All Vulnerabilities
- ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 long-lasting token vulnerability
Gravedad:
Publish date: 26 de marzo de 2021Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.
The vulnerability has been submitted to ZDI on Dec 3, 2019.
ZDI got one response from the vendor which acknowledged but not confirmed the vulnerability. The responsible disclosure expired on April 30, 2020.
The vendor addressed the vulnerability and has recommended to install an updated version of the software. The update can be found via the vendor's link:
Details
The researchers have tried two ways to successfully steal the access token in the HTTP header.
- Use a Python script (zkteco.py, see below) and a self-signed SSL certificate to simulate ZKBiosecurity Server (ADMS) and do ARP spoofing on HTTPS port 8088.
- Wireshark the default deployment, which does HTTP instead of HTTPS.
We found no CSRF to prevent such attack. Moreover, the token has a long life (at least 2 weeks), and is still valid even after FaceDepot 7B (the Android tablet) issues a new token. The token can be used in replay attack, command forgery, arbitrary user addition and privilege escalation (CVE-2020-17474).
We wrote a proof-of-concept to simulate ZKBiosecurity ADMS with reasonably dummy response. The SSL certificate is self-signed. We did not install the CA into the tablet. After taking over ZKBiosecurity Server's IP by arpspoofing, the script is able to obtain the token for further use. FaceDepot tablet reconnects to the server every 2 - 3 minutes and thus automatically submits a legit token.
After SN and token are obtained, it is easy to, for example, create a user, by using cURL:
curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \ -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \ -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@bugoy.user.postWhere the content of bugoy.user.post is:
user uuid= cardno= pin=11111 password= group=1 starttime=0 endtime=0 name=Bugoy Test1 privilege=14 disable=0 verify=0
Vulnerability Type
- CWE-613: Insufficient Session Expiration
- CWE-295: Improper Certificate Validation
Attack Type
RemoteImpact Information Disclosure
trueAttack Vectors
An attacker who is able to sniff the network or arp-spoof with a fake server obtains a long-lasting token.Mitigation
- Deploy a firewall in front of ZKBiosecurity Server and enforce allowed IP list and allowed MAC list.
- Deny all unlisted access.
Discoverer
Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton SwimmerReference
https://www.zkteco.com/en/product_detail/FaceDepot-7B.html - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Web Server Miscellaneous
1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DNS Server
1010863 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877)
1010865 - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)
Directory Server LDAP
1010820* - OpenLDAP Slapd SASL Proxy Authorization Denial Of Service Vulnerability (CVE-2020-36222)
SolarWinds Orion Platform
1010810* - SolarWinds Orion Platform Insecure Deserialization Vulnerability (CVE-2021-25274)
Web Application Common
1010818* - WordPress 'Code Snippets' Plugin Cross-Site Request Forgery Vulnerability (CVE-2020-8417)
Web Application PHP Based
1010852 - phpMyAdmin 'SearchController' SQL Injection Vulnerability (CVE-2020-26935)
Web Client Common
1010861 - Microsoft Windows Graphics Component Remote Code Execution Vulnerability (CVE-2021-24093)
Web Client Internet Explorer/Edge
1010857 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2021-26411)
Web Server Common
1010801* - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2009-2265)
1010862 - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282)
1010858 - SaltStack Salt Directory Traversal Vulnerability (CVE-2021-25282) - 1
Web Server HTTPS
1010854* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
1010850* - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972)
Web Server Miscellaneous
1010496* - Apache Struts2 File Upload Denial of Service Vulnerability (CVE-2019-0233)
1010461* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)
1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
1010682 - SolarWinds Orion Platform 'SaveUserSetting' Privilege Escalation Vulnerability (CVE-2021-27258)
Web Server Oracle
1010851 - Identified Oracle Application Server 'OWA_UTIL PL/SQL' Package Access
