agent-threat-rules 2.1.3 → 2.1.5

package/rules/privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml

@@ -0,0 +1,204 @@
+title: "LiteLLM Proxy Admin Endpoint SQL Injection — CISA KEV (CVE-2026-42208)"
+id: ATR-2026-00451
+rule_version: 1
+status: experimental
+description: >
+  Detects exploitation of CVE-2026-42208 (Critical, CVSS 9.3), an
+  unauthenticated SQL injection in LiteLLM proxy admin endpoints
+  (/team, /key, /user, /spend, /budget). Added to CISA's Known
+  Exploited Vulnerabilities catalog on 2026-05-08 with federal
+  remediation due 2026-05-11; active exploitation observed against
+  financial services and healthcare deployments. The vulnerable
+  endpoint concatenates path / query / body parameters directly into
+  Postgres queries, allowing classic SQLi shapes (tautology
+  authentication bypass `' OR 1=1 --`, UNION-based exfiltration of
+  api_keys / users / model_bindings tables, time-based blind via
+  `pg_sleep()`, DROP / TRUNCATE primitives for destructive impact).
+  This rule detects exploit payloads landing on the admin endpoint
+  surface — focused on the LiteLLM-specific path prefixes so generic
+  SQLi false positives elsewhere do not light up. CWE-89.
+  Patches in LiteLLM >= 1.48.3; this rule detects exploit attempts
+  against unpatched deployments and provides defence-in-depth
+  post-patch by catching the SQLi payload shape regardless of upstream
+  patch state.
+author: "ATR Community"
+date: "2026/05/12"
+schema_version: "0.1"
+detection_tier: pattern
+maturity: test
+severity: critical
+
+references:
+  owasp_llm:
+    - "LLM05:2025 - Improper Output Handling"
+    - "LLM10:2025 - Unbounded Consumption"
+  owasp_agentic:
+    - "ASI03:2026 - Identity and Privilege Abuse"
+    - "ASI07:2026 - Insecure Agent Infrastructure"
+  mitre_atlas:
+    - "AML.T0049 - Exploit Public-Facing Application"
+    - "AML.T0024 - Exfiltration via ML Inference API"
+  mitre_attack:
+    - "T1190 - Exploit Public-Facing Application"
+    - "T1059 - Command and Scripting Interpreter"
+  cve:
+    - "CVE-2026-42208"
+
+metadata_provenance:
+  mitre_atlas: human-reviewed
+  mitre_attack: human-reviewed
+  owasp_llm: human-reviewed
+  owasp_agentic: human-reviewed
+  cve: human-reviewed
+
+compliance:
+  eu_ai_act:
+    - article: "15"
+      context: "CVE-2026-42208 allows unauthenticated SQL execution against the LiteLLM proxy backend Postgres, exfiltrating provider API keys, model bindings, and user accounts; Article 15 cybersecurity requirements mandate parameterised queries in any AI control-plane component."
+      strength: primary
+    - article: "9"
+      context: "Article 9 risk management must enumerate proxy admin-endpoint SQLi as a high-risk class — a single bypass exposes every downstream LLM provider key the proxy holds. CISA KEV listing confirms active in-the-wild exploitation."
+      strength: primary
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "SQLi payloads targeting AI proxy admin endpoints must be tracked as a primary attack class against AI control-plane infrastructure; CISA KEV inclusion makes this a federally-prioritised remediation."
+      strength: primary
+    - subcategory: "MG.4.1"
+      context: "Active exploitation against LiteLLM proxy admin endpoints requires immediate incident response; this rule generates the alert needed to initiate the MG.4.1 AI incident response process."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Risk treatment plans under MG.2.3 must require parameterised queries on every admin endpoint of any AI proxy / gateway component."
+      strength: primary
+  iso_42001:
+    - clause: "8.6"
+      context: "Operational controls under clause 8.6 must prohibit string concatenation of HTTP parameters into SQL queries in any AI control-plane component; parameterised query builders are mandatory."
+      strength: primary
+
+tags:
+  category: privilege-escalation
+  subcategory: admin-endpoint-sqli-cve-kev
+  scan_target: both
+  confidence: high
+
+agent_source:
+  type: tool_call
+  framework:
+    - litellm
+    - any
+  provider:
+    - any
+
+detection:
+  condition: any
+  false_positives:
+    - "Legitimate documentation or changelog text discussing CVE-2026-42208 patch notes."
+    - "Static analysis tooling output documenting SQLi patterns for defensive purposes."
