toml * cisco_ftd schema build-schemas -i cisco_ftd * Update initial_access_react_server_rce_network_alerts.toml * Update pyproject.toml * Update rules/network/initial_access_react_server_rce_network_alerts.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update pyproject.toml * Revert "cisco_ftd schema" This reverts commit c97cf58b2180b3c13c29e3901b2a03bfd12463a2. * cisco_ftd schema and manifest * Update pyproject.toml * Revert "cisco_ftd schema and manifest" This reverts commit ff2200f70f0e0cf94864c49fe8e8a13fda930bc9. * Revert "Update pyproject.toml" This reverts commit d382fcdaaa992cac2d4370f5656f81c530b6ec5a. * Reapply "cisco_ftd schema" This reverts commit 1494d4aa3e4f07cebd448fcc2597b4c836a989db. * Revert "Update pyproject.toml" This reverts commit 39e1f5e9e34cc0500bd82bc4662ece259a5234ba. * Revert "cisco_ftd schema" This reverts commit c97cf58b2180b3c13c29e3901b2a03bfd12463a2. * ++ * Update pyproject.toml * integration_cisco_ftd --------- Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
This commit is contained in:
Samirbous
Binary file not shown.
Binary file not shown.
+1
-1
@@ -1,6 +1,6 @@
|
||||
[project]
|
||||
name = "detection_rules"
|
||||
version = "1.5.24"
|
||||
version = "1.5.25"
|
||||
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
|
||||
readme = "README.md"
|
||||
requires-python = ">=3.12"
|
||||
|
||||
@@ -0,0 +1,112 @@
|
||||
[metadata]
|
||||
creation_date = "2025/12/10"
|
||||
integration = ["panw", "cisco_ftd", "fortinet_fortigate", "suricata"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/12/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
This rule identifies network security alerts related to CVE-2025-55182 exploitation attempts from different network security
|
||||
integrations. CVE-2025-55182 is a critical remote code execution vulnerability in React Server Components (RSC) Flight protocol.
|
||||
The vulnerability allows attackers to execute arbitrary code on the server by sending specially crafted deserialization payloads
|
||||
that exploit prototype chain traversal to access the Function constructor.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-panw.panos*", "logs-cisco_ftd.*", "logs-fortinet_fortigate.*", "logs-suricata.*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "React2Shell Network Security Alert"
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating React2Shell Network Security Alert
|
||||
|
||||
This rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React's Flight protocol used by Next.js and other RSC implementations. The vulnerability stems from insecure prototype chain traversal in the Flight deserializer, allowing attackers to access `__proto__`, `constructor`, and ultimately the `Function` constructor to execute arbitrary code.
|
||||
|
||||
### Possible investigation steps
|
||||
|
||||
- Examine the full HTTP request body to identify the specific attack payload and command being executed.
|
||||
- Check the response body for `E{"digest":"..."}` patterns which contain command output from successful exploitation.
|
||||
- Identify the target application and verify if it runs vulnerable React (< 19.1.0) or Next.js (< 15.3.2) versions.
|
||||
- Review the source IP for other reconnaissance or exploitation attempts against web applications.
|
||||
- Check for the `Next-Action` header which is required for the exploit to work.
|
||||
- Correlate with process execution logs to identify if child processes (e.g., shell commands) were spawned by the Node.js process.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
- Legitimate React Server Components traffic will NOT contain `__proto__`, `constructor:constructor`, or code execution patterns.
|
||||
- Security scanning tools like react2shell-scanner may trigger this rule during authorized penetration testing.
|
||||
- The combination of prototype pollution patterns with RSC-specific syntax is highly indicative of malicious activity.
|
||||
|
||||
### Response and remediation
|
||||
|
||||
- Immediately update affected applications: React >= 19.1.0, Next.js >= 15.3.2.
|
||||
- Block the source IP at the WAF/reverse proxy if exploitation is confirmed.
|
||||
- If HTTP 500 or 303 responses with `digest` output were observed, assume successful code execution and investigate for compromise.
|
||||
- Review server logs for evidence of command execution (file creation, network connections, process spawning).
|
||||
- Implement WAF rules to block requests containing `__proto__` or `constructor:constructor` in POST bodies.
|
||||
"""
|
||||
references = [
|
||||
"https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182",
|
||||
"https://github.com/assetnote/react2shell-scanner",
|
||||
"https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/",
|
||||
"https://github.com/msanft/CVE-2025-55182",
|
||||
]
|
||||
risk_score = 73
|
||||
rule_id = "1aefed68-eecd-47cc-9044-4a394b60061d"
|
||||
severity = "high"
|
||||
tags = [
|
||||
"Domain: Network",
|
||||
"Domain: Application",
|
||||
"Domain: Web",
|
||||
"Use Case: Threat Detection",
|
||||
"Use Case: Vulnerability",
|
||||
"Tactic: Initial Access",
|
||||
"Tactic: Execution",
|
||||
"Data Source: PAN-OS",
|
||||
"Data Source: Fortinet",
|
||||
"Data Source: Suricata",
|
||||
"Data Source: Cisco FTD",
|
||||
"Resources: Investigation Guide",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
(event.dataset:"cisco_ftd.log" and message:"SERVER-WEBAPP React Server Components remote code execution attempt") or
|
||||
(event.dataset:"fortinet_fortigate.log" and message:"applications3: React.Server.Components.react-flight.Remote.Code.Execution") or
|
||||
(event.dataset:"panw.panos" and event.action:"exploit_detected" and event.original :*React*Server*) or
|
||||
(event.dataset:("suricata_corelight" or "suricata.eve") and rule.name:*CVE-2025-55182*)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1190"
|
||||
name = "Exploit Public-Facing Application"
|
||||
reference = "https://attack.mitre.org/techniques/T1190/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0001"
|
||||
name = "Initial Access"
|
||||
reference = "https://attack.mitre.org/tactics/TA0001/"
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1059"
|
||||
name = "Command and Scripting Interpreter"
|
||||
reference = "https://attack.mitre.org/techniques/T1059/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1059.007"
|
||||
name = "JavaScript"
|
||||
reference = "https://attack.mitre.org/techniques/T1059/007/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
|
||||
Reference in New Issue
Block a user