Web Server SharePoint
1010836 - Identified Microsoft SharePoint GetGroupCollection Request (ATT&CK T1589, T1213.002, T1087)
1010835 - Identified Microsoft SharePoint GetGroupCollectionFromRole Request (ATT&CK T1589, T1213.002, T1087, T1069)
1010834 - Identified Microsoft SharePoint GetGroupCollectionFromSite Request (ATT&CK T1589, T1213.002, T1087, T1069)
1010833 - Identified Microsoft SharePoint GetGroupCollectionFromUser Request (ATT&CK T1589, T1213.002, T1087, T1069)
1010832 - Identified Microsoft SharePoint GetGroupCollectionFromWeb Request (ATT&CK T1589, T1213.002, T1087, T1069)
1010831 - Identified Microsoft SharePoint GetGroupInfo Request (ATT&CK T1589, T1213.002, T1087, T1069)
1010830 - Identified Microsoft SharePoint GetRoleCollection Request (ATT&CK T1589, T1213.002, T1087, T1069)
1010864 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-27076)
Zoho ManageEngine
1010811* - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-35765)
Integrity Monitoring Rules:
1010855* - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Web Server HTTPS
1010854 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
Integrity Monitoring Rules:
1010855 - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DNS Client
1010744* - DNS Request To Ngrok Domain Detected
Directory Server LDAP
1010820 - OpenLDAP Slapd SASL Proxy Authorization Denial Of Service Vulnerability (CVE-2020-36222)
1010799* - OpenLDAP Slapd Search Parsing Integer Underflow Vulnerability (CVE-2020-36228)
FTP Server IIS
1010797* - SolarWinds Serv-U FTP Server Stored Cross-Site Scripting Vulnerability Over FTP (CVE-2020-28001)
SAP NetWeaver Java Application Server
1010816 - Identified SAP Solution Manager Security Software Discovery Over HTTP (ATT&CK T1518.001)
1010822 - Identified SAP Solution Manager Tool Transfer Over HTTP (ATT&CK T1105, T1570)
SSL Client
1010410* - OpenSSL Large DH Parameter Denial Of Service Vulnerability (CVE-2018-0732)
SolarWinds Orion Platform
1010810 - SolarWinds Orion Platform Insecure Deserialization Vulnerability (CVE-2021-25274)
Trend Micro OfficeScan
1010780 - Trend Micro Apex One Multiple Information Disclosure Vulnerabilities
1010709* - Trend Micro Apex One Multiple Information Disclosure Vulnerabilities (CVE-2020-28573 and CVE-2020-28576)
Web Application Common
1010818 - WordPress 'Code Snippets' Plugin Cross-Site Request Forgery Vulnerability (CVE-2020-8417)
Web Client Common
1010760* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 1
1001933* - Identified Suspicious Usage Of Shellcode For Client
Web Server Common
1010796* - Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646)
1010802* - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2008-6178)
1010801 - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2009-2265)
1008581* - Identified Suspicious IP Addresses In XFF HTTP Header
1010761* - PRTG Network Monitor Command Injection Vulnerability (CVE-2018-9276)
1010804* - SolarWinds Serv-U FTP Server Stored Cross-Site Scripting Vulnerability Over HTTP (CVE-2020-28001)
Web Server HTTPS
1010850 - VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972)
1010712* - WordPress 'Contact Form 7' Plugin Arbitrary File Upload Vulnerability (CVE-2020-35489)
Zoho ManageEngine
1010811 - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-35765)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1003613* - DHCP Server - Microsoft Windows
1003447* - Web Server - Apache - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share
DNS Client
1010771* - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25683)
Database Microsoft SQL
1010643* - Microsoft SQL Database Server Possible Login Brute Force Attempt
Directory Server LDAP
1010799 - OpenLDAP Slapd Search Parsing Integer Underflow Vulnerability (CVE-2020-36228)
FTP Server IIS
1010797 - SolarWinds Serv-U FTP Server Stored Cross-Site Scripting Vulnerability Over FTP (CVE-2020-28001)
Hot Rod Client
1009119* - Red Hat JBoss Data Grid Hot Rod Client Insecure Deserialization (CVE-2017-15089)
Memcached
1008916* - Identified Memcached Reflected UDP Traffic
Web Application Common
1010488* - Identified WordPress Database Reset Attempt
1010562* - Mantis Bug Tracker 'verify.php' Remote Password Reset Vulnerability (CVE-2017-7615)
1009310* - Microsoft Exchange Server SSRF Vulnerability (CVE-2018-16793)
Web Application PHP Based
