All Vulnerabilities

  • 21-020 (April 27, 2021)
     Publish date:  28 de abril de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Asterisk Manager Interface (AMI) HTTP
    1009148* - Asterisk HTTP Server Denial Of Service Vulnerability (CVE-2018-7287)


    Directory Server LDAP
    1010895 - OpenLDAP Slapd CancelRequest Denial Of Service Vulnerability (CVE-2020-36227)


    Web Application Common
    1010899* - LightCMS Stored Cross-Site Scripting Vulnerability (CVE-2021-3355)
    1010918 - Nagios XI Remote Code Execution Vulnerability (CVE-2020-35578)


    Web Client Common
    1010917 - Chromium Based Browsers Improper Input Validation Vulnerability (CVE-2021-21123)
    1010910 - Chromium V8 Out-Of-Bounds Access Remote Code Execution Vulnerability (CVE-2021-21220)
    1010922 - Google Chrome Out Of Bounds Write Vulnerability (CVE-2020-6507)
    1010908 - Microsoft 3D Builder Remote Code Execution Vulnerability (ZDI-21-406)
    1010907 - Microsoft Print 3D Remote Code Execution Vulnerability (ZDI-21-405)
    1010924 - Microsoft Windows Remote Code Execution Vulnerability (CVE-2021-28468)
    1010925 - XStream Library Arbitrary Code Execution Vulnerability (CVE-2021-21351)


    Web Server Apache
    1009087* - Apache Httpd FilesMatch Directive Security Restriction Bypass Vulnerability (CVE-2017-15715)


    Web Server Common
    1010902* - Apache Druid Remote Code Execution Vulnerability (CVE-2021-26919)
    1010905* - B2evolution CMS Open Redirect Vulnerability (CVE-2020-22840)


    Web Server HTTPS
    1010913* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26858)


    Web Server Miscellaneous
    1010916 - Atlassian Jira Information Disclosure Vulnerability (CVE-2019-3403)
    1010893 - Jenkins 'Repository Connector' Plugin Stored Cross-Site Scripting Vulnerability (CVE-2021-21618)
    1008763* - Red Hat JBoss Application Server 'doFilter' Insecure Deserialization Vulnerability (CVE-2017-12149)


    Zoho ManageEngine
    1010903 - Zoho ManageEngine Applications Manager Custom Monitor Type SQL Injection Vulnerability


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    1002831* - Unix - Syslog
  • 21-019 (April 20, 2021)
     Publish date:  22 de abril de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Asterisk Manager Interface (AMI) HTTP
    1009148 - Asterisk HTTP Server Denial Of Service Vulnerability (CVE-2018-7287)


    HP Intelligent Management Center (IMC)
    1010889* - Apache OFBiz Unsafe Deserialization Vulnerability (CVE-2021-26295)


    Mail Server Common
    1010001* - Dovecot And Pigeonhole Remote Code Execution Vulnerability (CVE-2019-11500)


    Microsoft Office
    1010909 - Microsoft Excel Remote Code Execution Vulnerability (CVE-2021-28454)
    1010914 - Microsoft Word Remote Code Execution Vulnerability (CVE-2021-28453)


    Web Application Common
    1010899 - LightCMS Stored Cross-Site Scripting Vulnerability (CVE-2021-3355)


    Web Client Common
    1010904 - Google Chrome Insufficient Data Validation Vulnerability (CVE-2020-16040)


    Web Client Internet Explorer/Edge
    1010857* - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411)
    1010912 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411) -1


    Web Server Common
    1010902 - Apache Druid Remote Code Execution Vulnerability (CVE-2021-26919)
    1010905 - B2evolution CMS Open Redirect Vulnerability (CVE-2020-22840)
    1010892* - B2evolution CMS Reflected Cross Site Scripting Vulnerability (CVE-2020-22839)
    1010885* - CMS Made Simple Smarty Server-side Template Injection Vulnerability (CVE-2021-26120)


    Web Server HTTPS
    1010913 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26858)


    Integrity Monitoring Rules:

