Sigma
Sigma rules for CVE-2021-20090
1 rules · scoped to cve · back to CVE-2021-20090
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
◈
Detection rules
1 of 1
direct
critical
Arcadyan Router Exploitations
Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
view Sigma YAML
title: Arcadyan Router Exploitations
id: f0500377-bc70-425d-ac8c-e956cd906871
status: test
description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
references:
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
- https://www.tenable.com/security/research/tra-2021-13
- https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
author: Bhabesh Raj
date: 2021-08-24
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
- cve.2021-20090
- cve.2021-20091
- detection.emerging-threats
logsource:
category: webserver
detection:
path_traversal:
# CVE-2021-20090 (Bypass Auth: Path Traversal)
cs-uri-query|contains: '..%2f'
config_file_inj:
cs-uri-query|contains|all:
# Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)
- '..%2f'
- 'apply_abstract.cgi'
noauth_list:
cs-uri-query|contains:
- '/images/'
- '/js/'
- '/css/'
- '/setup_top_login.htm'
- '/login.html'
- '/loginerror.html'
- '/loginexclude.html'
- '/loginlock.html'
condition: (path_traversal or config_file_inj) and noauth_list
falsepositives:
- Unknown
level: critical
Showing 1-1 of 1