1008858* - Identified Access To 'wp-admin' Directory
Web Server Common
1010796 - Apache Druid Remote Code Execution Vulnerability (CVE-2021-25646)
1010802 - FCKeditor Plugin Arbitrary File Upload Vulnerability (CVE-2008-6178)
1007651* - Identified Absence Of Configured CDN/Reverse Proxy HTTP Header
1010761 - PRTG Network Monitor Command Injection Vulnerability (CVE-2018-9276)
1010804 - SolarWinds Serv-U FTP Server Stored Cross-Site Scripting Vulnerability Over HTTP (CVE-2020-28001)
Web Server HTTPS
1010795* - Joomla CMS Cross-Site Scripting Vulnerability (CVE-2021-23124)
1010772* - Microsoft Exchange Remote Code Execution Vulnerability (CVE-2020-17132)
Web Server Miscellaneous
1008747* - Adobe ColdFusion RMI Registry Insecure Deserialization (CVE-2017-11284)
1008840* - Apache CouchDB '_config' Command Execution Vulnerability
Web Server Oracle
1010752* - Oracle Coherence Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14756)
Web Server SharePoint
1010794* - Microsoft SharePoint Workflow Deserialization Of Untrusted Data Remote Code Execution Vulnerability (CVE-2021-24066)
Zoho ManageEngine
1010774 - Identified WebNMS Framework Server Sensitive File Access (ATT&CK T1552.001)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1009801* - Microsoft Windows NTLM Elevation Of Privilege Vulnerability (CVE-2019-1040)
1008179* - Restrict File Extensions For Rename Activity Over Network Share
DNS Client
1010771 - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25683)
1010784 - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25687)
1010766* - Identified Non Existing DNS Resource Record (RR) Types In DNS Traffic
Database Microsoft SQL
1008759* - Microsoft SQL Server 'EXECUTE AS' Privilege Escalation Vulnerability
Directory Server LDAP
1010754* - Microsoft Windows NTLM Elevation Of Privilege Vulnerability Over LDAP (CVE-2019-1040)
Microsoft Office
1010785 - Microsoft Excel XLS File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-24070)
1010786 - Microsoft Excel XLSX File Parsing Use-After-Free Remote Code Execution Vulnerability (CVE-2021-24067)
Suspicious Client Application Activity
1010741* - Identified HTTP Backdoor Python FreakOut A Runtime Detection
Suspicious Client Ransomware Activity
1010792 - Identified Cobalt Strike Default Self-signed SSL/TLS Certificate
Suspicious Server Application Activity
1008918* - Identified Memcached Amplified Reflected Response
Web Application Common
1005933* - Identified Directory Traversal Sequence In Uri Query Parameter
Web Application Ruby Based
1008574* - Ruby On Rails Development Web Console Code Execution Vulnerability (CVE-2015-3224)
Web Client Common
1010760* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 1
1010790 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 3
1010787 - Microsoft Windows Camera Codec Pack Image Processing Out-Of-Bounds Write Vulnerability (CVE-2021-24081)
1010788 - Microsoft Windows Camera Codec Pack Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2021-24091)
1004226* - Microsoft Windows Help Centre Malformed Escape Sequences Vulnerability
1006582* - Microsoft Windows Help Centre Malformed Escape Sequences Vulnerability (CVE-2010-1885)
1010789 - Microsoft Windows WAB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2021-24083)
Web Client SSL
1006296* - Detected SSLv3 Response (ATT&CK T1032)
1006298* - Identified CBC Based Cipher Suite In SSLv3 Request (ATT&CK T1032)
Web Server Apache
1010751 - Proxifier Proxy Client
Web Server Common
1010737* - CMS Made Simple 'Showtime2' Reflected Cross Site Scripting Vulnerability (CVE-2020-20138)
1010736* - Cisco Data Center Network Manager Authentication Bypass Vulnerability (CVE-2019-15977)
1010769 - Identified Kubernetes Namespace API Requests
1010477* - Java Unserialize Remote Code Execution Vulnerability - 1
Web Server HTTPS
1010795 - Joomla CMS Cross-Site Scripting Vulnerability (CVE-2021-23124)
1010772 - Microsoft Exchange Remote Code Execution Vulnerability (CVE-2020-17132)
Web Server Miscellaneous
1008610* - Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request
1004874* - TimThumb Plugin Remote Code Execution Vulnerability
Web Server SharePoint
1010764* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-24072)
1010794 - Microsoft SharePoint Workflow Deserialization Of Untrusted Data Remote Code Execution Vulnerability (CVE-2021-24066)
