SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt

This alert triggers on an attempt to exploit CVE-2013-6810, a directory traversal vulnerability in EMC Connectrix Manager. EMC Connectrix Manager is an application used to manage storage infrastructure. The rule looks for signs of an attacker specifying a file path that navigates outside of the intended directory, potentially aiming to overwrite system files or place malicious scripts on the server.

ID Number

29390

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt"; flow:to_server,established; content:"/HttpFileUpload/FileUploadController.do"; fast_pattern:only; http_uri; content:"driverFolderName|3A|"; nocase; http_header; pcre:"/^driverFolderName\x3a[^\r\n]*?\x2e\x2e[\x2f\x5c]/Hmi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64242; reference:cve,2013-6810; classtype:attempted-admin; sid:29390; rev:6;)
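The signature's three match conditions, re-expressed in Python for offline triage of captured requests. This is an added example, not part of the rule set: the record layout (`src`, `uri`, `headers`), the sample data and the case-insensitive URI comparison are assumptions of the example.

```python
import re

# Match conditions copied from the signature (sid 29390).
URI_MARKER = "/HttpFileUpload/FileUploadController.do"
HEADER_NAME = "driverFolderName:"
# pcre flags in the rule: H = HTTP header buffer, m = multiline, i = caseless.
TRAVERSAL_RE = re.compile(
    r"^driverFolderName\x3a[^\r\n]*?\x2e\x2e[\x2f\x5c]", re.M | re.I)
VALUE_RE = re.compile(r"^driverFolderName:[ \t]*([^\r\n]*)", re.M | re.I)

# Constructed sample records (documentation addresses, invented host name).
UPLOAD = "/HttpFileUpload/FileUploadController.do"
SAMPLES = [
    {"src": "198.51.100.7", "uri": UPLOAD,   # backslash traversal: flagged
     "headers": "Host: cm.example.test\r\n"
                "driverFolderName: ..\\..\\constructed-dir\r\n"},
    {"src": "198.51.100.8", "uri": UPLOAD,   # ordinary folder name
     "headers": "driverFolderName: drivers_v2\r\n"},
    {"src": "198.51.100.8", "uri": UPLOAD,   # ".." not followed by / or \
     "headers": "driverFolderName: v1..2\r\n"},
    {"src": "198.51.100.9", "uri": UPLOAD,   # header name in another case: flagged
     "headers": "DRIVERFOLDERNAME: a/../b\r\n"},
    {"src": "198.51.100.9", "uri": "/index.do",   # other endpoint
     "headers": "driverFolderName: ../x\r\n"},
    {"src": "198.51.100.9", "uri": UPLOAD,   # traversal in a different header
     "headers": "driverFolderName: ok\r\nX-Note: ../x\r\n"},
]


def rule_matches(uri, raw_headers):
    """True when a request satisfies all three checks of the signature."""
    if URI_MARKER.lower() not in uri.lower():            # content ... http_uri
        return False
    if HEADER_NAME.lower() not in raw_headers.lower():   # content ... nocase
        return False
    return TRAVERSAL_RE.search(raw_headers) is not None  # pcre ... /Hmi


def triage(records):
    """Return (source, driverFolderName value) for each flagged record."""
    hits = []
    for rec in records:
        if rule_matches(rec["uri"], rec["headers"]):
            value = VALUE_RE.search(rec["headers"]).group(1)
            hits.append((rec["src"], value))
    return hits


if __name__ == "__main__":
    for src, value in triage(SAMPLES):
        print(f"{src}\tdriverFolderName={value!r}")
```

A hit shows that a request matched the pattern, not that a file was written; confirming the outcome still requires the log and file-system review described under the recommendations.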

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

Ensure that EMC Connectrix Manager is up to date with the latest security patches to mitigate known vulnerabilities. Inspect logs to determine whether the attempted exploitation was successful. Look for signs of unauthorized reading or writing of files. If possible, block communication attempts from external networks, or allow access from specific external devices only.