    1006683* - TMTR-0016: Suspicious Running Processes Detected


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-017 (April 13, 2021)
     Publish date:  14 de abril de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DCERPC Services
    1010900 - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2021-28325)


    HP Intelligent Management Center (IMC)
    1010889 - Apache OFBiz Unsafe Deserialization Vulnerability (CVE-2021-26295)


    Suspicious Client Ransomware Activity
    1010732* - Identified FlawedGrace Checkin Request - Client


    Suspicious Server Ransomware Activity
    1010733* - Identified FlawedGrace Checkin Request - Server


    Web Application PHP Based
    1010886* - Batflat CMS Remote Code Execution Vulnerability (CVE-2020-35734)


    Web Application Tomcat
    1009697* - Apache Tomcat Remote Code Execution Vulnerability (CVE-2019-0232)


    Web Client Common
    1010806* - Identified Directory Traversal Attack In HTTP Response Headers
    1010898 - Microsoft Windows Win32k Elevation Of Privilege Vulnerability (CVE-2021-28310)


    Web Client Internet Explorer/Edge
    1010888 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11799)
    1010896 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-8755)


    Web Server Common
    1010892 - B2evolution CMS Reflected Cross Site Scripting Vulnerability (CVE-2020-22839)
    1010885 - CMS Made Simple Smarty Server-side Template Injection Vulnerability (CVE-2021-26120)
    1010871* - Cisco Data Center Network Manager Arbitrary File Upload Vulnerability (CVE-2019-1620)
    1010874 - Identified Cisco Data Center Network Manager Authentication Bypass Attempt
    1010891 - Identified Cisco Data Center Network Manager Information Disclosure Vulnerability (CVE-2019-1622)
    1010755* - SAP Solution Manager Remote Code Execution Vulnerability (CVE-2020-6207)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    1002798* - Database Server - PostgreSQL
  • 21-016 (April 6, 2021)
     Publish date:  07 de abril de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DNS Client
    1010784* - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25687)


    DNS Server
    1010613* - Identified DNS Trojan.Win32.Trickbot.Dns Traffic


    Suspicious Client Application Activity
    1010741* - Identified HTTP Backdoor Python FreakOut A Runtime Detection


    Suspicious Client Ransomware Activity
    1010792* - Identified Cobalt Strike Default Self-signed SSL/TLS Certificate
    1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
    1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
    1010714* - Identified HTTP Trojan-Downloader.Win32.Cometer.bfc C&C Traffic Request
    1010617* - Identified TLS Cobalt Strike Beacon (Certificate)


    Suspicious Server Ransomware Activity
    1010638* - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
    1010616* - Identified HTTP Backdoor.Shell.Powertrick.A Runtime Detection
    1010608* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Amazon Profile)
    1010637* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Google Safe Browsing Profile)
    1010609* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Office 365 Calendar Profile)
    1010636* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora GET Profile)
    1010639* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora POST Profile)
    1010731* - Identified HTTP Redhat Webshell C&C Traffic
    1010614* - Identified HTTP Trickbot Data Exfiltration (Card Payment)
    1010615* - Identified HTTP Trickbot Data Exfiltration (Network Module)
    1010634* - Identified HTTP Trickbot Data Exfiltration - (Application Credentials Grabber)
    1010644* - Identified HTTP Trojan-Downloader.Shell.Lightbot.A C&C Traffic Request
    1010610* - Identified HTTP Trojan.Win64.BazarTrickbot Traffic
    1010611* - Identified HTTP TrojanDownloader.Win64.BazarLoader Traffic
    1010607* - Identified TCP Meterpreter Payload


    Web Application PHP Based
    1010886 - Batflat CMS Remote Code Execution Vulnerability (CVE-2020-35734)


    Web Client Common
    1010806 - Identified Directory Traversal Attack In HTTP Response Headers


    Web Server Common
    1010867* - Apache ActiveMQ Web Console Reflected Cross-Site Scripting Vulnerability (CVE-2020-13947)
    1010871 - Cisco Data Center Network Manager Arbitrary File Upload Vulnerability (CVE-2019-1620)
    1010734* - Identified BumbleBee Webshell Traffic Over HTTP
    1010814 - Identified SAP Solution Manager Removal On Host Attempt (ATT&CK T1070.004)