+    - "CISA KEV catalog entries discussing CVE-2026-42208 for awareness."
+    - "Patched LiteLLM proxy deployments that use parameterised query builders."
+  conditions:
+    - field: content
+      operator: regex
+      value: '(?i)/(?:team|key|user|spend|budget|customer|model|organization)/[^?\n]{0,80}[\x27"]\s*(?:or|and)\s+(?:1\s*=+\s*1|true\b|\d+\s*=+\s*\d+)\s*(?:--(?=\s|$|["\x27\)])|/\*)'
+      description: "LiteLLM admin endpoint path with classic tautology SQLi (1=1 / true / N=N) + SQL-comment terminator (-- at EOL or /*) — CISA KEV CVE-2026-42208 canonical exploit shape; excludes markdown `#` heading"
+
+    - field: content
+      operator: regex
+      value: '(?i)/(?:team|key|user|spend|budget|customer|model|organization)/[^?\n]{0,80}[\x27"]?\s*;\s*(?:drop|truncate|delete)\s+(?:table|from)\s+\w'
+      description: "LiteLLM admin endpoint path with stacked destructive statement (DROP/TRUNCATE/DELETE TABLE)"
+
+    - field: content
+      operator: regex
+      value: '(?i)/(?:team|key|user|spend|budget|customer|model|organization)/[^?\n]{0,120}\bunion\s+(?:all\s+)?select\s+'
+      description: "LiteLLM admin endpoint with UNION SELECT exfiltration probe"
+
+    - field: content
+      operator: regex
+      value: '(?i)/(?:team|key|user|spend|budget|customer|model|organization)/[^?\n]{0,120}\bpg_sleep\s*\(\s*\d+\s*\)'
+      description: "LiteLLM admin endpoint with Postgres time-based blind primitive `pg_sleep(N)`"
+
+    - field: content
+      operator: regex
+      value: '(?i)\b(?:team_id|key_id|user_id|customer_id|model_id)\b["\x27]?\s*[:=]\s*["\x27]?[^"\x27\n]{0,40}[\x27"]\s*(?:or|and)\s+(?:1\s*=+\s*1|true\b|\d+\s*=+\s*\d+)\s*(?:--(?=\s|$|["\x27\)])|/\*)'
+      description: "LiteLLM admin endpoint parameter (team_id/key_id/user_id/customer_id/model_id) carrying a tautology + SQL-comment terminator (handles JSON key form team_id\":\")"
+
+    - field: content
+      operator: regex
+      value: '(?i)\b(?:team_id|key_id|user_id|customer_id|model_id)\b[^\n]{0,80}\bunion\s+(?:all\s+)?select\b'
+      description: "Admin-endpoint parameter carrying UNION SELECT — exfil chain (handles JSON key form)"
+
+    - field: content
+      operator: regex
+      value: '(?i)(?:litellm|proxy)\b[^.\n]{0,80}/(?:team|key|user|spend|budget)/[^?\n]{0,120}\b(?:information_schema\.tables|pg_catalog\.\w+|pg_user|pg_shadow|version\s*\(\s*\))\b'
+      description: "LiteLLM proxy admin path probing Postgres metadata views (information_schema.tables, pg_user, version()) — recon stage of CVE-2026-42208 exploitation; requires concrete metadata identifiers, not bare `current_user`"
+
+    - field: content
+      operator: regex
+      value: '(?i)/(?:team|key|user|spend|budget|customer|model|organization)/[^?\n]{0,120}\b(?:extractvalue|updatexml|load_extension)\s*\('
+      description: "LiteLLM admin endpoint with error-based / out-of-band SQLi primitives (extractvalue, updatexml, load_extension)"
+
+response:
+  actions:
+    - block_input
+    - alert
+    - escalate
+    - snapshot
+  notify:
+    - security_team
+
+remediation: >
+  Upgrade LiteLLM proxy to >= 1.48.3 immediately — CISA KEV listing
+  with federal remediation due 2026-05-11 means active exploitation
+  is occurring in the wild. Rotate every provider API key and user
+  credential that the proxy database has held since deployment.
+  Audit Postgres logs for queries against api_keys, users,
+  model_bindings, and budget tables originating from the proxy
+  service account. Replace string-concatenated SQL in admin handlers
+  with parameterised queries / a query builder. Restrict admin
+  endpoint exposure to a private network or VPN until upgrade is
+  verified.
