All Vulnerabilities
- * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Netatalk DSI
1010921* - Netatalk Out-of-Bounds Write Remote Code Execution Vulnerability (CVE-2018-1160)
Web Application Common
1010918* - Nagios XI Remote Code Execution Vulnerability (CVE-2020-35578)
1010942 - WordPress XML External Entity Injection Vulnerability (CVE-2021-29447)
Web Application PHP Based
1010931* - GetSimple CMS Cross Site Scripting Vulnerability (CVE-2020-23839)
1010642 - WordPress XMLRPC Brute Force Amplification Attack
Web Client Common
1010940 - XStream Library Regular Expression Denial Of Service Vulnerability (CVE-2021-21348)
Web Client Internet Explorer/Edge
1010946 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2021-26419)
Web Server Common
1010944 - Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646) - 1
1010890* - HPE Systems Insight Manager AMF Deserialization of Untrusted Data Vulnerability (CVE-2020-7200)
1010949 - Microsoft Windows HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2021-31166)
Web Server HTTPS
1010935 - Joomla! CMS Stored Cross-Site Scripting Vulnerability (CVE-2021-26030)
1010948 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-28482)
Web Server Miscellaneous
1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
Web Server Nagios
1010943 - Nagios XI Authenticated OS Command Argument Injection Vulnerability (CVE-2020-5792)
Web Server Oracle
1010926* - Oracle WebLogic Server T3 Protocol Deserialization of Untrusted Data Vulnerability (CVE-2021-2211)
Web Server SharePoint
1010947 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-31181)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1010532 - Identified Remote Operating System Discovery Over SMB Via Nmap Scripting Engine
Directory Server LDAP
1010895* - OpenLDAP Slapd CancelRequest Denial Of Service Vulnerability (CVE-2020-36227)
Netatalk DSI
1010921 - Netatalk Out-of-Bounds Write Remote Code Execution Vulnerability (CVE-2018-1160)
Web Application Common
1010918* - Nagios XI Remote Code Execution Vulnerability (CVE-2020-35578)
Web Application PHP Based
1010931 - GetSimple CMS Cross Site Scripting Vulnerability (CVE-2020-23839)
Web Client Common
1010765* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 2
1010906 - LibTIFF Tiff2pdf Converter Out Of Bounds Read Vulnerability
1010932 - XStream Library Arbitrary Code Execution Vulnerability (CVE-2021-21344)
1010929 - XStream Library Arbitrary Code Execution Vulnerability (CVE-2021-21346)
1010933 - XStream Library Arbitrary Code Execution Vulnerability (CVE-2021-21347)
1010923 - XStream Library Arbitrary Code Execution Vulnerability (CVE-2021-21350)
1010920 - XStream Library Arbitrary File Deletion Vulnerability (CVE-2020-26259)
1010936 - XStream Library Arbitrary File Deletion Vulnerability (CVE-2021-21343)
1010938 - XStream Library Denial Of Service Vulnerability (CVE-2021-21341)
1010930 - XStream Library Remote Command Execution Vulnerability (CVE-2021-21345)
1010937 - XStream Library SSRF Vulnerability (CVE-2021-21342)
1010939 - XStream Library SSRF Vulnerability (CVE-2021-21349)
Web Server Common
1010890 - HPE Systems Insight Manager AMF Deserialization of Untrusted Data Vulnerability (CVE-2020-7200)
Web Server Miscellaneous
1010916* - Atlassian Jira Information Disclosure Vulnerability (CVE-2019-3403)
1010893* - Jenkins 'Repository Connector' Plugin Stored Cross-Site Scripting Vulnerability (CVE-2021-21618)
1008763* - Red Hat JBoss Application Server 'doFilter' Insecure Deserialization Vulnerability (CVE-2017-12149)
Web Server Oracle
1010926 - Oracle WebLogic Server T3 Protocol Deserialization of Untrusted Data Vulnerability (CVE-2021-2211)
Zoho ManageEngine
1010903* - Zoho ManageEngine Applications Manager Custom Monitor Type SQL Injection Vulnerability
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Asterisk Manager Interface (AMI) HTTP
1009148* - Asterisk HTTP Server Denial Of Service Vulnerability (CVE-2018-7287)
Directory Server LDAP
1010895 - OpenLDAP Slapd CancelRequest Denial Of Service Vulnerability (CVE-2020-36227)
Web Application Common
1010899* - LightCMS Stored Cross-Site Scripting Vulnerability (CVE-2021-3355)
1010918 - Nagios XI Remote Code Execution Vulnerability (CVE-2020-35578)
Web Client Common
1010917 - Chromium Based Browsers Improper Input Validation Vulnerability (CVE-2021-21123)
1010910 - Chromium V8 Out-Of-Bounds Access Remote Code Execution Vulnerability (CVE-2021-21220)
