CVE-2024-2011
Published: 2024-06-11
Priority: P348 · critical 9.8 · CVSS 3.1 · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.47% (37.1th percentile)
A heap-based buffer overflow vulnerability exists in the FOXMAN-UN/UNEM that if exploited will generally lead to a denial of service but can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hitachi_energy | foxman-un | — | — |
| hitachi_energy | foxman-un | — | — |
| hitachi_energy | foxman-un | — | — |
| hitachi_energy | foxman-un | — | — |
| hitachi_energy | unem | — | — |
| hitachi_energy | unem | — | — |
| hitachi_energy | unem | — | — |
| hitachi_energy | unem | — | — |
| hitachienergy | foxman-un | — | — |
| hitachienergy | foxman-un | — | — |
| hitachienergy | foxman-un | — | — |
| hitachienergy | foxman-un | — | — |
| hitachienergy | unem | — | — |
| hitachienergy | unem | — | — |
| hitachienergy | unem | — | — |
| hitachienergy | unem | — | — |
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vendor_redhat: 5.5 MEDIUM
CISA ICS
Hitachi Energy UNEM
cisa_ics · 2025-01-30 · CVSS 8.6 · [HIGH]
ICS Advisory
Release Date: January 30, 2025
Alert Code: ICSA-25-030-01
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: UNEM
- Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Argument Injection, Heap-based Buffer Overflow, Improper Certificate Validation, Use of Hard-coded Password, Improper Restriction of Excessive Authentication Attempts, Cleartext Storage of Sensitive Information, Incorrect User Management
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial of service,
CISA ICS
Hitachi Energy FOXMAN-UN
cisa_ics · 2025-01-14 · CVSS 8.6 · [HIGH]
ICS Advisory
Release Date: January 14, 2025
Alert Code: ICSA-25-014-01
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: FOXMAN-UN
- Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'), Heap-based Buffer Overflow, Incorrect User Management, Improper Certificate Validation, Improper Restriction of Excessive Authentication Attempts, Use of Hard-coded Password, Cleartext Storage of Sensitive Information
## 2. RISK EVALUATION
Successful exploitation of t
Red Hat
kernel: mptcp: init: protect sched with rcu_read_lock
vendor_redhat · 2024-11-19 · CVSS 5.5 · CVE-2024-53047 [MEDIUM] CWE-667
In the Linux kernel, the following vulnerability has been resolved:
mptcp: init: protect sched with rcu_read_lock
Enabling CONFIG_PROVE_RCU_LIST with its dependence CONFIG_RCU_EXPERT
creates this splat when an MPTCP socket is created:
```text
WARNING: suspicious RCU usage
6.12.0-rc2+ #11 Not tainted
net/mptcp/sched.c:44 RCU-list traversed in non-reader section!!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
no locks held by mptcp_connect/176.

stack backtrace:
CPU: 0 UID: 0 PID: 176 Comm: mptcp_connect Not tainted 6.12.0-rc2+ #11
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Call Trace:
 dump_stack_lvl (lib/dump_stack.c:123)
 lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)
 mptcp_sched_find (net/mp
```
Red Hat
kernel: USB: serial: mos7840: fix crash on resume
vendor_redhat · 2024-08-07 · CVSS 5.5 · CVE-2024-42244 [MEDIUM] CWE-99
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: mos7840: fix crash on resume
Since commit c49cfa917025 ("USB: serial: use generic method if no
alternative is provided in usb serial layer"), USB serial core calls the
generic resume implementation when the driver has not provided one.
This can trigger a crash on resume with mos7840 since support for
multiple read URBs was added back in 2011. Specifically, both port read
URBs are now submitted on resume for open ports, but the context pointer
of the second URB is left set to the core rather than mos7840 port
structure.
Fix this by implementing dedicated suspend and resume functions for
mos7840.
Tested with Delock 87414 USB 2.0 to 4x serial adapter.
[ johan: an
Cisco
Default Credentials Vulnerability in Cisco Network Registrar
vendor_cisco · CVE-2011-2024
Cisco Network Registrar Software Releases prior to 7.2 contain a default password for the administrative account. During the initial installation, users are not forced to change this password, allowing it to persist after the installation. An attacker who is aware of this vulnerability could authenticate with administrative privileges and arbitrarily change the configuration of Cisco Network Registrar. The upgrade to Software Release 7.2 is not free; however, a workaround is provided in this document that will prevent exploitation of the vulnerability. When performing an upgrade to Software Release 7.2, you must use the workaround to change the password of the administrative account. You will be prompted to enter a
GHSA
GHSA-xpj4-jm23-59w7
ghsa_unreviewed · 2024-06-11 · CVE-2024-2011 [HIGH] CWE-122
A heap-based buffer overflow vulnerability exists in the FOXMAN-UN/UNEM that if exploited will generally lead to a denial of service but can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy.
