932239 blocking Mozilla user-agents | Matched Data: ; PG found

[isniukArte]

Description

We have a lot of absolutely legal requests from real users with User-Agent like this: Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36

These requests are blocked by 932239 with reason: Matched Data: ; PG found within REQUEST_HEADERS:user-agent: Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36

How to reproduce the misbehavior (-> curl call)

curl -X GET host.with.pl2.enabled -kL \
-H "User-Agent: Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36" \
-H "Host: host.with.pl2.enabled"

Your Environment

• CRS version (e.g., v3.3.4):4.3.0
• Paranoia level setting (e.g. PL1) :PL2
• ModSecurity version (e.g., 2.9.6): ModSecurity v3.0.12 (Linux)
• Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): ingress-nginx controller v1.10.0
• Operating System and version: n/a

Confirmation

[ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

[franbuehler]

Thank you for your report and sorry for the inconvenience. I can confirm the false positive:

curl -H "x-crs-paranoia-level: 2" -H "x-format-output: txt-matched-rules" -A "Mozilla/5.0 (Linux; Android 14;
PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36" https://
sandbox.coreruleset.org/
932239 PL2 Remote Command Execution: Unix Command Injection found in user-agent or referer header
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-5-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)

Indeed, this user-agent seems to be legit. I don't find an exact match, but two (or more) close examples, where we also find this ; PG as part of the user-agent string:

• https://user-agents.net/string/mozilla-5-0-linux-android-13-pgt-n19-build-honorpgt-n49-wv-applewebkit-537-36-khtml-like-gecko-version-4-0-chrome-114-0-5735-196-mobile-safari-537-36-fb-iab-fb4a-fbav-422-0-0-26-76
• https://user-agents.net/string/mozilla-5-0-linux-android-13-pgt-n19-build-honorpgt-n49-wv-applewebkit-537-36-khtml-like-gecko-version-4-0-chrome-120-0-6099-144-mobile-safari-537-36-home-assistant-2023-12-4-11898-android-13-pgt-n19

I think this false positive could be resolved by adding pg or pgt (I'll have to find out) to the file that handles user-agent exclusions for rule 932230. I can provide a PR for that so that this false positive gets resolved for the next CRS release.