1010922 - Google Chrome Out Of Bounds Write Vulnerability (CVE-2020-6507)
1010908 - Microsoft 3D Builder Remote Code Execution Vulnerability (ZDI-21-406)
1010907 - Microsoft Print 3D Remote Code Execution Vulnerability (ZDI-21-405)
1010924 - Microsoft Windows Remote Code Execution Vulnerability (CVE-2021-28468)
1010925 - XStream Library Arbitrary Code Execution Vulnerability (CVE-2021-21351)
Web Server Apache
1009087* - Apache Httpd FilesMatch Directive Security Restriction Bypass Vulnerability (CVE-2017-15715)
Web Server Common
1010902* - Apache Druid Remote Code Execution Vulnerability (CVE-2021-26919)
1010905* - B2evolution CMS Open Redirect Vulnerability (CVE-2020-22840)
Web Server HTTPS
1010913* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26858)
Web Server Miscellaneous
1010916 - Atlassian Jira Information Disclosure Vulnerability (CVE-2019-3403)
1010893 - Jenkins 'Repository Connector' Plugin Stored Cross-Site Scripting Vulnerability (CVE-2021-21618)
1008763* - Red Hat JBoss Application Server 'doFilter' Insecure Deserialization Vulnerability (CVE-2017-12149)
Zoho ManageEngine
1010903 - Zoho ManageEngine Applications Manager Custom Monitor Type SQL Injection Vulnerability
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1002831* - Unix - Syslog - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Asterisk Manager Interface (AMI) HTTP
1009148 - Asterisk HTTP Server Denial Of Service Vulnerability (CVE-2018-7287)
HP Intelligent Management Center (IMC)
1010889* - Apache OFBiz Unsafe Deserialization Vulnerability (CVE-2021-26295)
Mail Server Common
1010001* - Dovecot And Pigeonhole Remote Code Execution Vulnerability (CVE-2019-11500)
Microsoft Office
1010909 - Microsoft Excel Remote Code Execution Vulnerability (CVE-2021-28454)
1010914 - Microsoft Word Remote Code Execution Vulnerability (CVE-2021-28453)
Web Application Common
1010899 - LightCMS Stored Cross-Site Scripting Vulnerability (CVE-2021-3355)
Web Client Common
1010904 - Google Chrome Insufficient Data Validation Vulnerability (CVE-2020-16040)
Web Client Internet Explorer/Edge
1010857* - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411)
1010912 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411) -1
Web Server Common
1010902 - Apache Druid Remote Code Execution Vulnerability (CVE-2021-26919)
1010905 - B2evolution CMS Open Redirect Vulnerability (CVE-2020-22840)
1010892* - B2evolution CMS Reflected Cross Site Scripting Vulnerability (CVE-2020-22839)
1010885* - CMS Made Simple Smarty Server-side Template Injection Vulnerability (CVE-2021-26120)
Web Server HTTPS
1010913 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26858)
Integrity Monitoring Rules:
1006683* - TMTR-0016: Suspicious Running Processes Detected
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1010900 - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2021-28325)
HP Intelligent Management Center (IMC)
1010889 - Apache OFBiz Unsafe Deserialization Vulnerability (CVE-2021-26295)
Suspicious Client Ransomware Activity
1010732* - Identified FlawedGrace Checkin Request - Client
Suspicious Server Ransomware Activity
1010733* - Identified FlawedGrace Checkin Request - Server
Web Application PHP Based
1010886* - Batflat CMS Remote Code Execution Vulnerability (CVE-2020-35734)
Web Application Tomcat
1009697* - Apache Tomcat Remote Code Execution Vulnerability (CVE-2019-0232)
Web Client Common
1010806* - Identified Directory Traversal Attack In HTTP Response Headers
1010898 - Microsoft Windows Win32k Elevation Of Privilege Vulnerability (CVE-2021-28310)
Web Client Internet Explorer/Edge
1010888 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11799)
1010896 - Microsoft Edge Memory Corruption Vulnerability (CVE-2017-8755)
Web Server Common
1010892 - B2evolution CMS Reflected Cross Site Scripting Vulnerability (CVE-2020-22839)
1010885 - CMS Made Simple Smarty Server-side Template Injection Vulnerability (CVE-2021-26120)
1010871* - Cisco Data Center Network Manager Arbitrary File Upload Vulnerability (CVE-2019-1620)
1010874 - Identified Cisco Data Center Network Manager Authentication Bypass Attempt
1010891 - Identified Cisco Data Center Network Manager Information Disclosure Vulnerability (CVE-2019-1622)
