UDS for Multiple Vulnerabilities
Attacks Covered
- Attack Name = UDS-HTTP: Zabbix Server Audit Log SQL Injection Vulnerability (CVE-2024-22120)
  CVE = CVE-2024-22120
- Attack Name = UDS-PKTSEARCH: Veeam Backup and Replication Deserialization Vulnerability (CVE-2024-40711)
  CVE = CVE-2024-40711
- Attack Name = UDS-HTTP: WordPress Plugin Wux Blog Editor Arbitrary File Upload Vulnerability (CVE-2024-9932)
  CVE = CVE-2024-9932
- Attack Name = UDS-HTTP: Tenda AC6 Stack Buffer Overflow Vulnerability (CVE-2024-10698)
  CVE = CVE-2024-10698
- Attack Name = UDS-HTTP: Tenda AC6 Command Injection Vulnerability (CVE-2024-10697)
  CVE = CVE-2024-10697
- Attack Name = UDS-PKTSEARCH: Tenda AC1206 Stack Buffer Overflow Vulnerability (CVE-2024-10434)
  CVE = CVE-2024-10434
- Attack Name = UDS-HTTP: WordPress Plugin LUBUS Remote Code Execution Vulnerability (CVE-2024-50498)
  CVE = CVE-2024-50498
- Attack Name = UDS-HTTP: PTZOptics OS Command Injection Vulnerability (CVE-2024-8957)
  CVE = CVE-2024-8957
- Attack Name = UDS-HTTP: PTZOptics Information Disclosure Vulnerability (CVE-2024-8956)
  CVE = CVE-2024-8956
- Attack Name = UDS-HTTP: WordPress Plugin Meetup Authorization Bypass Vulnerability (CVE-2024-50483)
  CVE = CVE-2024-50483
- Attack Name = UDS-HTTP: Apache Server Mod_rewrite Improper Encoding and Escaping of Output Vulnerability
  CVE = CVE-2024-38472, CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, CVE-2024-38475, CVE-2024-38474, CVE-2024-38473, CVE-2023-38709
- Attack Name = UDS-HTTP: Cloudlog Unauthenticated SQL Injection Vulnerability (CVE-2024-45999)
  CVE = CVE-2024-45999
- Attack Name = UDS-HTTP: TOTOlink AC1200 setWizardCfg Buffer Overflow Vulnerability (CVE-2024-46419)
  CVE = CVE-2024-46419
- Attack Name = UDS-HTTP: GitLab Ruby-SAML Authentication Bypass Vulnerability (CVE-2024-45409)
  CVE = CVE-2024-45409
- Attack Name = UDS-HTTP: TOTOLink EX1200L setLanguageCfg Buffer Overflow Vulnerability (CVE-2024-7909)
  CVE = CVE-2024-7909
- Attack Name = UDS-HTTP: Telerik Report Server Authentication Bypass Vulnerability (CVE-2024-4358)
  CVE = CVE-2024-4358
- Attack Name = UDS-HTTP: OpenMetadata Remote Code Execution Vulnerability (CVE-2024-28254)
  CVE = CVE-2024-28254
- Attack Name = UDS-HTTP: Palo Alto Networks Authentication Bypass Vulnerability (CVE-2024-0012)
  CVE = CVE-2024-0012
- Attack Name = UDS-HTTP: Palo Alto Networks PAN-OS Privilege Escalation Vulnerability (CVE-2024-9474)
  CVE = CVE-2024-9474
A Trellix IPS Emergency UDS has been created to detect these threats.
Environment
Trellix Intrusion Prevention System (Trellix IPS)
Summary
User-Defined Signatures (UDSs) are provided as an immediate solution to a security advisory. We write and test these signatures with the objective of a quick turnaround.
A UDS is intended to cover the known aspects of a threat and might not cover all variants. Sometimes, UDS releases might generate incorrect identification.
To download a UDS, perform the steps below:
- Click the link to the Knowledge Base article for the UDS that you need to download.

  Release Date        Threat                                                                                    Article
  December 17, 2024   UDS-HTTP: Apache Struts file upload vulnerability (CVE-2024-53677)                        Release Notes
  December 2, 2024    UDS-HTTP: WordPress Plugin PegaPoll privilege escalation vulnerability (CVE-2024-50490)   Release Notes
  November 22, 2024   UDS for multiple vulnerabilities                                                          Release Notes
  November 5, 2024    UDS for multiple vulnerabilities                                                          Release Notes

- Download the .zip file attached to the article, which contains the UDS.
  Note: The .zip file is named using the format UDS-<date of release>.zip. For example, UDS-11042020.zip was released on November 4, 2020.
- Extract the downloaded .zip file. The .zip file extracts into Emergency_UDS_xxx.zip.
To import the UDS to the Manager, perform the steps below:
- Log on to the Manager.
- Click Policy > Intrusion Prevention > Policy Types.
  - For Manager 9.x, click IPS Policies.
  - For Manager 10.x and later, including 11.x, click IPS.
- Click the Custom Attacks link at the bottom of the left pane.
- Click Other Actions and Import.
- Click Browse and select the Emergency_UDS_xxx.zip file.
- Deselect the following:
  - Import Snort Rules
  - Import Snort Macros
  - Import Snort Classifications
- Click Import.
- Verify that the number of UDSs successfully imported is not zero (1 or greater).
Push the UDS from the Manager to the Sensors:
The imported UDS is not pushed to the Sensor until you perform an update. You can roll out the update using either of the following methods:
To apply the UDS to each Sensor one by one:
- Open the Manager.
- Navigate to Devices.
- From the left navigation pane, select the Devices tab.
- From the drop-down list, select the Sensor that you want to push the update to.
- Click Deploy Pending Changes. The option must already be selected.
- To start updating the Sensor, click Update/Deploy.
To apply the UDS to all Sensors:
- Open the Manager.
- Navigate to Devices.
- From the left navigation pane, select the Global tab.
- Click Deploy Pending Changes. Each Sensor requiring an update must be selected.
- To start updating the Sensors, click Update/Deploy.
Related information
References to product versions that have reached End of Life have been removed from this article. We strongly recommend that you upgrade to a supported version.
For details on supported and End-of-Life (EOL) products, see Trellix Product End-of-Life Information.