SERVER-WEBAPP HP Intelligent Management Center BIMS UploadServlet arbitrary file upload attempt

This alert is triggered when an adversary attempts to exploit CVE-2013-4822, a file upload vulnerability in the HP Intelligent Management Center (IMC) BIMS UploadServlet. HP IMC is an integrated management platform for IT networks. The rule matches HTTP PUT requests to /upload/upload? whose fileName parameter contains a directory traversal sequence (../) or a .jsp extension, a pattern that indicates malicious file upload activity. Legitimate uploads to HP IMC should not traverse directories or upload JSP files in this manner.

ID Number

28407

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center BIMS UploadServlet arbitrary file upload attempt"; flow:to_server,established; content:"PUT"; http_method; content:"/upload/upload?"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; pcre:"/[?&]fileName=[^&]*?(\x2e\x2e\x2f|\x2ejsp)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62895; reference:cve,2013-4822; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943425; classtype:attempted-admin; sid:28407; rev:6;)

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

Ensure that HP Intelligent Management Center (IMC) is up to date with the latest security patches to mitigate known vulnerabilities. Inspect logs to determine whether the attempted exploitation was successful. Look for signs of malicious files or execution of arbitrary code. If possible, block communication attempts from external networks, or allow access from specific external devices only.
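
For the log inspection recommended above, the signature's conditions can be applied retrospectively to web server access logs. The following is an added example, not part of the original rule documentation: it assumes common/combined-format access logs, approximates Snort's normalized URI buffer with a single URL decode, and uses constructed sample log lines.

```python
import re
from urllib.parse import unquote

# Request and status fields of a common/combined-format access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# The rule's pcre option; /U (decoded URI) and /i (ignore case) are emulated below.
FILENAME_RE = re.compile(r'[?&]fileName=[^&]*?(\x2e\x2e\x2f|\x2ejsp)', re.IGNORECASE)


def matches_sid_28407(method, raw_uri):
    """Approximate the rule's conditions for one logged request."""
    if method != "PUT":                         # content:"PUT"; http_method
        return False
    uri = unquote(raw_uri)                      # decode once, like a normalized URI buffer
    if "/upload/upload?" not in uri.lower():    # content:"/upload/upload?"; http_uri
        return False
    return FILENAME_RE.search(uri) is not None  # fileName= value with ../ or .jsp


def scan(lines):
    """Return (source, status, uri, follow_up) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and matches_sid_28407(m["method"], m["uri"]):
            # Assumption: a 2xx status means the server accepted the request,
            # so the host needs a file-system check; it is not proof of compromise.
            hits.append((m["src"], m["status"], m["uri"], m["status"].startswith("2")))
    return hits


# Constructed sample log lines (documentation addresses, made-up file names).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2013:13:55:36 +0000] "PUT /upload/upload?fileName=..%2F..%2Fexample.jsp HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Oct/2013:13:56:01 +0000] "PUT /upload/upload?fileName=config-backup.cfg HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Oct/2013:13:56:09 +0000] "GET /upload/upload?fileName=example.jsp HTTP/1.1" 404 0',
    '203.0.113.10 - - [10/Oct/2013:13:57:12 +0000] "PUT /upload/upload?id=1&FILENAME=report.JSP HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for src, status, uri, follow_up in scan(SAMPLE_LOG):
        print(src, status, uri, "check host" if follow_up else "review")
```

Matches with a 2xx status are the ones to prioritise when looking for unexpected files on the IMC host.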