1010755* - SAP Solution Manager Remote Code Execution Vulnerability (CVE-2020-6207)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1002798* - Database Server - PostgreSQL - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DNS Client
1010784* - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25687)
DNS Server
1010613* - Identified DNS Trojan.Win32.Trickbot.Dns Traffic
Suspicious Client Application Activity
1010741* - Identified HTTP Backdoor Python FreakOut A Runtime Detection
Suspicious Client Ransomware Activity
1010792* - Identified Cobalt Strike Default Self-signed SSL/TLS Certificate
1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
1010714* - Identified HTTP Trojan-Downloader.Win32.Cometer.bfc C&C Traffic Request
1010617* - Identified TLS Cobalt Strike Beacon (Certificate)
Suspicious Server Ransomware Activity
1010638* - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
1010616* - Identified HTTP Backdoor.Shell.Powertrick.A Runtime Detection
1010608* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Amazon Profile)
1010637* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Google Safe Browsing Profile)
1010609* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Office 365 Calendar Profile)
1010636* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora GET Profile)
1010639* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora POST Profile)
1010731* - Identified HTTP Redhat Webshell C&C Traffic
1010614* - Identified HTTP Trickbot Data Exfiltration (Card Payment)
1010615* - Identified HTTP Trickbot Data Exfiltration (Network Module)
1010634* - Identified HTTP Trickbot Data Exfiltration - (Application Credentials Grabber)
1010644* - Identified HTTP Trojan-Downloader.Shell.Lightbot.A C&C Traffic Request
1010610* - Identified HTTP Trojan.Win64.BazarTrickbot Traffic
1010611* - Identified HTTP TrojanDownloader.Win64.BazarLoader Traffic
1010607* - Identified TCP Meterpreter Payload
Web Application PHP Based
1010886 - Batflat CMS Remote Code Execution Vulnerability (CVE-2020-35734)
Web Client Common
1010806 - Identified Directory Traversal Attack In HTTP Response Headers
Web Server Common
1010867* - Apache ActiveMQ Web Console Reflected Cross-Site Scripting Vulnerability (CVE-2020-13947)
1010871 - Cisco Data Center Network Manager Arbitrary File Upload Vulnerability (CVE-2019-1620)
1010734* - Identified BumbleBee Webshell Traffic Over HTTP
1010814 - Identified SAP Solution Manager Removal On Host Attempt (ATT&CK T1070.004)
Web Server HTTPS
1010868* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
1010870* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1
1010875* - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability (CVE-2020-12255)
Web Server Oracle
1010887 - Identify Oracle Application Server Config Files Access
Windows SMB Server
1010884* - Microsoft Windows RPC Remote Code Execution Vulnerability (CVE-2017-8461)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Microsoft Office
1010879 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-27053)
1010878 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-27054)
1010880 - Microsoft Office Graph Uninitialized Variable Remote Code Execution Vulnerability (CVE-2021-27057)
1010881 - Microsoft PowerPoint PPTX File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-27056)
Oracle E-Business Suite Web Interface
1010730* - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)
Web Server Common
1010796* - Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646)
Web Server HTTPS
1010868 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
1010870 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1
Web Server Nagios
1010866* - Nagios XI Cross Site Scripting Vulnerability (CVE-2021-25299)
Web Server Oracle
1010590* - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883)
Web Server SharePoint
1010823 - Identified Microsoft SharePoint GetPermissionCollection Request (ATT&CK T1069, T1087, T1213.002, T1589.002, T1589.003)
1010864* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DNS Client
1010766* - Identified Non Existing DNS Resource Record (RR) Types In DNS Traffic
DNS Server
1010863* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877)
1010865* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)
Oracle E-Business Suite Web Interface
1010730 - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)
SSL Client
1010410* - OpenSSL Large DH Parameter Denial Of Service Vulnerability (CVE-2018-0732)
Suspicious Server Ransomware Activity
