Rule Update
21-003 (January 19, 2021)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
CA ARCserve D2D Administration Interface
1010699 - Arcserve D2D External Entity Injection Vulnerability (CVE-2020-27858)
DNS Server
1010633* - Identified DNS Trojan.Linux.Anchor.A Traffic
1010632* - Identified DNS Trojan.Win64.Anchor.A Traffic
Directory Server LDAP
1010301* - Samba LDAP Server Denial Of Service Vulnerability (CVE-2020-10704)
Suspicious Client Ransomware Activity
1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
1010617* - Identified TLS Cobalt Strike Beacon (Certificate)
Suspicious Server Ransomware Activity
1010638* - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
Trend Micro OfficeScan
1010708* - Trend Micro OfficeScan Multiple Information Disclosure Vulnerabilities (CVE-2020-28582 and CVE-2020-28583)
Web Application Common
1000552* - Generic Cross Site Scripting(XSS) Prevention
1010727 - Mongo-Express Remote Code Execution Vulnerability (CVE-2019-10758)
Web Application Tomcat
1010688* - Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12617)
Web Client Common
1009779* - Microsoft Windows Multiple Security Vulnerabilities (June-2019)
1010716 - XStream Library Insecure Deserialization Vulnerability (CVE-2020-26217)
Web Server Apache
1010400* - Apache Httpd Mod Rewrite Open Redirects Vulnerability (CVE-2019-10098)
1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
Web Server Common
1010734 - Identified BumbleBee Webshell Traffic Over HTTP
1010477* - Java Unserialize Remote Code Execution Vulnerability - 1
Web Server HTTPS
1010718 - Joomla CMS 'mod_random_image' Stored Cross-Site Scripting Vulnerability (CVE-2020-15696)
1009968* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9513)
1009998* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9511)
1009944* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9512)
1010712 - WordPress 'Contact Form 7' Plugin Arbitrary File Upload Vulnerability (CVE-2020-35489)
Web Server Miscellaneous
1010662* - Atlassian Jira Information Disclosure Vulnerability (CVE-2020-14181)
1010679 - SolarWinds Network Performance Monitor 'ExportToPDF' Information Disclosure Vulnerability (CVE-2020-27870)
1010678 - SolarWinds Network Performance Monitor 'VulnerabilitySettings' Directory Traversal Vulnerability (CVE-2020-27871)
1010677 - SolarWinds Network Performance Monitor 'WriteToFile' SQL Injection Vulnerability (CVE-2020-27869)
1010717* - SolarWinds Orion Platform Authentication Bypass Vulnerability (CVE-2020-10148)
Web Server Nagios
1010696* - Nagios XI SNMP Trap SQL Injection Vulnerability
Web Server RealVNC
1010726 - LibVNCServer Denial Of Service Vulnerability (CVE-2020-25708)
Web Server SharePoint
1010702* - Microsoft SharePoint Authenticated Remote Code Execution Vulnerability (CVE-2021-1707)
1010707* - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-0971)
Webmin
1010704* - Webmin Arbitrary Remote Command Execution Vulnerability (CVE-2020-35606)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.
Deep Packet Inspection Rules:
CA ARCserve D2D Administration Interface
1010699 - Arcserve D2D External Entity Injection Vulnerability (CVE-2020-27858)
DNS Server
1010633* - Identified DNS Trojan.Linux.Anchor.A Traffic
1010632* - Identified DNS Trojan.Win64.Anchor.A Traffic
Directory Server LDAP
1010301* - Samba LDAP Server Denial Of Service Vulnerability (CVE-2020-10704)
Suspicious Client Ransomware Activity
1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
1010617* - Identified TLS Cobalt Strike Beacon (Certificate)
Suspicious Server Ransomware Activity
1010638* - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
Trend Micro OfficeScan
1010708* - Trend Micro OfficeScan Multiple Information Disclosure Vulnerabilities (CVE-2020-28582 and CVE-2020-28583)
Web Application Common
1000552* - Generic Cross Site Scripting(XSS) Prevention
1010727 - Mongo-Express Remote Code Execution Vulnerability (CVE-2019-10758)
Web Application Tomcat
1010688* - Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12617)
Web Client Common
1009779* - Microsoft Windows Multiple Security Vulnerabilities (June-2019)
1010716 - XStream Library Insecure Deserialization Vulnerability (CVE-2020-26217)
Web Server Apache
1010400* - Apache Httpd Mod Rewrite Open Redirects Vulnerability (CVE-2019-10098)
1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
Web Server Common
1010734 - Identified BumbleBee Webshell Traffic Over HTTP
1010477* - Java Unserialize Remote Code Execution Vulnerability - 1
Web Server HTTPS
1010718 - Joomla CMS 'mod_random_image' Stored Cross-Site Scripting Vulnerability (CVE-2020-15696)
1009968* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9513)
1009998* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9511)
1009944* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9512)
1010712 - WordPress 'Contact Form 7' Plugin Arbitrary File Upload Vulnerability (CVE-2020-35489)
Web Server Miscellaneous
1010662* - Atlassian Jira Information Disclosure Vulnerability (CVE-2020-14181)
1010679 - SolarWinds Network Performance Monitor 'ExportToPDF' Information Disclosure Vulnerability (CVE-2020-27870)
1010678 - SolarWinds Network Performance Monitor 'VulnerabilitySettings' Directory Traversal Vulnerability (CVE-2020-27871)
1010677 - SolarWinds Network Performance Monitor 'WriteToFile' SQL Injection Vulnerability (CVE-2020-27869)
1010717* - SolarWinds Orion Platform Authentication Bypass Vulnerability (CVE-2020-10148)
Web Server Nagios
1010696* - Nagios XI SNMP Trap SQL Injection Vulnerability
Web Server RealVNC
1010726 - LibVNCServer Denial Of Service Vulnerability (CVE-2020-25708)
Web Server SharePoint
1010702* - Microsoft SharePoint Authenticated Remote Code Execution Vulnerability (CVE-2021-1707)
1010707* - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-0971)
Webmin
1010704* - Webmin Arbitrary Remote Command Execution Vulnerability (CVE-2020-35606)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.
Featured Stories
Unveiling AI Agent Vulnerabilities Part V: Securing LLM ServicesTo conclude our series on agentic AI, this article examines emerging vulnerabilities that threaten AI agents, focusing on providing proactive security recommendations on areas such as code execution, data exfiltration, and database access.Read more
Unveiling AI Agent Vulnerabilities Part IV: Database Access VulnerabilitiesHow can attackers exploit weaknesses in database-enabled AI agents? This research explores how SQL generation vulnerabilities, stored prompt injection, and vector store poisoning can be weaponized by attackers for fraudulent activities.Read more
The Mirage of AI Programming: Hallucinations and Code IntegrityThe adoption of large language models (LLMs) and Generative Pre-trained Transformers (GPTs), such as ChatGPT, by leading firms like Microsoft, Nuance, Mix and Google CCAI Insights, drives the industry towards a series of transformative changes. As the use of these new technologies becomes prevalent, it is important to understand their key behavior, advantages, and the risks they present.Read more
Open RAN: Attack of the xAppsThis article discusses two O-RAN vulnerabilities that attackers can exploit. One vulnerability stems from insufficient access control, and the other arises from faulty message handlingRead more