[Emerging-updates] [Emerging-Sigs] Out-of-Band Ruleset Update Summary 2020/07/05

Joel Esler (jesler) jesler at cisco.com
Mon Jul 6 03:37:52 HDT 2020


This rule.. won’t work.

> On Jul 5, 2020, at 1:05 PM, Nathan via Emerging-sigs <emerging-sigs at lists.emergingthreats.net> wrote:
> 
> Got to be honest, I've always been impressed with the community-first
> approach.  This rule could have been shuffled off in a paywalled
> subscription-based ruleset but it went out open.
> 
> Looking at the rule, wowzers, and lulz...  No one should trust a
> management interface let alone a management interface exposed to the
> public Internet.
> 
> alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT F5 TMUI RCE
> vulnerability CVE-2020-5902 Attempt"; flow:established,to_server;
> http.uri; content:"/tmui/login.jsp/..|3b|/"; depth:20; metadata:
> former_category EXPLOIT; reference:cve,2020-5902;
> reference:url,support.f5.com/csp/article/K52145254;
> classtype:attempted-admin; sid:2030469; rev:3;
> metadata:affected_product Web_Server_Applications, attack_target
> Web_Server, deployment Perimeter, signature_severity Critical,
> created_at 2020_07_05, updated_at 2020_07_05;)
> 
> I can't remember if http.uri is normalized or not so I might would try
> something like:
> 
> content:"tmui"; http_raw_uri; content:"|2e2e3b|"; http_raw_uri;
> distance:0;
> 
> Thoughts?
> 
> On Sun, 5 Jul 2020 06:29:39 -0600
> Jason Williams <jwilliams at emergingthreats.net> wrote:
> 
>> [***]            Summary:            [***]
>> 
>>  Out-of-band ruleset update for CVE-2020-5902 Exploit
>> 
>>  Please share issues, feedback, and requests at
>> https://feedback.emergingthreats.net/feedback
>> 
>> [+++]          Added rules:          [+++]
>> 
>> Open:
>> 
>>  2030469 - ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt
>> (exploit.rules)
> 
> 
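Added example, not part of the original thread or of the Emerging Threats ruleset: a simplified Python model of Suricata `content` matching with `|hex|` notation, `depth` and `distance`, applied to the two patterns quoted above. It evaluates whatever bytes the buffer holds and does not model URI normalization; the sample URIs and the names `decode_content`, `match_chain` and `evaluate` are constructed for illustration.

```python
def decode_content(pattern: str) -> bytes:
    """Convert Suricata content notation ("abc|3b|def") to raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between pipes and hold hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def match_chain(buf: bytes, contents) -> bool:
    """Simplified model: contents is a list of (pattern, depth, distance).
    depth    -> the match must lie entirely within the first `depth` bytes.
    distance -> the match must start >= `distance` bytes after the previous match."""
    cursor = 0
    for pattern, depth, distance in contents:
        needle = decode_content(pattern)
        start = cursor + distance if distance is not None else 0
        end = depth if depth is not None else len(buf)
        pos = buf.find(needle, start, end)
        if pos < 0:
            return False
        cursor = pos + len(needle)
    return True

# Content keywords copied from the thread: the published rule and the list suggestion.
PUBLISHED = [("/tmui/login.jsp/..|3b|/", 20, None)]
SUGGESTED = [("tmui", None, None), ("|2e2e3b|", None, 0)]

def evaluate(uri: bytes):
    """Return (published_rule_matches, suggested_pattern_matches)."""
    return match_chain(uri, PUBLISHED), match_chain(uri, SUGGESTED)

# Constructed sample buffers, not captured traffic.
SAMPLES = [
    b"/tmui/login.jsp/..;/example.jsp",         # sequence at offset 0
    b"/tmui/login.jsp",                         # plain login page request
    b"/prefix/tmui/login.jsp/..;/example.jsp",  # same sequence past depth:20
    b"/docs/tmui-notes/a..;b",                  # unrelated path, broad pattern still hits
    b"/a..;b/tmui",                             # "..;" before "tmui": distance:0 fails
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri.decode(), evaluate(uri))
```

The published pattern decodes to exactly 20 bytes, so `depth:20` pins it to the very start of the buffer, while the two-content suggestion matches anywhere and trades that anchoring for a wider false-positive surface.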