+
+test_cases:
+  true_positives:
+    - input: "GET /team/1' OR 1=1 -- HTTP/1.1"
+      expected: triggered
+      description: "Canonical tautology SQLi against /team admin endpoint — CISA KEV CVE-2026-42208 shape"
+    - input: 'GET /key/foo''; DROP TABLE api_keys -- '
+      expected: triggered
+      description: "Stacked DROP TABLE against /key admin endpoint"
+    - input: "GET /user/1 UNION ALL SELECT api_key, user_id FROM api_keys --"
+      expected: triggered
+      description: "UNION-based exfil of api_keys via /user admin endpoint"
+    - input: "GET /spend/bob' AND pg_sleep(5)-- HTTP/1.1"
+      expected: triggered
+      description: "Time-based blind SQLi via pg_sleep on /spend admin endpoint"
+    - input: '{"team_id":"abc'' or 1=1 --"}'
+      expected: triggered
+      description: "team_id parameter carrying tautology + comment terminator"
+    - input: '{"key_id":"x'' UNION ALL SELECT api_key FROM api_keys --"}'
+      expected: triggered
+      description: "key_id parameter with UNION exfil"
+    - input: "litellm proxy /budget/1 information_schema.tables current_user"
+      expected: triggered
+      description: "Recon stage probing Postgres metadata via /budget admin endpoint"
+    - input: "GET /team/1' AND extractvalue(1,concat(0x7e,(SELECT version())))-- HTTP/1.1"
+      expected: triggered
+      description: "Error-based SQLi using extractvalue against /team admin endpoint"
+  true_negatives:
+    - input: "LiteLLM 1.48.3 release notes: parameterised query builder replaces concat in admin endpoints. Mitigates CVE-2026-42208 (CISA KEV)."
+      expected: not_triggered
+      description: "Patch changelog mentioning the CVE should not trigger"
+    - input: "CISA added CVE-2026-42208 to the KEV catalog on 2026-05-08 with federal remediation due 2026-05-11."
+      expected: not_triggered
+      description: "Defensive awareness post about the KEV listing"
+    - input: "GET /team/abc123 HTTP/1.1"
+      expected: not_triggered
+      description: "Benign admin-endpoint GET without SQLi payload"
+    - input: 'curl -X POST /key -d ''{"alias":"prod","spend_limit":100}'''
+      expected: not_triggered
+      description: "Standard /key endpoint POST with normal payload"
+    - input: "The /spend endpoint returns aggregated cost per team for the last 30 days."
+      expected: not_triggered
+      description: "API documentation describing /spend behaviour"
+    - input: 'team_id = "team_abc123"'
+      expected: not_triggered
+      description: "Realistic team_id value with no injection content"

package/rules/tool-poisoning/ATR-2026-00448-spring-ai-milvus-filter-injection.yaml

@@ -0,0 +1,193 @@
+title: "Spring AI MilvusVectorStore Filter Expression Injection (CVE-2026-41705)"
+id: ATR-2026-00448
+rule_version: 1
+status: experimental
+description: >
+  Detects exploitation of CVE-2026-41705 (High), filter-expression injection
+  in Spring AI's MilvusVectorStore. The vulnerable sink concatenates a
+  user/LLM-controlled fragment into a Milvus DSL filter expression passed
+  to MilvusVectorStore.delete() or .similaritySearch() without quoting or
+  parameterisation. Attacker-controlled input breaks out of the intended
+  clause and injects new Milvus DSL operators ( == , in[ , like ), boolean
+  combinators ( or , and ), trailing terminators ( ;  -- ), or escape
+  bypasses ( like '%' ESCAPE '\\' ) to broaden the deletion / retrieval
+  scope, exfiltrate or wipe arbitrary collection entries, or bypass
+  access-control filters baked into the original expression. This rule
+  detects the LLM-output / user-input payload shapes that reach the
+  Milvus filter sink: filter-context fields containing unbalanced quotes,
+  Milvus operators combined with boolean chaining, or known
+  filter-bypass primitives. CWE-89, CWE-1287. Patches in Spring AI
+  >= 1.0.0; this rule detects exploit attempts against unpatched
+  deployments and provides defence-in-depth post-patch by catching the
+  injection payload shape regardless of upstream patch state.