Suricata
ET MALWARE Dooptroop CnC Beacon
suricata · 2012-01-10 · CVE-2011-3544
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dooptroop CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?num="; fast_pattern; content:"&rev="; distance:0; pcre:"/^\/[a-z]+\.php\?num=\d+&rev=/"; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:command-and-control; sid:2014112; rev:7; metadata:attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, signature_severity Major, tag c2, updated_at 2024_04_20, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
Suricata
ET WEB_SERVER ASP.NET Forms Authentication Bypass
suricata · 2012-01-03 · CVE-2011-3416
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ASP.NET Forms Authentication Bypass"; flow:established,to_server; http.uri; content:"/CreatingUserAccounts.aspx"; fast_pattern; http.request_body; content:"CreateUserStepContainer"; content:"UserName="; distance:0; content:"%00"; distance:0; pcre:"/UserName\x3d[^\x26]+\x2500/"; reference:cve,2011-3416; classtype:attempted-user; sid:2014100; rev:7; metadata:created_at 2012_01_03, cve CVE_2011_3416, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Pub
Suricata
ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt
suricata · 2011-12-10 · CVE-2010-0738
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; content:"Runtime.getRuntime().exec("; reference:cve,2010-0738; classtype:web-application-activity; sid:2014018; rev:4; metadata:created_at 2011_12_10, cve CVE_2010_0738, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_06;)
Suricata
ET WEB_SERVER JBoss jmx-console Probe
suricata · 2011-12-10 · CVE-2010-0738
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Probe"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; reference:cve,2010-0738; classtype:web-application-activity; sid:2014017; rev:4; metadata:created_at 2011_12_10, cve CVE_2010_0738, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_06;)
Suricata
ET MALWARE Backdoor.Win32.Sykipot Checkin
suricata · 2011-12-09 · CVE-2011-2462
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Checkin"; flow:established,to_server; http.uri; content:"allow_get.asp?name="; fast_pattern; content:"&hostname="; distance:0; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:cve,2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:command-and-control; sid:2014006; rev:6; metadata:created_at 2011_12_09, cve CVE_2011_2462, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_27;)
Suricata
ET MALWARE Backdoor.Win32.Sykipot Put
suricata · 2011-12-09 · CVE-2011-2462
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Put"; flow:established,to_server; http.uri; content:"/kys_allow_put.asp?type="; content:"&hostname="; reference:cve,2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014007; rev:4; metadata:created_at 2011_12_09, cve CVE_2011_2462, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_06;)
Suricata
ET WEB_CLIENT PDF With Embedded U3D
suricata · 2011-12-08 · CVE-2018-4989
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; file.data; content:"obj"; content:"<<"; within:4; content:"/U3D"; fast_pattern; within:64; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; reference:cve,2018-4989; reference:cve,2018-4987; classtype:bad-unknown; sid:2013995; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_12_08, cve CVE_2018_4989, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_08;)
Suricata
ET SCADA Rockwell RNA Message Large Header Length - 8Kb
suricata · 2011-09-30
Rule: alert tcp any !443 -> $HOME_NET [1330,1331,1332,4241,4242,4445,4446,5241,6543,9111,60093,49281] (msg:"ET SCADA Rockwell RNA Message Large Header Length - 8Kb"; flow:established,to_server; content:"rna|f2|"; startswith; fast_pattern; byte_test:4,>,0x2000,0,relative,little; classtype:attempted-dos; sid:2049795; rev:5; metadata:attack_target ICS, created_at 2011_09_30, cve CVE_2011_3489, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_12_27, reviewed_at 2024_03_06, former_sid 2803783; target:dest_ip;)
Suricata
ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt
suricata · 2011-07-15 · CVE-2010-3654
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; file.data; content:"|07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|"; reference:bid,44504; reference:cve,2010-3654; classtype:attempted-user; sid:2013282; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_15, cve CVE_2010_3654, deployment Perimeter, confidence High, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Pu
Suricata
ET WEB_CLIENT Adobe Authplay.dll NewClass Memory Corruption Attempt
suricata · 2011-07-15 · CVE-2010-1297
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Authplay.dll NewClass Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; file.data; content:"|D2 60 38 40 BA 03 14 0E|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:bid,40586; reference:cve,2010-1297; classtype:attempted-user; sid:2013281; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_15, cve CVE_2010_1297, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09;)
Suricata
ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt
suricata · 2011-07-01 · CVE-2009-3459
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; file.data; content:"Colors 1073741838"; fast_pattern; pcre:"/]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, cve CVE_2009_3459, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09;)
Suricata
ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt
suricata · 2011-07-01 · CVE-2008-2992
