Rule Update
19-046 (September 10, 2019)
Publish date: September 10, 2019
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
Asterisk RTP Protocol
1009953 - Digium Asterisk PJSIP In-Dialog MESSAGE Request Denial-of-Service (CVE-2019-12827)
DCERPC Services
1003292* - Block Conficker.B Worm Incoming Named Pipe Connection
DCERPC Services - Client
1003293* - Block Conficker.B Worm Outgoing Named Pipe Connection
DNS Client
1008203* - DNSMessenger Malware C&C Traffic Over DNS Protocol
HP Intelligent Management Center (IMC)
1009962 - HPE Intelligent Management Center 'IctTableExportToCSVBean' Expression Language Injection Vulnerability (CVE-2019-5370)
1009956 - HPE Intelligent Management Center 'PlatNavigationToBean' URL Expression Language Injection Vulnerability (CVE-2019-5387)
1009902 - HPE Intelligent Management Center 'perfSelectTask' Expression Language Injection Vulnerability (CVE-2019-5385)
1009947* - HPE Intelligent Management Center Multiple Expression Language Injection Vulnerabilities (CVE-2019-11941 and CVE-2019-11943)
HP Intelligent Management Center Dbman
1009959 - HPE Intelligent Management Center 'dbman' Opcode Denial Of Service Vulnerability (CVE-2018-7123)
MS-RDPEUDP2
1009940* - Microsoft Windows RDP Server Information Disclosure Vulnerability (CVE-2019-1224)
1009941* - Microsoft Windows RDP Server Information Disclosure Vulnerability (CVE-2019-1225)
Redis Server
1009949* - Redis Integer Overflow Vulnerability (CVE-2018-11219)
Remote Desktop Protocol Server
1009448* - Microsoft Windows Remote Desktop Protocol (RDP) Brute Force Attempt
SSL Client
1007384* - TLS1.2 Signature Hash Algorithm Downgrade Attack Used In SLOTH - Client
SSL/TLS Server
1007379* - TLS1.2 Signature Hash Algorithm Downgrade Attack Used In SLOTH - Server
Suspicious Server Application Activity
1008492* - Identified SambaShell C&C Traffic
1005910* - Identified ntpd 'monlist' Query Reflected Denial Of Service Attack
Web Application Common
1009594* - Apache httpd 'mod_md' Null Pointer Dereference Vulnerability (CVE-2018-8011)
1009946* - Atlassian JIRA Template Injection Remote Code Execution Vulnerability (CVE-2019-11581)
1006823* - Identified Suspicious Command Injection Attack - 1
1009966 - ImageMagick Out-Of-Bounds Access Vulnerability (CVE-2019-10714) - 1
1002684* - Mass Hack Script Insertion Attack
1002433* - Mass SQL Injection Script Insertion Attack
1002743* - Mass SQL Injection Script Insertion Attack 2
Web Client Common
1009972 - Adobe Flash Player Same Origin Bypass Vulnerability (CVE-2019-8069)
1009973 - Adobe Flash Player Use After Free Vulnerability (CVE-2019-8070)
1004315* - Identified Malicious PDF Document - 3
1004305* - Identified Suspicious Compiled HTML(chm) File
1009965 - ImageMagick Out-Of-Bounds Access Vulnerability (CVE-2019-10714)
1002144* - JavaScript IFRAME Redirect Script Insertion Vulnerability
1002048* - JavaScript Redirect Script Insertion Vulnerability
1003693* - Mass Compromise Using Malicious iFrame
1002519* - Storm Botnet Redirect Script Insertion Vulnerability
Web Server Adobe ColdFusion
1009893* - Adobe ColdFusion CFFILE Upload Action Unrestricted File Upload Vulnerability (CVE-2019-7816)
Web Server Apache
1009963 - Apache httpd 'mod_remoteip' Buffer Overflow Vulnerability (CVE-2019-10097)
Web Server Common
1009889* - Atlassian Crowd Remote Code Execution Vulnerability (CVE-2019-11580)
1007872* - HTTP Proxy Header Injection Vulnerabilities
1000193* - Null Byte Path Traversal Vulnerability
Web Server HTTPS
1009944* - Microsoft Windows HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9512)
Web Server SharePoint
1009971 - Microsoft SharePoint Multiple Remote Code Execution Vulnerabilities (Sep-2019)
Web Server Squid
1009943* - Squid Proxy HttpHeader 'getAuth' Heap Buffer Overflow Vulnerability (CVE-2019-12527)
Windows Services RPC Server DCERPC
1009604* - Identified Usage Of WMI Execute Methods - Server - 1 (ATT&CK T1047)
Zoho ManageEngine
1009950* - Zoho ManageEngine OpManager Authenticated Code Execution Vulnerability
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.