+author: "ATR Community"
+date: "2026/05/12"
+schema_version: "0.1"
+detection_tier: pattern
+maturity: test
+severity: high
+
+references:
+  owasp_llm:
+    - "LLM05:2025 - Improper Output Handling"
+    - "LLM08:2025 - Vector and Embedding Weaknesses"
+  owasp_agentic:
+    - "ASI04:2026 - Memory and Knowledge Base Poisoning"
+    - "ASI05:2026 - Unexpected Code Execution"
+  mitre_atlas:
+    - "AML.T0051 - LLM Prompt Injection"
+    - "AML.T0070 - RAG Poisoning"
+  mitre_attack:
+    - "T1190 - Exploit Public-Facing Application"
+  cve:
+    - "CVE-2026-41705"
+
+metadata_provenance:
+  mitre_atlas: human-reviewed
+  owasp_llm: human-reviewed
+  owasp_agentic: human-reviewed
+  cve: human-reviewed
+
+compliance:
+  eu_ai_act:
+    - article: "15"
+      context: "CVE-2026-41705 allows unfiltered LLM output to drive Milvus DSL filter construction in Spring AI's MilvusVectorStore; Article 15 cybersecurity requirements mandate that high-risk AI systems parameterise downstream queries instead of concatenating model output into query strings."
+      strength: primary
+    - article: "9"
+      context: "Article 9 risk management must enumerate vector-store filter injection as a high-risk class — the RAG retrieval / deletion path is typically treated as low-risk infrastructure but actually reaches a privileged datastore."
+      strength: primary
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Adversarial inputs that inject Milvus DSL fragments into RAG filter expressions must be tracked as a primary input-attack class affecting vector-store integrations."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Risk treatment plans under MG.2.3 must require parameterised filter construction in any code path that consumes LLM output and reaches a vector-store query / delete API."
+      strength: primary
+  iso_42001:
+    - clause: "8.6"
+      context: "Operational controls under clause 8.6 must prohibit LLM-generated or user-supplied content from being string-concatenated into vector-store filter expressions; parameterised filter builders are mandatory."
+      strength: primary
+
+tags:
+  category: tool-poisoning
+  subcategory: vector-store-filter-injection
+  scan_target: both
+  confidence: high
+
+agent_source:
+  type: tool_call
+  framework:
+    - spring-ai
+    - any
+  provider:
+    - any
+
+detection:
+  condition: any
+  false_positives:
+    - "Legitimate documentation or changelog text discussing CVE-2026-41705 patch notes."
+    - "Static analysis tooling output documenting Milvus filter injection patterns for defensive purposes."
+    - "Patched Spring AI MilvusVectorStore deployments that use parameterised filter builders."
+  conditions:
+    - field: content
+      operator: regex
+      value: '(?i)\b(?:filter|filter_expr|filterExpression)\b[^\n]{0,40}(?:==|!=)\s*\d+[^\n]{0,20}\b(?:or|and)\s+(?:1\s*==\s*1|true\b|\d+\s*==\s*\d+|\w+\s*==\s*\d+)'
+      description: "Milvus filter field with numeric comparator followed by boolean chain into a tautology (or 1==1, or true, or id==N) — primary CVE-2026-41705 injection shape"
+
+    - field: content
+      operator: regex
+      value: '(?i)\b(?:filter|filter_expr|filterExpression)\b[^\n]{0,80}\\?["\x27][^\n]{0,40}\)\s*(?:or|and)\s+\w+\s*(?:==|in\s*\[)'
+      description: "Filter expression with closing-paren breakout followed by or/and and a fresh Milvus comparator/in-operator — quote-and-paren breakout"
+
+    - field: content
+      operator: regex
+      value: '(?i)(?:MilvusVectorStore|milvus[-_]?client|milvus[-_]?service)\b[^.\n]{0,80}\.(?:delete|similaritysearch|similarity_search|search)\s*\([^)\n]{0,200}\+\s*\w'
+      description: "MilvusVectorStore.delete()/similaritySearch() call whose argument list contains string concatenation — code-level smell that enables CVE-2026-41705"
+
+    - field: content
+      operator: regex
+      value: '(?i)\b(?:filter|filter_expr|filterExpression)\b[^\n]{0,40}\bin\s*\[[^\]\n]{0,80}\]\s*(?:or|and)\s+\w+\s*(?:==|!=)'
+      description: "Milvus `in[...]` clause followed by or/and boolean chaining into a fresh comparator — injection past the in-clause"
+
+    - field: content
+      operator: regex
+      value: '(?i)\b(?:filter|filter_expr|filterExpression)\b[^\n]{0,80}["\x27]\s*;\s*(?:drop|delete|truncate|alter)\s+(?:table|from|collection)\b'
+      description: "Filter expression terminated with `;` followed by a destructive verb — classic injection terminator chain"
