
Summary

This month, the DARC has released 20 filters:

  • 11 new filters were added to block specific attacks

  • 7 filters have been defined to provide accurate reporting on attacks that were already blocked by generic filters

  • 2 filters have been improved

This Blacklist is used for rWeb and R&S®Web Application Firewall (Blacklist engine).

Blacklist update files are available on https://my.denyall.com.

New filters

12584: D-Link DIR-300L/600L Remote Command Execution

The remote D-Link DIR router is affected by a remote command execution vulnerability. An unauthenticated remote attacker can use this vulnerability to execute operating system commands as root.

12586: System.ini leak

The remote server is vulnerable to an information leak that could allow a remote attacker to learn sensitive information.

12587: Grandstream Phone Web UI Information Disclosure

The remote Grandstream phone is affected by an information disclosure vulnerability in the web administration interface due to the failure to restrict access to sensitive configuration data. An unauthenticated, remote attacker can exploit this to disclose sensitive information related to the device, such as the admin password.

12588: Apache Hadoop YARN ResourceManager Unauthenticated RCE (Remote) (Xbash)

The Apache Hadoop YARN ResourceManager running on the remote host allows unauthenticated users to create and execute applications. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to potentially execute arbitrary code, subject to the user privileges of the executing node.

12590: Remote Unauthenticated Command Execution through CGI

The remote NETGEAR DGN device is affected by a flaw in the setup.cgi script that allows an unauthenticated remote attacker to execute arbitrary commands with root privileges.

12592: Apache Struts 2 - Arbitrary Remote Command Execution

CVE: CVE-2016-3081, CVE-2017-9791, CVE-2017-9805, CVE-2018-11776

The remote web server contains a web application that uses a Java framework, which is affected by a remote command execution vulnerability.

12594: Western Digital MyCloud Unauthenticated File Upload

CVE: CVE-2017-17560

The remote WD MyCloud device is affected by a file upload vulnerability that allows a remote attacker to upload and execute files.

12596: Blueimp jQuery-File-Upload - Unauthenticated arbitrary file upload

CVE: CVE-2018-9206

Blueimp jQuery-File-Upload <= v9.22.0 is affected by a file upload vulnerability that allows a remote attacker to upload and execute files.

12597: MVPower DVR Remote Command Execution

The AOST-based network video recorder distributed by MVPower is affected by a remote command execution vulnerability. An unauthenticated remote attacker can use this vulnerability to execute operating system commands as root.

12598: JavaScript String replace function

12600: AVTech Multiple Vulnerabilities through CGI - Unrestricted download

The remote AVTech device is affected by multiple vulnerabilities through the CGI interface.

Existing filters

12585: D-Link DIR 850L Router Local File Inclusion

The remote D-Link DIR router is affected by a local file inclusion vulnerability that allows an attacker to execute arbitrary PHP scripts.

12589: HP UCMDB Server BeanUtils Java Deserialization RCE

CVE: CVE-2017-14353

The HP Universal Configuration Management Database (UCMDB) Server running on the remote host is affected by a remote code execution vulnerability due to unsafe deserialization of unauthenticated Java objects passed to the Apache Commons BeanUtils library. An unauthenticated, remote attacker can exploit this, by sending a crafted POST request, to execute arbitrary code on the target host.

12591: NUUO NVR Web Interface RCE

The remote network video recorder does not properly sanitize some user input, which can allow a remote unauthenticated user to execute commands as root.

12593: Trend Micro Control Manager GetPassword() SQLi

CVE: CVE-2018-3604

The Trend Micro Control Manager running on the remote host is affected by an SQLi vulnerability when processing an HTTP request due to the lack of proper validation of a user-supplied string before using it to construct SQL queries. An unauthenticated, remote attacker can exploit this issue, via a specially crafted HTTP request, to execute code under the context of the Network Service account.

12595: BuddyPress Plugin for WordPress < 2.9.2 Information Disclosure

The BuddyPress Plugin for WordPress running on the remote web server is prior to version 2.9.2. It is, therefore, affected by an information disclosure vulnerability. A remote, unauthenticated attacker can exploit this vulnerability, via a specially crafted request, to display private administrative group information.

12599: Belkin N750 Router 1.10.22 Command Injection

CVE: CVE-2018-1144

Belkin N750 Router 1.10.22 is affected by a remote command injection vulnerability.

12601: Apache .htaccess and .htpasswd Disclosure

The remote web server discloses information via an HTTP request.

Improved filters

10340: Common SQL injection techniques

12486: Apache Struts2 class Parameter ClassLoader Manipulation

In versions before 2.3.16.1, the 'class' parameter is mapped directly to the getClass() method, exposing the ClassLoader. A remote attacker can execute arbitrary Java code via crafted parameters.

12570: ManageEngine Firewall Analyzer Multiple XSS

ManageEngine Firewall Analyzer is affected by multiple cross-site scripting (XSS) vulnerabilities due to improper validation of user-supplied input. A remote attacker can exploit these vulnerabilities to execute arbitrary script code in a user's browser session.

Installation

rWeb

  1. Go to Security panel, BL & SL update,
  2. Upload the blacklist.xml file,
  3. To finish, restart your applications.

R&S®Web Application Firewall

The Blacklist can be updated via the backup system.

  1. Unzip the RS_Web_Application_Firewall_6.5_Blacklist_Update_2019-01-31.zip file
  2. Go to Management panel, Backups,
  3. Upload the blacklist.backup file,
  4. Open the backup and restore the Static Blacklist,
  5. Go to Policies, Security and Blacklist Configurations,
  6. Modify each Blacklist Configuration and select the newest Static Blacklist,
  7. Save changes,
  8. To finish, select all modified Blacklist Configurations and Apply them.
