[Emerging-updates] [Emerging-Sigs] Out-of-Band Ruleset Update Summary 2020/07/05

Nathan nathan at packetmail.net
Sun Jul 5 08:05:11 HDT 2020


Got to be honest, I've always been impressed with the community-first
approach.  This rule could have been shuffled off in a paywalled
subscription-based ruleset but it went out open.

Looking at the rule, wowzers, and lulz...  No one should trust a
management interface let alone a management interface exposed to the
public Internet.

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt"; flow:established,to_server; http.uri; content:"/tmui/login.jsp/..|3b|/"; depth:20; metadata: former_category EXPLOIT; reference:cve,2020-5902; reference:url,support.f5.com/csp/article/K52145254; classtype:attempted-admin; sid:2030469; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Critical, created_at 2020_07_05, updated_at 2020_07_05;)

I can't remember if http.uri is normalized or not so I might try
something like:

content:"tmui"; http_raw_uri; content:"|2e2e3b|"; http_raw_uri; distance:0;

Thoughts?

On Sun, 5 Jul 2020 06:29:39 -0600
Jason Williams <jwilliams at emergingthreats.net> wrote:

> [***]            Summary:            [***]
> 
>   Out-of-band ruleset update for CVE-2020-5902 Exploit
> 
>   Please share issues, feedback, and requests at
> https://feedback.emergingthreats.net/feedback
> 
> [+++]          Added rules:          [+++]
> 
>  Open:
> 
>   2030469 - ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt
> (exploit.rules)
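As an added illustration, not code from this thread or from Emerging Threats, the script below runs the ET rule's 20-byte literal and Nathan's raw-URI byte pair over constructed request lines, once against the URI as sent and once against a simplified normalized form. The normalizer is an assumption standing in for whatever the inspection engine does to its normalized buffer, not libhtp's actual behaviour.

```python
SIG_LITERAL = b"/tmui/login.jsp/..;/"   # content:"/tmui/login.jsp/..|3b|/"; depth:20

# Constructed request lines (not captured traffic); the last one carries
# the '..;' path-parameter shape the signature is written for.
SAMPLE_REQUESTS = [
    "GET /tmui/login.jsp HTTP/1.1",
    "GET /tmui/login.jsp;jsessionid=abc123 HTTP/1.1",
    "GET /tmui/login.jsp/..;/some/other/page.jsp HTTP/1.1",
]

def raw_uri(request_line: str) -> bytes:
    """Request-target exactly as sent, i.e. what http_raw_uri inspects."""
    return request_line.split(" ", 2)[1].encode()

def normalize_uri(uri: bytes) -> bytes:
    """Simplified normalization (assumption, not the IDS's real logic): drop
    ';param' from each segment, then resolve '.' and '..'. Stripping the
    parameter first is exactly what turns '..;' into a plain '..'."""
    out = []
    for seg in uri.split(b"/"):
        seg = seg.split(b";", 1)[0]
        if seg == b"..":
            if len(out) > 1:      # never pop the root segment
                out.pop()
        elif seg != b".":
            out.append(seg)
    return b"/".join(out)

def et_rule_matches(uri: bytes) -> bool:
    """sid 2030469: a 20-byte content with depth:20 must sit at offset 0."""
    return uri[:20] == SIG_LITERAL

def raw_rule_matches(uri: bytes) -> bool:
    """Nathan's variant: 'tmui' in the raw URI, then |2e 2e 3b| at or after it."""
    i = uri.find(b"tmui")
    return i >= 0 and uri.find(b"..;", i + len(b"tmui")) >= 0

def evaluate(request_line: str) -> dict:
    raw = raw_uri(request_line)
    norm = normalize_uri(raw)
    return {"raw": raw, "normalized": norm,
            "et_on_raw": et_rule_matches(raw),
            "et_on_normalized": et_rule_matches(norm),
            "raw_buffer_rule": raw_rule_matches(raw)}

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(evaluate(line))
```

Under this normalizer the literal survives only in the raw buffer, which is the case for keeping the raw-URI check; neither benign line fires either rule.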


