When using the rule-based Intrusion Detection method, the Intrusion Detection System, which is susceptible to the CVE-2024-23836 vulnerability, operates on the nodes with the application components installed. Following the recommendations of the Intrusion Detection System vendor, to quickly fix the specified vulnerability in Kaspersky Industrial CyberSecurity for Networks, disable the SMTP and HTTP protocol processing modules for the intrusion detection rules. The module disabling procedure must be performed on all nodes with the application components installed (Server and sensors).
To disable the SMTP and HTTP protocol processing modules on a node:
Open the Filter.json file in a text editor:
sudo mcedit /var/opt/kaspersky/kics4net/config/Filter.json
Add a , (comma) at the end of the line with the last section parameter and below it add the following lines:
"--set",
"app-layer.protocols.smtp.enabled=no",
"--set",
"app-layer.protocols.http.enabled=no"
Example contents of this section:
Restart the kics4net service:
sudo systemctl restart kics4net.service
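A check to run on each node after the edit, as an added example (not the vendor's tooling): it confirms that Filter.json still parses, since a missing comma breaks the file, and that both overrides directly follow a "--set" item. It assumes the file is strict JSON with the parameters stored as an array of strings, and it searches every array so that it does not depend on the section's name.

```python
import json
import sys

# Path and option strings are taken from the procedure above.
CONFIG_PATH = "/var/opt/kaspersky/kics4net/config/Filter.json"
REQUIRED = (
    "app-layer.protocols.smtp.enabled=no",
    "app-layer.protocols.http.enabled=no",
)


def set_overrides(node):
    """Collect every string that directly follows a "--set" item in any array."""
    found = set()
    if isinstance(node, dict):
        for value in node.values():
            found |= set_overrides(value)
    elif isinstance(node, list):
        for prev, cur in zip(node, node[1:]):
            if prev == "--set" and isinstance(cur, str):
                found.add(cur)
        for item in node:
            found |= set_overrides(item)
    return found


def check_config(text):
    """Return a list of problems; an empty list means the edit is in place."""
    try:
        doc = json.loads(text)  # assumption: the file is strict JSON
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    present = set_overrides(doc)
    return [f"missing override: {opt}" for opt in REQUIRED if opt not in present]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else CONFIG_PATH
    try:
        with open(path, encoding="utf-8") as fh:
            problems = check_config(fh.read())
    except OSError as exc:
        problems = [f"cannot read {path}: {exc}"]
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

The script exits with status 0 only when the file parses and both overrides are present, so it can be run on the Server and on each sensor before the service restart.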