Windows Services RPC Server DCERPC
1008479* - Identified Usage Of WMI Execute Methods - Server
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1003631* - DNS Server - Microsoft Windows - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1009490* - Block Administrative Share - 1 (ATT&CK T1077,T1105)
1009703* - Identified Domain-Level Groups/Accounts Enumeration Over SMB (ATT&CK T1069, T1087, T1018)
1010317* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2020-1301)
1005448* - SMB Null Session Detected - 1
DCERPC Services - Client
1010106* - Identify Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1086)
DNS Client
1003328* - Disallow Intra-Site Automatic Tunnel Addressing Protocol
IBM WebSphere Application Server IIOP protocol
1010348* - IBM WebSphere Application Server IIOP Deserialization Vulnerabilities (CVE-2020-4449 and CVE-2020-4450)
Oracle E-Business Suite Web Interface
1010325* - Oracle E-Business Suite Advanced Outbound Telephony Calendar Cross Site Scripting Vulnerability (CVE-2020-2852)
1010360 - Oracle E-Business Suite Advanced Outbound Telephony Cross Site Scripting Vulnerability (CVE-2020-2871)
1010367 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2854)
1010383 - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2856)
SSL/TLS Server
1010312* - Identified Suspicious TLS Request (ATT&CK T1190)
1010316* - Identified Suspicious TLS Request - 1 (ATT&CK T1190)
Suspicious Client Application Activity
1010327* - Identified Potential Malicious Client Traffic (ATT&CK T1105)
1010307* - Identified Reverse Shell Communication Over HTTPS (ATT&CK T1071)
1010306* - Identified Reverse Shell Communication Over HTTPS - 1 (ATT&CK T1071)
1010364 - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071)
1010365 - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071)
1010370 - Identified Reverse Shell Communication Over HTTPS - 4 (ATT&CK T1071)
Suspicious Server Application Activity
1010328* - Identified Potential Malicious Server Traffic (ATT&CK T1105)
Web Application Common
1010377 - Centreon 'RRDdatabase_status_path' Command Injection Vulnerability (CVE-2020-13252)
1010372 - Opmantek Open-AudIT Cross Site Scripting Vulnerability (CVE-2020-12261)
1010354 - Pandora FMS Ping Authenticated Remote Code Execution Vulnerability
1010282* - Sonatype Nexus Repository Manager Java EL Injection Remote Code Execution Vulnerability (CVE-2020-10199)
1010334* - Telerik UI For ASP.NET AJAX Insecure Deserialization Vulnerability (CVE-2019-18935)
Web Application PHP Based
1010338* - PHP-Fusion Administration Banner Stored Cross-Site Scripting Vulnerability (CVE-2020-12438)
1010359 - WordPress 'bbPress' Plugin Unauthenticated Privilege Escalation Vulnerability (CVE-2020-13693)
1010341 - Wordpress Drag and Drop Multi File Uploader Remote Code Execution Vulnerability (CVE-2020-12800)
Web Application Ruby Based
1010384 - Lodash Node Module Modification Of Assumed-Immutable Data (MAID) Vulnerability (CVE-2018-3721)
Web Client Common
1010381 - Microsoft Windows Cabinet File Remote Code Execution Vulnerability (CVE-2020-1300)
1010380 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1425)
1010379 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1457)
Web Server Common
1010162* - Cisco Data Center Network Manager Directory Traversal Vulnerability (CVE-2019-15980)
1010336 - Disallow Upload Of Linux Executable File (ATT&CK T1105)
1010388 - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
1010323* - Gila CMS Image Upload Remote Code Execution Vulnerability (CVE-2020-5514)
1010283* - Microsoft .NET Framework Remote Code Execution Injection Vulnerability (CVE-2020-0646)
1010376 - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-11941)
1010322* - Oracle Business Intelligence AMF Deserialization Remote Code Execution Vulnerability (CVE-2020-2950)
1010351* - vBulletin Improper Access Control Vulnerability (CVE-2020-12720)
Windows Services RPC Server DCERPC
1009615* - Identified Initialization Of WMI - Server (ATT&CK T1047)
Integrity Monitoring Rules:
1010382 - CommandLine (ATT&CK T1059)
1002779* - Microsoft Windows - System File Modified
1009618* - PowerShell (ATT&CK T1086)
1010373 - Systemd Service (ATT&CK T1501)
1010389 - Unix - Process Monitor in /tmp and /var/tmp location
Log Inspection Rules:
1002828* - Application - Secure Shell Daemon (SSHD)
1002815* - Authentication Module - Unix Pluggable Authentication Module
