F5 Distributed Cloud Security Details Changelog

f5_title

Attack Signatures Changelog

Summary:
This event is generated when an unclassified Application Attack is detected. This is a general detection signature (i.e. it is not specific to any web application).

--
Impact:
Successful exploitation may result in information disclosure or system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

--
Detailed Information:
This event is generated when an unclassified Application Attack is detected.  

--
Affected Systems:
All systems.

--
Attack Scenarios:
There are many possible.

--
Ease of Attack:
Simple to medium.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. 
Utilize "Positive Security Model" by accepting only known types of input in web application.

--
Additional References:



--


HTTP Headers Injection (Parameter)

Summary:
This event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
This event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.Cross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.

Affected Systems:
All systems that accept user input are potentially affected.

Attack Scenarios:
An attacker can supply a malicious link designed to steal information from a user clicking on that link.

Ease Of Attack:
Vary from simple to medium.

False Positives:
Some applications send various script code to the web server as legitimate input.Some free-text user input may match Cross Site Scripting signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://en.wikipedia.org/wiki/Cross_site_scripting
http://www.cgisecurity.com/articles/xss-faq.shtml



= alert; (Parameter)

= alert; (Header)

Summary:
This event is generated when an attempt is made to remotely execute an OS command. This is a general attack detection signature (i.e. it is not specific to any web application, but is dependent on the webserver Operating System).

Impact:
Serious. Execution of arbitrary commands may be possible.

Detailed Information:
Web application could be tricked to execute operating system command if user supplied input isn't properly checked. This event indicates that an attempt has been made to inject an operating system command from a remote machine via unvalidated input of web application.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/os_commanding.shtml



Cisco ISE ERS API Command Execution

Summary:
This event is generated when an attempt is made to inject LDAP statements to the vulnerable web application. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Serious. Successful exploitation will result in information gathering and system integrity compromise. Possible modification of LDAP tree.

Detailed Information:
This event indicates that an attempt has been made to inject LDAP statement. If user supplied input is not correctly sanitized the attacker could change LDAP statement construction.

Affected Systems:
All systems with LDAP connectivity are potentially affected.

Attack Scenarios:
An attacker can inject LDAP queries to the backend LDAP server for an application if user input is not correctly sanitized or checked before passing that input to the LDAP server.

Ease Of Attack:
Simple to medium.

False Positives:
Some free-text user input may match LDAP Injection signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.



Generic LDAP Authentication Bypass (1)

Generic LDAP Authentication Bypass (2)

Summary:
This event is generated when an attempt is made to execute a Path Traversal attack. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Information disclosure. This is a directory traversal attempt which canlead to information disclosure and possible exposure of sensitivesystem information.

Detailed Information:
Directory traversal attacks usually target web servers, web applications and ftp servers that do not correctly check the path to a file when requested bythe client. This can lead to the disclosure of sensitive system information which maybe used by an attacker to further compromise the system.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/path_traversal.shtml



Node.js Path Traversal (Parameter)

Node.js Path Traversal (Header)

Summary:
This event is generated when an attempt is made to obtain sensitive information or a leakage has been detected. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Information disclosure. The information may be sensitive itself (e.g. credit card numbers) or  may aid the attacker to mount a more dangerous attack (e.g. user or system passwords).

Detailed Information:
Sensitive information may be present within HTML comments, error messages, source code, or simply left in files which are accessible by remote clients.This can lead to the disclosure of sensitive system information which maybe used by an attacker to further compromise the system.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/information_leakage.shtml



Wing FTP Server Path Disclosure

Summary:
This event is generated when an attempt is made to access hidden web site content or functionality. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Information disclosure. This may aid the attacker to mount a more dangerous attack.

Detailed Information:
By making educated guesses, the attacker could discover hidden web site content and functionality, such as configuration, temporary, backup or sample files.This can lead to the disclosure of sensitive system information which maybe used by an attacker to further compromise the system.

Affected Systems:
All systems.

Attack Scenarios:
An attacker can search the web site for known sample files or files with .tmp, .bak and other extensions or attempt to access administrative pages or directories.

Ease Of Attack:
Simple.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Restrict access to sensitive files and nonpublic web server functionality. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml



DOMPDF Information Disclosure

Summary:
This event is generated when an attempt is made to trigger Buffer Overflow. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Vary from information gathering to web server compromise.

Detailed Information:
Buffer Overflow could be triggered when data written to memory exceeds the allocated size of the buffer for that data.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/buffer_overflow.shtml



SonicWall Stack-Based Buffer Overflow

SonicWall Heap-Based Buffer Overflow

Summary:
This event is generated when an attempt is made to bypass an Authentication or Authorization restrictions. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Vary from information gathering to web server compromise.

Detailed Information:
Authentication/Authorization Attacks occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate or authorize for that resource.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/insufficient_authentication.shtml
http://www.webappsec.org/projects/threat/classes/insufficient_authorization.shtml



Eventin WordPress Plugin Privilege Escalation

RevPi Webstatus Authentication Bypass

Summary:
This event is generated when an unclassified Application Attack is detected. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation may result in information disclosure or system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
This event is generated when an unclassified Application Attack is detected.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.



form_data.Js HTTP Parameter Pollution

Summary:
This event is triggered when an attempt is made to upload a malicious file.

Impact:
Vary from information gathering to web server compromise.

Detailed Information:
This event is triggered when an attempt is made to upload a malicious file.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.



WordPress HT Contact Form Arbitrary File Upload

Summary:
This event is generated when an attempt is made to exploit an SQL-Injection vulnerability. This is a general attack detection signature (i.e. it is not specific to any database or web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
SQL-Injection occurs when a web application doesn't sanitize user-supplied input and places it directly into the SQL statement. This event indicates that an attempt has been made by the client to inject SQL code into the application.

Affected Systems:
All systems with database connectivity are potentially affected.

Attack Scenarios:
An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.

Ease Of Attack:
Vary from simple to medium.

False Positives:
Some applications send SQL statements to the web server as legitimate input. Some free-text user input may match SQL-Injection signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/sql_injection.shtml



Ektron CMS400.NET SQLi

JEHC-BPM RCE

CentOS Web Panel Remote Code Execution

Ray Framework RCE

Unix/Linux "readlink" execution attempt (Parameter)

Unix/Linux "readlink" execution attempt (Header)

Unix/Linux "readlink" execution attempt (URI)

Summary:
This event is generated when an attempt is made to inject Server-side Include code. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Serious. Execution of arbitrary commands may be possible.

Detailed Information:
This event indicates that an attempt has been made to inject Server-side Include (SSI) code. SSI Injection allows to attacker to send server side code that could be executed locally by the web server.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/ssi_injection.shtml



SugarCRM LESS Code Injection

Summary:
This event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).

--
Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

--
Detailed Information:
This event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.
Cross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.

--
Affected Systems:
All systems that accept user input are potentially affected.

--
Attack Scenarios:
An attacker can supply a malicious link designed to steal information from a user clicking on that link.

--
Ease of Attack:
Vary from simple to medium.

--
False Positives:
Some applications send various script code to the web server as legitimate input.
Some free-text user input may match Cross Site Scripting signatures.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
Utilize "Positive Security Model" by accepting only known types of input in web application.

--
Additional References:

The Cross Site Scripting (XSS) FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml

Cross-site scripting
http://en.wikipedia.org/wiki/Cross_site_scripting

--


Attack Signatures Changelogs

Objective