SERVER-WEBAPP Cisco Prime Data Center Network Manager processImageSave.jsp directory traversal attempt

This alert is triggered when an attempt is detected to exploit CVE-2013-5486, a directory traversal vulnerability in Cisco Prime Data Center Network Manager (DCNM). Cisco Prime DCNM is a management solution for data centers. The rule looks specifically for requests that manipulate the 'chartid' parameter to gain unauthorized access to files and directories outside the intended path.

ID Number

29042

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Data Center Network Manager processImageSave.jsp directory traversal attempt"; flow:to_server,established; content:"/cues_utility/charts/processImageSave.jsp"; fast_pattern:only; http_uri; content:"chartid="; nocase; http_uri; content:"../"; distance:0; nocase; http_uri; pcre:"/[?&]chartid=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62484; reference:cve,2013-5486; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm; classtype:attempted-admin; sid:29042; rev:6;)

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

It is recommended to ensure that Cisco Prime DCNM is up to date with the latest security patches to mitigate known vulnerabilities. Inspect logs to determine whether the attempted exploitation was successful, and look for signs of unauthorized access. If possible, block communication attempts from external networks, or allow access from specific external devices only.
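
For the log inspection step, the following added example (not part of the original rule documentation) applies the signature's path and pcre conditions to web access log lines and reports the response status for each match so those responses can be reviewed. It assumes a combined-format access log and approximates Snort's URI normalization with percent-decoding; the function names and the sample entries are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Path from the rule's first content match, lowercased for comparison.
JSP_PATH = "/cues_utility/charts/processimagesave.jsp"
# The rule's pcre; its /U and /i flags become "decoded URI" and IGNORECASE.
CHARTID_TRAVERSAL = re.compile(r"[?&]chartid=[^&]*?\x2e\x2e\x2f", re.IGNORECASE)
# Request line and status in a combined-format log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+" (\d{3})')

def uri_matches_rule(raw_uri):
    """Approximate the rule: decode percent-encoding, then test path and pcre."""
    uri = unquote(raw_uri)
    return JSP_PATH in uri.lower() and bool(CHARTID_TRAVERSAL.search(uri))

def triage(lines):
    """Return (source, status, raw_uri) for each log line the rule would match."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and uri_matches_rule(m.group(1)):
            hits.append((line.split(" ", 1)[0], int(m.group(2)), m.group(1)))
    return hits

# Constructed sample entries (documentation addresses, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cues_utility/charts/processImageSave.jsp?chartid=chart01 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /cues_utility/charts/processImageSave.jsp?mode=save&chartid=../../PLACEHOLDER HTTP/1.1" 200 87',
    '198.51.100.7 - - [01/Jan/2024:10:02:15 +0000] "GET /cues_utility/charts/processImageSave.jsp?chartid=%2e%2e%2fPLACEHOLDER HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] "GET /other/page.jsp?chartid=../PLACEHOLDER HTTP/1.1" 200 10',
    '192.0.2.10 - - [01/Jan/2024:10:04:00 +0000] "GET /cues_utility/charts/processImageSave.jsp?chartid=chart01&file=../PLACEHOLDER HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for src, status, uri in triage(SAMPLE_LOG):
        print(f"{src} status={status} uri={uri}")
```

A matching request with a success status is a lead for further review of what the server returned, not proof of compromise on its own.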