1002831* - Unix - Syslog - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Apache JServ Protocol
1010361 - Apache Tomcat Local File Inclusion Vulnerability (CVE-2020-1938)
1010184* - Identified Apache JServ Protocol (AJP) Traffic
DCERPC Services
1001839* - Restrict Attempt To Enumerate Windows User Accounts (ATT&CK T1087)
MQTT Server
1010357 - Eclipse Mosquitto Improper Authentication Vulnerability (CVE-2017-7650)
Suspicious Server Application Activity
1009549* - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076,T1048,T1032,T1071)
Universal Plug And Play Service
1010358 - Identified CallStranger Vulnerability in UPNP Devices (CVE-2020-12695)
Unix SSH
1008313* - Identified Many SSH Client Key Exchange Requests (ATT&CK T1110)
Web Application Common
1010252 - Sonatype Nexus Repository Manager Stored Cross-Site Scripting Vulnerability (CVE-2020-10203)
Web Client Mozilla Firefox
1010355 - Mozilla Firefox Memory Corruption Vulnerability (CVE-2017-5400)
1010356 - Mozilla Firefox Sensitive Information Disclosure Vulnerability (CVE-2017-5407)
Web Server Common
1005728* - Parameter Value Length Restriction
1010362 - VMware Cloud Director Code Injection Vulnerability (CVE-2020-3956)
1010366 - vBulletin 'widgetConfig' Unauthenticated Remote Code Execution Vulnerability (CVE-2019-16759)
Windows Remote Management Client
1010073* - WinRM Service Detected & Powershell RCE Over HTTP - Client (ATT&CK T1028)
Windows Services RPC Client DCERPC
1008477* - Identified Usage Of WMI Execute Methods - Client (ATT&CK T1047)
Integrity Monitoring Rules:
1002859* - Local Security Authority (LSA) Authentication Packages modified (ATT&CK T1174)
1010353 - Local Security Authority (LSA) Notification Packages modified (ATT&CK T1131)
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update. - * indicates a new version of an existing rule
Deep Packet Inspection Rules:
Apache Zookeeper
1010756 - Apache Zookeeper Denial Of Service Vulnerability (CVE-2017-5637)
DCERPC Services
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share
DNS Client
1010766 - Identified Non Existing DNS Resource Record (RR) Types In DNS Traffic
Directory Server LDAP
1010754 - Microsoft Windows NTLM Elevation Of Privilege Vulnerability Over LDAP (CVE-2019-1040)
Memcached
1010745* - Memcached 'process_bin_sasl_auth' Integer Overflow Vulnerability (CVE-2016-8706)
Suspicious Client Application Activity
1010770 - Identified UDP Trojan SSHDoor C&C Traffic
Suspicious Client Ransomware Activity
1010767 - Identified HTTP Backdoor Kobalos C&C Traffic
Suspicious Server Ransomware Activity
1010749 - Radmin Server Remote Control Session Setup (ATT&CK T1219)
Web Application Common
1010750* - Zend Framework Deserialization Remote Code Execution Vulnerability (CVE-2021-3007)
Web Client Common
1010760 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 1
1010765 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 2
1010757 - Microsoft Windows Denial Of Service Vulnerability (CVE-2006-7210)
1010768 - Microsoft Windows Embedded NTFS '$i30' Attribute Vulnerability
1010758 - Microsoft Windows Group Convertor DLL Hijacking Vulnerability (CVE-2010-3139)
Web Server Apache
1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
Web Server Common
1010737 - CMS Made Simple 'Showtime2' Reflected Cross Site Scripting Vulnerability (CVE-2020-20138)
1010736 - Cisco Data Center Network Manager Authentication Bypass Vulnerability (CVE-2019-15977)
1010762 - Identified Kubernetes API Server LoadBalancer Status Patch Request
1007185* - Java Unserialize Remote Code Execution Vulnerability
1010725* - Pi-Hole Remote Command Execution Vulnerability (CVE-2020-8816)
Web Server HTTPS
1010712* - WordPress 'Contact Form 7' Plugin Arbitrary File Upload Vulnerability (CVE-2020-35489)
Web Server Oracle
1010752* - Oracle Coherence Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14756)
Web Server SharePoint
1010747 - Identified Microsoft SharePoint GetRolesAndPermissionsForSite Request (ATT&CK T1589.002, T1589.003, T1087)
1010746 - Identified Microsoft SharePoint GetUserInfo Request (ATT&CK T1589.002, T1589.003, T1087)
1010764 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-24072)
Integrity Monitoring Rules:
1009626* - Windows Accessibility Features - ImageFileExecution (ATT&CK T1015,T1183)
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.