False positive - Cisco HyperFlex HX Remote Command Execution - ID: 91836

Adrian_Jensen — Tue, 26 Oct 2021 18:04:15 GMT

Beginning this morning we are seeing lots of apparent false positives for threat ID: 91836 - Cisco HyperFlex HX RCE, which was added to the threat database last night. The destination server is in Wells Fargo IP space and we have determined that this is users trying to log into Wells Fargo online banking at:

https://connect.secure.wellsfargo.com/auth/login/present?

This appears to be happening either on redirect of the initial user/pass login POST or a subsequent MFA page, and the users are getting a generic login error response do to the PA threat detection resetting the connection. I do not have a Wells Fargo account to fully test and full packet capture is going to be tricky as these are users' personal accounts.

Is anyone else seeing this threat detection and can confirm the destination, offer additional debugging?

Re: False positive - Cisco HyperFlex HX Remote Command Execution - ID: 91836

vasinghal — Tue, 26 Oct 2021 21:01:31 GMT

Should be fixed soon.

Re: False positive - Cisco HyperFlex HX Remote Command Execution - ID: 91836

Adrian_Jensen — Thu, 28 Oct 2021 02:34:47 GMT

It appears that this has been fixed in the App-Threat-8478-7015 release. We were unable to replicate the problem today (prior release -8477-7011 was flagging).

topic Re: False positive - Cisco HyperFlex HX Remote Command Execution - ID: 91836 in Advanced Threat Prevention Discussions

False positive - Cisco HyperFlex HX Remote Command Execution - ID: 91836

Re: False positive - Cisco HyperFlex HX Remote Command Execution - ID: 91836

Re: False positive - Cisco HyperFlex HX Remote Command Execution - ID: 91836