False positive - Cisco HyperFlex HX Remote Command Execution - ID: 91836


L4 Transporter

Beginning this morning we are seeing lots of apparent false positives for threat ID: 91836 - Cisco HyperFlex HX RCE, which was added to the threat database last night. The destination server is in Wells Fargo IP space and we have determined that this is users trying to log into Wells Fargo online banking at:

https://connect.secure.wellsfargo.com/auth/login/present?

 

This appears to be happening either on redirect of the initial user/pass login POST or a subsequent MFA page, and the users are getting a generic login error response due to the PA threat detection resetting the connection. I do not have a Wells Fargo account to fully test and full packet capture is going to be tricky as these are users' personal accounts.

 

Is anyone else seeing this threat detection and can confirm the destination, offer additional debugging?

2 REPLIES

L0 Member

Should be fixed soon. 

L4 Transporter

It appears that this has been fixed in the App-Threat-8478-7015 release. We were unable to replicate the problem today (prior release -8477-7011 was flagging).
