[Emerging-updates] [Emerging-Sigs] Out-of-Band Ruleset Update Summary 2020/07/05

Nathan nathan at packetmail.net
Mon Jul 6 04:27:01 HDT 2020


I am kind of thinking this, because the depth:20 didn't make a lot of
sense to me in an HTTP Request constrained to HTTP URI.  Thoughts?

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT F5 TMUI RCE
vulnerability CVE-2020-5902 Attempt"; flow:established,to_server;
http.uri; content:"tmui"; http_raw_uri;
content:"|2e2e3b|"; http_raw_uri; fast_pattern; distance:0; 
metadata: former_category EXPLOIT; reference:cve,2020-5902;
reference:url,support.f5.com/csp/article/K52145254;
classtype:attempted-admin; sid:2030469; rev:4;
metadata:affected_product Web_Server_Applications, attack_target
Web_Server, deployment Perimeter, signature_severity Critical,
created_at 2020_07_05, updated_at 2020_07_06;)



On Mon, 6 Jul 2020 12:37:52 +0000
"Joel Esler (jesler)" <jesler at cisco.com> wrote:

> This rule.. won’t work.
> 
> > On Jul 5, 2020, at 1:05 PM, Nathan via Emerging-sigs
> > <emerging-sigs at lists.emergingthreats.net> wrote:
> > 
> > Got to be honest, I've always been impressed with the
> > community-first approach.  This rule could have been shuffled off
> > in a paywalled subscription-based ruleset but it went out open.
> > 
> > Looking at the rule, wowzers, and lulz...  No one should trust a
> > management interface let alone a management interface exposed to the
> > public Internet.
> > 
> > alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT F5 TMUI RCE
> > vulnerability CVE-2020-5902 Attempt"; flow:established,to_server;
> > http.uri; content:"/tmui/login.jsp/..|3b|/"; depth:20; metadata:
> > former_category EXPLOIT; reference:cve,2020-5902;
> > reference:url,support.f5.com/csp/article/K52145254;
> > classtype:attempted-admin; sid:2030469; rev:3;
> > metadata:affected_product Web_Server_Applications, attack_target
> > Web_Server, deployment Perimeter, signature_severity Critical,
> > created_at 2020_07_05, updated_at 2020_07_05;)
> > 
> > I can't remember if http.uri is normalized or not so I might
> > try something like:
> > 
> > content:"tmui"; http_raw_uri; content:"|2e2e3b|"; http_raw_uri;
> > distance:0;
> > 
> > Thoughts?
> > 
> > On Sun, 5 Jul 2020 06:29:39 -0600
> > Jason Williams <jwilliams at emergingthreats.net> wrote:
> >   
> >> [***]            Summary:            [***]
> >> 
> >>  Out-of-band ruleset update for CVE-2020-5902 Exploit
> >> 
> >>  Please share issues, feedback, and requests at
> >> https://feedback.emergingthreats.net/feedback
> >> 
> >> [+++]          Added rules:          [+++]
> >> 
> >> Open:
> >> 
> >>  2030469 - ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902
> >> Attempt (exploit.rules)  
> > 
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at lists.emergingthreats.net
> > https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> > 
> > Support Emerging Threats! Subscribe to Emerging Threats Pro
> > http://www.emergingthreats.net 
> 
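To make the depth:20 versus distance:0 discussion in the thread concrete, here is an added example (not ET rule code and not part of the original messages) that models the two content-matching variants in Python and runs them over a few constructed request URIs. It assumes the usual Suricata semantics: http.uri is the libhtp-normalized URI (modelled here as percent-decoding only, a simplification), http_raw_uri is the URI bytes as they appeared on the wire, depth:N confines a content match to the first N bytes of the buffer, and distance:0 requires the second content to start at or after the end of the first match. The URIs and the /tmui/example.jsp tail are constructed for illustration.

```python
"""Toy model of rev:3 (depth:20 on http.uri) vs rev:4 (distance:0 on http_raw_uri).

Added example for the mailing-list thread above; not Emerging Threats code.
Simplifications (assumptions): libhtp normalization is modelled as percent-decoding
only, and Suricata's multi-content matching is modelled with the earliest
occurrence of the first content, which is the most permissive window for distance:0.
"""
from urllib.parse import unquote_to_bytes

# content:"/tmui/login.jsp/..|3b|/" from the rev:3 rule; |3b| is ';'.
NEEDLE_REV3 = b"/tmui/login.jsp/..;/"


def normalize_uri(raw: bytes) -> bytes:
    """Stand-in for the http.uri buffer: percent-decoded URI (simplified libhtp)."""
    return unquote_to_bytes(raw)


def match_rev3(raw_uri: bytes) -> bool:
    """http.uri; content:"/tmui/login.jsp/..|3b|/"; depth:20

    depth:20 means the whole 20-byte pattern must fit inside the first 20 bytes of
    the normalized URI, so this is effectively a "URI starts with" check.
    """
    window = normalize_uri(raw_uri)[:20]
    return NEEDLE_REV3 in window


def match_rev4(raw_uri: bytes) -> bool:
    """content:"tmui"; http_raw_uri; content:"|2e2e3b|"; http_raw_uri; distance:0

    Both contents are matched against the raw (un-decoded) URI; "..;" must begin at
    or after the end of the "tmui" match.
    """
    first = raw_uri.find(b"tmui")
    if first < 0:
        return False
    return raw_uri.find(b"..;", first + len(b"tmui")) >= 0


def evaluate(uris):
    """Return {uri: (rev3_matched, rev4_matched)} for a list of raw URIs."""
    return {u: (match_rev3(u), match_rev4(u)) for u in uris}


# Constructed sample URIs (not captured traffic); the .jsp tail is a placeholder.
SAMPLES = [
    b"/tmui/login.jsp/..;/tmui/example.jsp",          # pattern at offset 0
    b"/tmui/login.jsp/%2e%2e%3b/tmui/example.jsp",    # percent-encoded "..;"
    b"/prefix/tmui/login.jsp/..;/tmui/example.jsp",   # pattern not at offset 0
    b"/tmui/login.jsp",                               # ordinary login request
]

if __name__ == "__main__":
    for uri, (r3, r4) in evaluate(SAMPLES).items():
        print(f"{uri.decode():48s} rev3(depth:20)={r3!s:5s} rev4(raw,distance:0)={r4}")
```

The run shows the trade-off behind the question in the thread: the depth:20 form only fires when the traversal sits at the very start of the normalized URI but does catch a percent-encoded `..;` because http.uri is decoded, whereas the http_raw_uri/distance:0 form fires wherever `tmui` is followed by `..;` but, being matched against raw bytes, does not see `%2e%2e%3b`. Whichever buffer is chosen, the rev:3 depth equals the pattern length, so it is really an anchor-at-zero constraint.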