1010647* - Identified HTTP Backdoor.Win32.Cobalt.SMHP C&C Traffic Request
Web Application PHP Based
1010852* - phpMyAdmin 'SearchController' SQL Injection Vulnerability (CVE-2020-26935)
Web Server Common
1010862* - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282)
1010858* - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282) - 1
Web Server HTTPS
1010849 - Identified Zoom WebSocket Upgrade Request
1010854* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
Web Server Miscellaneous
1010682* - SolarWinds Orion Platform 'SaveUserSetting' Privilege Escalation Vulnerability (CVE-2021-27258)
Web Server Nagios
1010866 - Nagios XI Cross Site Scripting Vulnerability (CVE-2021-25299)
Web Server SharePoint
1010864* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)
Windows SMB Server
1007065* - Executable File Uploaded On Network Share (ATT&CK T1105)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Oracle E-Business Suite Web Interface
1010730* - Oracle E-Business Suite 'ozfVendorLov' SQL Injection Information Disclosure Vulnerability (CVE-2020-14876)
Web Client Common
1010877 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 4
Web Client HTTPS
1010132* - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) - 1
Web Server Common
1010867 - Apache ActiveMQ Web Console Reflected Cross-Site Scripting Vulnerability (CVE-2020-13947)
Web Server HTTPS
1010868* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
1010870* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1
1010850* - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972 and CVE-2021-21973)
1010875 - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability (CVE-2020-12255)
Windows SMB Server
1010884 - Microsoft Windows RPC Remote Code Execution Vulnerability (CVE-2017-8461)
Integrity Monitoring Rules:
1010855* - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 long-lasting token vulnerability
Gravedad:
Publish date: 26 de marzo de 2021Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.
The vulnerability has been submitted to ZDI on Dec 3, 2019.
ZDI got one response from the vendor which acknowledged but not confirmed the vulnerability. The responsible disclosure expired on April 30, 2020.
The vendor addressed the vulnerability and has recommended to install an updated version of the software. The update can be found via the vendor's link:
Details
The researchers have tried two ways to successfully steal the access token in the HTTP header.
- Use a Python script (zkteco.py, see below) and a self-signed SSL certificate to simulate ZKBiosecurity Server (ADMS) and do ARP spoofing on HTTPS port 8088.
- Wireshark the default deployment, which does HTTP instead of HTTPS.
We found no CSRF to prevent such attack. Moreover, the token has a long life (at least 2 weeks), and is still valid even after FaceDepot 7B (the Android tablet) issues a new token. The token can be used in replay attack, command forgery, arbitrary user addition and privilege escalation (CVE-2020-17474).
We wrote a proof-of-concept to simulate ZKBiosecurity ADMS with reasonably dummy response. The SSL certificate is self-signed. We did not install the CA into the tablet. After taking over ZKBiosecurity Server's IP by arpspoofing, the script is able to obtain the token for further use. FaceDepot tablet reconnects to the server every 2 - 3 minutes and thus automatically submits a legit token.
After SN and token are obtained, it is easy to, for example, create a user, by using cURL:
curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \ -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \ -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@bugoy.user.postWhere the content of bugoy.user.post is:
user uuid= cardno= pin=11111 password= group=1 starttime=0 endtime=0 name=Bugoy Test1 privilege=14 disable=0 verify=0
Vulnerability Type
- CWE-613: Insufficient Session Expiration
- CWE-295: Improper Certificate Validation
Attack Type
RemoteImpact Information Disclosure
trueAttack Vectors
An attacker who is able to sniff the network or arp-spoof with a fake server obtains a long-lasting token.Mitigation
- Deploy a firewall in front of ZKBiosecurity Server and enforce allowed IP list and allowed MAC list.
- Deny all unlisted access.
Discoverer
Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton SwimmerReference
https://www.zkteco.com/en/product_detail/FaceDepot-7B.html