+
+    - field: content
+      operator: regex
+      value: '(?i)[\x27"]\s+(?:or|and)\s+(?:1\s*=+\s*1|true)\s*(?:--(?=\s|$|["\x27\)])|/\*)'
+      description: "Canonical SQL/DSL tautology with sentinel comment-out terminator (-- at EOL or /*) — conservative shape that excludes markdown `#` heading false positives; supports = and == comparator"
+
+    - field: content
+      operator: regex
+      value: '(?i)\blike\s+\\?["\x27]%\\?["\x27]\s+escape\s+\\?["\x27][\\\\\w]{0,8}\\?["\x27]'
+      description: "Milvus `like '%' ESCAPE` bypass primitive (supports JSON-escaped quotes around the `%` literal and 0..8 backslash/word chars inside the escape value) — used to defeat literal-character escaping in upstream filter builders"
+
+    - field: content
+      operator: regex
+      value: '(?i)\b(?:filter|filter_expr|filterExpression)\b[^\n]{0,80}\)\s+and\s+\w+\s*==\s*\d+'
+      description: "Paren-breakout in filter expression followed by AND-chain with new numeric comparator — secondary breakout shape"
+
+response:
+  actions:
+    - block_input
+    - alert
+    - escalate
+  notify:
+    - security_team
+
+remediation: >
+  Upgrade Spring AI to >= 1.0.0. Replace string-concatenated Milvus filter
+  expressions with parameterised filter builders; never interpolate LLM
+  output or user input directly into filter strings passed to
+  MilvusVectorStore.delete() or .similaritySearch(). Validate filter
+  fragments against an allowlist of operators / field names before
+  building the final expression. Treat LLM output as untrusted input
+  from a security perspective.
+
+test_cases:
+  true_positives:
+    - input: '{"tool":"MilvusVectorStore.delete","args":{"filter":"id == 1 or 1 == 1"}}'
+      expected: triggered
+      description: "Tautology-based deletion-broadening injection — CVE-2026-41705 canonical shape"
+    - input: '{"tool":"MilvusVectorStore.similaritySearch","args":{"filter":"user_id == \"alice\") or id == 99"}}'
+      expected: triggered
+      description: "Closing-paren breakout followed by or chaining with comparator"
+    - input: 'milvusVectorStore.delete("id == " + userInput + " or true")'
+      expected: triggered
+      description: "Source-level concat against Milvus delete sink — code path that enables CVE-2026-41705"
+    - input: '{"filter":"name in [\"x\"] or tenant_id == 99"}'
+      expected: triggered
+      description: "in-operator followed by or chaining with new comparator — bypass of original access-control filter"
+    - input: '{"filter":"category == \"books\"; DROP TABLE collection"}'
+      expected: triggered
+      description: "Filter terminator + destructive verb — classic injection chain"
+    - input: "' or 1 == 1 --"
+      expected: triggered
+      description: "Canonical tautology + comment-out payload pasted into the user_input field"
+    - input: 'filter: "title like \"%\" escape \"\\\\\""'
+      expected: triggered
+      description: "Milvus like-escape bypass primitive"
+    - input: '{"filter":"user == \"bob\") and id == 1"}'
+      expected: triggered
+      description: "Paren-breakout into AND-chain with new comparator"
+  true_negatives:
+    - input: "The Spring AI 1.0.0 changelog notes that MilvusVectorStore now uses parameterised filter builders to mitigate CVE-2026-41705."
+      expected: not_triggered
+      description: "Documentation discussing the patch should not trigger"
+    - input: "Best practice: build Milvus filter expressions via the parameterised builder API instead of string concatenation."
+      expected: not_triggered
+      description: "Defensive guidance discussing the mitigation"
+    - input: 'milvusVectorStore.similaritySearch(SearchRequest.builder().query("hello").filter(parameterizedExpr).build())'
+      expected: not_triggered
+      description: "Properly parameterised similarity search using a builder — no concat with user input"
+    - input: "Reviewing this rule against CVE-2026-41705 to ensure regex coverage is correct."
+      expected: not_triggered
+      description: "Discussion of CVE in defensive context"
+    - input: 'filter: "category == \"books\""'
+      expected: not_triggered
+      description: "Single static comparator without boolean chaining or breakout"
+    - input: "The dataset contains records where the title field matches a specific pattern."
+      expected: not_triggered
+      description: "Benign English prose mentioning fields and patterns"