    Web Server HTTPS
    1010868* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
    1010870* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1
    1010875* - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability (CVE-2020-12255)


    Web Server Oracle
    1010887 - Identify Oracle Application Server Config Files Access


    Windows SMB Server
    1010884* - Microsoft Windows RPC Remote Code Execution Vulnerability (CVE-2017-8461)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-014 (March 23, 2021)
     Publish date:  05 de abril de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Microsoft Office
    1010879 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-27053)
    1010878 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-27054)
    1010880 - Microsoft Office Graph Uninitialized Variable Remote Code Execution Vulnerability (CVE-2021-27057)
    1010881 - Microsoft PowerPoint PPTX File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-27056)


    Oracle E-Business Suite Web Interface
    1010730* - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)


    Web Server Common
    1010796* - Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646)


    Web Server HTTPS
    1010868 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
    1010870 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1


    Web Server Nagios
    1010866* - Nagios XI Cross Site Scripting Vulnerability (CVE-2021-25299)


    Web Server Oracle
    1010590* - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883)


    Web Server SharePoint
    1010823 - Identified Microsoft SharePoint GetPermissionCollection Request (ATT&CK T1069, T1087, T1213.002, T1589.002, T1589.003)
    1010864* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-013 (March 16, 2021)
     Publish date:  05 de abril de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DNS Client
    1010766* - Identified Non Existing DNS Resource Record (RR) Types In DNS Traffic


    DNS Server
    1010863* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877)
    1010865* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)


    Oracle E-Business Suite Web Interface
    1010730 - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)


    SSL Client
    1010410* - OpenSSL Large DH Parameter Denial Of Service Vulnerability (CVE-2018-0732)


    Suspicious Server Ransomware Activity
    1010647* - Identified HTTP Backdoor.Win32.Cobalt.SMHP C&C Traffic Request


    Web Application PHP Based
    1010852* - phpMyAdmin 'SearchController' SQL Injection Vulnerability (CVE-2020-26935)


    Web Server Common
    1010862* - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282)
    1010858* - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282) - 1


    Web Server HTTPS
    1010849 - Identified Zoom WebSocket Upgrade Request
    1010854* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)


    Web Server Miscellaneous
    1010682* - SolarWinds Orion Platform 'SaveUserSetting' Privilege Escalation Vulnerability (CVE-2021-27258)


    Web Server Nagios
    1010866 - Nagios XI Cross Site Scripting Vulnerability (CVE-2021-25299)


    Web Server SharePoint
    1010864* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)


    Windows SMB Server
    1007065* - Executable File Uploaded On Network Share (ATT&CK T1105)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-015 (March 30, 2021)
     Publish date:  05 de abril de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Oracle E-Business Suite Web Interface
    1010730* - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)


    Web Client Common
    1010877 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 4


    Web Client HTTPS
    1010132* - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) - 1


    Web Server Common
    1010867 - Apache ActiveMQ Web Console Reflected Cross-Site Scripting Vulnerability (CVE-2020-13947)


    Web Server HTTPS
    1010868* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
    1010870* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1
    1010850* - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972 and CVE-2021-21973)
    1010875 - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability (CVE-2020-12255)


    Windows SMB Server
    1010884 - Microsoft Windows RPC Remote Code Execution Vulnerability (CVE-2017-8461)


    Integrity Monitoring Rules:

    1010855* - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.

    The vulnerability has been submitted to ZDI on Dec 3, 2019.

    ZDI got one response from the vendor which acknowledged but not confirmed the vulnerability. The responsible disclosure expired on April 30, 2020.

    The vendor addressed the vulnerability and has recommended to install an updated version of the software. The update can be found via the vendor's link:

    Details

    The researchers have tried two ways to successfully steal the access token in the HTTP header.

    1. Use a Python script (zkteco.py, see below) and a self-signed SSL certificate to simulate ZKBiosecurity Server (ADMS) and do ARP spoofing on HTTPS port 8088.
    2. Wireshark the default deployment, which does HTTP instead of HTTPS.

