[Emerging-updates] [Emerging-Sigs] Out-of-Band Ruleset Update Summary 2020/07/05

Jason Williams jwilliams at emergingthreats.net
Mon Jul 6 04:41:35 HDT 2020


It just means that the first 20 bytes of the http_uri buffer contain that content. That’s something we do regularly and I haven’t seen any PoC uri that has contained different so far. We will discuss this today, could probably open up the ports to include more than just external.

> On Jul 6, 2020, at 07:26, Nathan <nathan at packetmail.net> wrote:
> 
> I am kind of thinking this, because the depth:20 didn't make a lot of
> sense to me in an HTTP Request constrained to HTTP URI.  Thoughts?
> 
> alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT F5 TMUI RCE
> vulnerability CVE-2020-5902 Attempt"; flow:established,to_server;
> http.uri; content:"tmui"; http_raw_uri;
> content:"|2e2e3b|"; http_raw_uri; fast_pattern; distance:0; 
> metadata: former_category EXPLOIT; reference:cve,2020-5902;
> reference:url,support.f5.com/csp/article/K52145254;
> classtype:attempted-admin; sid:2030469; rev:4;
> metadata:affected_product Web_Server_Applications, attack_target
> Web_Server, deployment Perimeter, signature_severity Critical,
> created_at 2020_07_05, updated_at 2020_07_06;)
> 
>> On Mon, 6 Jul 2020 12:37:52 +0000
>> "Joel Esler (jesler)" <jesler at cisco.com> wrote:
>> 
>> This rule.. won’t work.
>> 
>>> On Jul 5, 2020, at 1:05 PM, Nathan via Emerging-sigs
>>> <emerging-sigs at lists.emergingthreats.net> wrote:
>>> 
>>> Got to be honest, I've always been impressed with the
>>> community-first approach.  This rule could have been shuffled off
>>> in a paywalled subscription-based ruleset but it went out open.
>>> 
>>> Looking at the rule, wowzers, and lulz...  No one should trust a
>>> management interface let alone a management interface exposed to the
>>> public Internet.
>>> 
>>> alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT F5 TMUI RCE
>>> vulnerability CVE-2020-5902 Attempt"; flow:established,to_server;
>>> http.uri; content:"/tmui/login.jsp/..|3b|/"; depth:20; metadata:
>>> former_category EXPLOIT; reference:cve,2020-5902;
>>> reference:url,support.f5.com/csp/article/K52145254;
>>> classtype:attempted-admin; sid:2030469; rev:3;
>>> metadata:affected_product Web_Server_Applications, attack_target
>>> Web_Server, deployment Perimeter, signature_severity Critical,
>>> created_at 2020_07_05, updated_at 2020_07_05;)
>>> 
>>> I can't remember if http.uri is normalized or not so I might
>>> try something like:
>>> 
>>> content:"tmui"; http_raw_uri; content:"|2e2e3b|"; http_raw_uri;
>>> distance:0;
>>> 
>>> Thoughts?
>>> 
>>> On Sun, 5 Jul 2020 06:29:39 -0600
>>> Jason Williams <jwilliams at emergingthreats.net> wrote:
>>> 
>>>> [***]            Summary:            [***]
>>>> 
>>>> Out-of-band ruleset update for CVE-2020-5902 Exploit
>>>> 
>>>> Please share issues, feedback, and requests at
>>>> https://feedback.emergingthreats.net/feedback
>>>> 
>>>> [+++]          Added rules:          [+++]
>>>> 
>>>> Open:
>>>> 
>>>> 2030469 - ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902
>>>> Attempt (exploit.rules)  
>>> 

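The depth:20 versus http_raw_uri question in the thread, modelled as an added Python example (not Suricata code and not part of any message above): rev 3 of sid 2030469 requires the literal content to end within the first 20 bytes of the normalized URI, while rev 4 looks for "tmui" followed by "..;" anywhere in the raw URI. The normalized_uri() step is a simplifying assumption (percent-decoding only) and the sample URIs are constructed.

```python
from urllib.parse import unquote

# rev 3 of sid 2030469: http.uri (normalized buffer), literal content, depth:20.
# The content is itself 20 bytes, so depth:20 accepts only an exact prefix.
REV3_CONTENT = "/tmui/login.jsp/..;/"
REV3_DEPTH = 20
# rev 4: http_raw_uri, "tmui" followed (distance:0) by "..;" (|2e2e3b|).
REV4_FIRST = b"tmui"
REV4_SECOND = bytes.fromhex("2e2e3b")  # b"..;"


def normalized_uri(raw: bytes) -> str:
    """Simplified stand-in (assumption) for the normalized URI buffer:
    only percent-decoding is applied here; libhtp does more."""
    return unquote(raw.decode("latin-1"))


def rev3_match(raw: bytes) -> bool:
    """content; depth:20 -> the match must end within the first 20 bytes."""
    uri = normalized_uri(raw)
    idx = uri.find(REV3_CONTENT)
    return idx != -1 and idx + len(REV3_CONTENT) <= REV3_DEPTH


def rev4_match(raw: bytes) -> bool:
    """content:"tmui"; content:"|2e2e3b|"; distance:0 -> the second match
    starts at or after the end of the first, anywhere in the raw URI."""
    first = raw.find(REV4_FIRST)
    if first == -1:
        return False
    return raw.find(REV4_SECOND, first + len(REV4_FIRST)) != -1


def evaluate(uris):
    """Return {uri: (rev3_fires, rev4_fires)} for each request URI."""
    return {u: (rev3_match(u), rev4_match(u)) for u in uris}


# Constructed sample URIs (not captured traffic).
SAMPLE_URIS = [
    b"/tmui/login.jsp/..;/x",        # pattern at offset 0: both revisions fire
    b"/proxy/tmui/login.jsp/..;/x",  # behind a path prefix: rev 3's depth:20 misses it
    b"/tmui/login.jsp",              # ordinary login page: neither fires
]

if __name__ == "__main__":
    for uri, (r3, r4) in evaluate(SAMPLE_URIS).items():
        print(f"{uri.decode():32s} rev3={r3!s:5} rev4={r4}")
```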
