SERVER-WEBAPP Cisco Prime Data Center Network Manager FileUploadServlet arbitrary file upload attempt

This alert is triggered when detecting an attempt to exploit CVE-2013-5486, a directory traversal vulnerability in Cisco Prime Data Center Network Manager (DCNM). Cisco Prime DCNM is a management solution for data centers. This rule specifically looks for signs of an attacker manipulating the fileUpload URI to upload files to unintended directories, potentially aiming to overwrite system files or place malicious scripts on the server.

ID Number

29142

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Data Center Network Manager FileUploadServlet arbitrary file upload attempt"; flow:to_server,established; content:"/fileUpload"; depth:11; nocase; http_uri; content:"multipart/form-data"; http_header; content:"file_system"; fast_pattern:only; http_client_body; content:"uploadDir"; nocase; http_client_body; pcre:"/name\s*?=\s*?[\x22\x27]?uploadDir[^\x3b]+?(?:(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)|C(\x3a|%3a)(\x5c|%5c))/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62484; reference:cve,2013-5486; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm; classtype:attempted-admin; sid:29142; rev:6;)
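
As an added illustration (not part of the original rule documentation), the following Python mirrors the rule's conditions and its pcre and runs them over constructed multipart bodies, so the uploadDir checks can be verified against samples that should and should not alert. The multipart field layout and the Content-Type header handling are assumptions, not taken from DCNM.

```python
import re

# Python rendering of the rule's pcre; its /P flag scopes it to the HTTP
# client body and /i makes it case-insensitive.
TRAVERSAL_RE = re.compile(
    rb"name\s*?=\s*?[\x22\x27]?uploadDir[^\x3b]+?"
    rb"(?:(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)|C(\x3a|%3a)(\x5c|%5c))",
    re.IGNORECASE,
)


def rule_29142_matches(uri: str, headers: dict, body: bytes) -> bool:
    """Return True when a request satisfies every condition of SID 29142."""
    # content:"/fileUpload"; depth:11; nocase; http_uri -> must sit at offset 0
    if uri[:11].lower() != "/fileupload":
        return False
    # content:"multipart/form-data"; http_header
    if "multipart/form-data" not in headers.get("Content-Type", ""):
        return False
    # content:"file_system"; fast_pattern:only; http_client_body (case-sensitive)
    if b"file_system" not in body:
        return False
    # content:"uploadDir"; nocase; http_client_body
    if b"uploaddir" not in body.lower():
        return False
    # pcre: the uploadDir value carries "../", "..\" (raw or URL-encoded) or "C:\"
    return TRAVERSAL_RE.search(body) is not None


def multipart_body(fields: dict, boundary: bytes = b"----constructed") -> bytes:
    """Build a minimal multipart/form-data body from constructed sample fields."""
    parts = []
    for name, value in fields.items():
        parts.append(
            b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
            + value.encode() + b"\r\n"
        )
    return b"".join(parts) + b"--" + boundary + b"--\r\n"


# Constructed sample requests (not captured DCNM traffic); field names are assumed.
HEADERS = {"Content-Type": "multipart/form-data; boundary=----constructed"}
BENIGN = multipart_body({"file_system": "local", "uploadDir": "uploads/reports", "file": "x"})
TRAVERSAL = multipart_body({"file_system": "local", "uploadDir": "../../../tmp", "file": "x"})
ENCODED = multipart_body({"file_system": "local", "uploadDir": "%2e%2e%2fetc", "file": "x"})
DRIVE = multipart_body({"file_system": "local", "uploadDir": "C:\\Windows\\Temp", "file": "x"})

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("traversal", TRAVERSAL), ("encoded", ENCODED), ("drive", DRIVE)]:
        print(label, rule_29142_matches("/fileUpload", HEADERS, body))
```

The benign body is rejected because the pcre's [^;]+? cannot cross the semicolon that precedes the next part's name attribute, so an ordinary relative directory in uploadDir does not alert.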

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

It is recommended to keep Cisco Prime DCNM up to date with the latest security patches to mitigate known vulnerabilities. Inspect logs to determine whether the attempted exploitation succeeded. Look for unauthorized or suspicious files that may have been uploaded. If possible, block communication attempts from external networks, or allow access only from specific external devices.