    We found no CSRF to prevent such attack. Moreover, the token has a long life (at least 2 weeks), and is still valid even after FaceDepot 7B (the Android tablet) issues a new token. The token can be used in replay attack, command forgery, arbitrary user addition and privilege escalation (CVE-2020-17474).

    We wrote a proof-of-concept to simulate ZKBiosecurity ADMS with reasonably dummy response. The SSL certificate is self-signed. We did not install the CA into the tablet. After taking over ZKBiosecurity Server's IP by arpspoofing, the script is able to obtain the token for further use. FaceDepot tablet reconnects to the server every 2 - 3 minutes and thus automatically submits a legit token.

    After SN and token are obtained, it is easy to, for example, create a user, by using cURL:

    curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \
        -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
        -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@bugoy.user.post

    Where the content of bugoy.user.post is:

    user uuid=	cardno=	pin=11111	password=	group=1	starttime=0 	endtime=0	name=Bugoy Test1	privilege=14	disable=0	verify=0

    Vulnerability Type

    • CWE-613: Insufficient Session Expiration
    • CWE-295: Improper Certificate Validation

    Attack Type


    Remote

    Impact Information Disclosure


    true

    Attack Vectors


    An attacker who is able to sniff the network or arp-spoof with a fake server obtains a long-lasting token.

    Mitigation

    • Deploy a firewall in front of ZKBiosecurity Server and enforce allowed IP list and allowed MAC list.
    • Deny all unlisted access.

    Discoverer


    Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer

    Reference

    https://www.zkteco.com/en/product_detail/FaceDepot-7B.html
  • 21-012 (March 11, 2021)
     Gravedad:    
     Publish date:  12 de marzo de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Web Server Miscellaneous
    1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-011 (March 9, 2021)
     Gravedad:    
     Publish date:  10 de marzo de 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DNS Server
    1010863 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877)
    1010865 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)


    Directory Server LDAP
    1010820* - OpenLDAP Slapd SASL Proxy Authorization Denial Of Service Vulnerability (CVE-2020-36222)


    SolarWinds Orion Platform
    1010810* - SolarWinds Orion Platform Insecure Deserialization Vulnerability (CVE-2021-25274)


    Web Application Common
    1010818* - WordPress 'Code Snippets' Plugin Cross-Site Request Forgery Vulnerability (CVE-2020-8417)


    Web Application PHP Based
    1010852 - phpMyAdmin 'SearchController' SQL Injection Vulnerability (CVE-2020-26935)


    Web Client Common
    1010861 - Microsoft Windows Graphics Component Remote Code Execution Vulnerability (CVE-2021-24093)


    Web Client Internet Explorer/Edge
    1010857 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411)


    Web Server Common
    1010801* - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2009-2265)
    1010862 - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282)
    1010858 - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282) - 1


    Web Server HTTPS
    1010854* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
    1010850* - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972)


    Web Server Miscellaneous
    1010496* - Apache Struts2 File Upload Denial of Service Vulnerability (CVE-2019-0233)
    1010461* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)
    1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
    1010682 - SolarWinds Orion Platform 'SaveUserSetting' Privilege Escalation Vulnerability (CVE-2021-27258)


    Web Server Oracle
    1010851 - Identified Oracle Application Server 'OWA_UTIL PL/SQL' Package Access


    Web Server SharePoint
    1010836 - Identified Microsoft SharePoint GetGroupCollection Request (ATT&CK T1589, T1213.002, T1087)
    1010835 - Identified Microsoft SharePoint GetGroupCollectionFromRole Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010834 - Identified Microsoft SharePoint GetGroupCollectionFromSite Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010833 - Identified Microsoft SharePoint GetGroupCollectionFromUser Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010832 - Identified Microsoft SharePoint GetGroupCollectionFromWeb Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010831 - Identified Microsoft SharePoint GetGroupInfo Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010830 - Identified Microsoft SharePoint GetRoleCollection Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010864 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)


    Zoho ManageEngine
    1010811* - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-35765)


    Integrity Monitoring Rules:

    1010855* - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.