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt"; flow:established,to_client; file.data; content:"util.printf|28 22 25|"; nocase; fast_pattern; pcre:"/util.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C/i"; reference:url,www.coresecurity.com/content/adobe-reader-buffer-overflow; reference:bid,30035; reference:cve,2008-2992; classtype:attempted-user; sid:2013152; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, cve CVE_2008_2992, deployment Perimeter, confidence High, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09;)
Suricata
ET WEB_SERVER PHP Possible php Remote File Inclusion Attempt
suricata · 2011-06-10 · CVE-2002-0953
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=php|3a|//"; reference:cve,2002-0953; reference:cve,2024-4577; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013001; rev:5; metadata:created_at 2011_06_10, cve CVE_2002_0953, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Suricata
ET WEB_SPECIFIC_APPS Possible Oracle GlassFish Server Administration Console Authentication Bypass Attempt
suricata · 2011-06-09 · CVE-2011-1511
Rule: alert http $EXTERNAL_NET any -> $HOME_NET 4848 (msg:"ET WEB_SPECIFIC_APPS Possible Oracle GlassFish Server Administration Console Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"TRACE"; http.uri; content:".jsf"; nocase; reference:url,www.coresecurity.com/content/oracle-glassfish-server-administration-console-authentication-bypass; reference:bid,47818; reference:cve,2011-1511; classtype:attempted-recon; sid:2012977; rev:5; metadata:created_at 2011_06_09, cve CVE_2011_1511, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_te
Suricata
ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Cisco.AnyConnect.VPNWeb.1 Arbitrary Program Execution Attempt
suricata · 2011-06-03 · CVE-2011-2039
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Cisco.AnyConnect.VPNWeb.1 Arbitrary Program Execution Attempt"; flow:established,to_client; file.data; content:"ActiveXObject"; nocase; content:"Cisco.AnyConnect.VPNWeb.1"; fast_pattern; nocase; distance:0; content:"url"; nocase; distance:0; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012930; rev:5; metadata:created_at 2011_06_03, cve CVE_2011_2039, confidence Medium, signature_severity Unknown, updated_at 2024_04_09;)
Suricata
ET WEB_SERVER Apache APR apr_fnmatch Stack Overflow Denial of Service
suricata · 2011-06-02 · CVE-2011-0419
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Apache APR apr_fnmatch Stack Overflow Denial of Service"; flow:established,to_server; urilen:>1400; http.uri; content:"|2F 3F|P|3D 2A 3F 2A 3F 2A 3F 2A 3F 2A 3F|"; pcre:"/(?:\x2a\x3f){700}/"; reference:cve,2011-0419; reference:url,cxib.net/stuff/apr_fnmatch.txt; reference:url,bugzilla.redhat.com/show_bug.cgi?id=703390; classtype:attempted-dos; sid:2012926; rev:5; metadata:created_at 2011_06_02, cve CVE_2011_0419, confidence Medium, signature_severity Major, updated_at 2024_03_06;)
Suricata
ET REMOTE_ACCESS MS Terminal Server Root login
suricata · 2011-04-22 · CVE-2001-0540
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET REMOTE_ACCESS MS Terminal Server Root login"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=root|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012710; rev:2; metadata:created_at 2011_04_22, cve CVE_2001_0540, former_category INFO, confidence Medium, signature_severity Unknown, updated_at 2024_06_27;)
Suricata
ET REMOTE_ACCESS MS Remote Desktop Administrator Login Request
suricata · 2011-04-22
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET REMOTE_ACCESS MS Remote Desktop Administrator Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=admin"; distance:0; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012709; rev:6; metadata:created_at 2011_04_22, former_category INFO, confidence Medium, signature_severity Unknown, updated_at 2024_06_27;)
Suricata
ET INFO MS Remote Desktop Service User Login Request
suricata · 2011-04-22
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET INFO MS Remote Desktop Service User Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=service|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012712; rev:2; metadata:created_at 2011_04_22, confidence High, signature_severity Informational, updated_at 2024_03_06;)
Suricata
ET INFO MS Remote Desktop POS User Login Request
suricata · 2011-04-22 · CVE-2001-0540
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET INFO MS Remote Desktop POS User Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=pos|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012711; rev:2; metadata:created_at 2011_04_22, cve CVE_2001_0540, confidence High, signature_severity Informational, updated_at 2024_03_06;)
Suricata
ET MALWARE Dooptroop Dropper Checkin
suricata · 2011-04-07 · CVE-2011-3544
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dooptroop Dropper Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nconfirm.php?"; fast_pattern; content:"rev="; distance:0; content:"code="; content:"param="; content:"num="; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:command-and-control; sid:2013808; rev:6; metadata:created_at 2011_04_07, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_20;)
Suricata
ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt
suricata · 2011-01-27 · CVE-2010-3599
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt"; flow:established,to_client; file.data; content:"ActiveXObject"; nocase; content:"NCSECWLib.NCSRenderer"; fast_pattern; nocase; distance:0; content:"WriteJPG"; nocase; distance:0; reference:cve,2010-3599; classtype:attempted-user; sid:2012234; rev:6; metadata:created_at 2011_01_27, cve CVE_2010_3599, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_09;)
No public exploits indexed.
No writeups or analysis indexed.
https://publisher.hitachienergy.com/preview?DocumentId=8DBD000194&languageCode=en&Preview=true
https://publisher.hitachienergy.com/preview?DocumentId=8DBD000201&languageCode=en&Preview=true