SERVER-WEBAPP Red Hat CloudForms agent controller filename directory traversal attempt

This alert is triggered when an attempt to exploit CVE-2013-2068, a directory traversal vulnerability in the Red Hat CloudForms agent controller, is detected. Red Hat CloudForms is a hybrid cloud management platform. This rule specifically looks for an attacker supplying a filename parameter whose path navigates outside of the intended directory, potentially aiming to overwrite system files or place malicious scripts on the server.

ID Number

29297

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Red Hat CloudForms agent controller filename directory traversal attempt"; flow:to_server,established; content:"/agent/"; depth:7; fast_pattern; nocase; http_uri; content:"data="; nocase; http_uri; content:"filename="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62745; reference:cve,2013-2068; reference:url,rhn.redhat.com/errata/RHSA-2013-1206.html; classtype:attempted-admin; sid:29297; rev:3;)
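The signature above chains several `http_uri` content checks with a `pcre`. To make those semantics concrete for analysts validating the rule, the following Python is an added example (not part of the original page and not a Snort component) that models the URI portion of sid 29297 and runs it over constructed access-log lines. It assumes a single percent-decoding pass approximates Snort's normalized URI buffer; the `flow`, port and protocol conditions are not modeled, and the request paths and hosts in the sample log are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Snort's http_uri buffer is the normalized URI, so percent-encoded traversal
# sequences are decoded before the content/pcre checks run. Assumption: one
# unquote pass is a close enough model of that normalization for this example.
def normalize_uri(raw_uri: str) -> str:
    return unquote(raw_uri)

# pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui" -> "../" inside the filename parameter value
FILENAME_TRAVERSAL = re.compile(r"[?&]filename=[^&]*?\.\./", re.IGNORECASE)

def sid_29297_matches(raw_uri: str) -> bool:
    """Return True if the URI portion of sid 29297 would fire on this request URI."""
    uri = normalize_uri(raw_uri)
    low = uri.lower()  # every content match in the rule carries "nocase"
    # content:"/agent/"; depth:7 -> the 7-byte match must sit within the first 7 bytes,
    # i.e. the URI must begin with /agent/
    if not low.startswith("/agent/"):
        return False
    # content:"data=" and content:"filename=" may appear anywhere in the URI
    if "data=" not in low:
        return False
    fn = low.find("filename=")
    if fn == -1:
        return False
    # content:"../"; distance:0 -> must occur after the end of the filename= match
    if low.find("../", fn + len("filename=")) == -1:
        return False
    # final pcre check on the normalized (not lowercased) URI
    return FILENAME_TRAVERSAL.search(uri) is not None

# Constructed combined-format log lines (hosts, paths and sizes are placeholders).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2014:10:00:00 +0000] "GET /agent/constructed/path?data=abc&filename=agent.log HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2014:10:00:01 +0000] "GET /agent/constructed/path?data=abc&filename=../../constructed/file HTTP/1.1" 200 12',
    '10.0.0.6 - - [01/Jan/2014:10:00:02 +0000] "POST /agent/constructed/path?data=abc&filename=%2e%2e%2fconstructed/file HTTP/1.1" 200 12',
    '10.0.0.7 - - [01/Jan/2014:10:00:03 +0000] "GET /api/agent/other?data=abc&filename=../x HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')

def scan_access_log(lines):
    """Return the request URIs from the given log lines that the rule model flags."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and sid_29297_matches(m.group(1)):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    for uri in scan_access_log(SAMPLE_LOG):
        print("sid 29297 would fire on:", uri)
```

Two behaviours are worth noting when reviewing hits: the `depth:7` constraint means a request whose path merely contains `/agent/` later on does not match, and because matching runs on the normalized URI, a percent-encoded `../` is still caught, so log review should decode URIs before comparing against the raw signature text.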

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

It is recommended to ensure that Red Hat CloudForms is up to date with the latest security patches to mitigate known vulnerabilities. Inspect logs to determine whether the attempted exploitation was successful, looking for signs of unauthorized reading or writing of files. If possible, block communication attempts from external networks, or allow access only from specific external devices.