Summary
Digital Vaccine #9000 September 19, 2017
Details
Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs. New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com. SMS customers can update the Digital Vaccine through the SMS client. From the top line menu, you can open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update.
System Requirements
The 2.5.2 DV will run on IPS devices with TOS v2.5.2 to TOS v3.1.x. The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, all NGFW and all TPS systems. The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance. Please note that vTPS does not currently support pre-disclosed ZDI filters.
Adobe Security Bulletins
This DV includes coverage for the Adobe vulnerabilities released on or before September 12, 2017. The following table maps TippingPoint filters to the Adobe CVEs.
Bulletin # | CVE # | TippingPoint Filter # | Status
APSB17-28 | CVE-2017-11281 | 29632 |
APSB17-28 | CVE-2017-11282 | 29603 |
Filters marked with * shipped prior to this DV, providing zero-day protection.
Update Details
Table of Contents
--------------------------
Filters
New Filters
Modified Filters (logic changes)
Modified Filters (metadata changes only)
Removed Filters
Filters
----------------
New Filters:
28904: IMAP: IBM Domino IMAP Mailbox Name Buffer Overflow Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a buffer overflow vulnerability in IBM Domino.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Bugtraq ID: 97910, 98019
- Common Vulnerabilities and Exposures: CVE-2017-1274 CVSS 6.5
29547: DHCP: FreeRADIUS fr_dhcp_attr2vp Integer Underflow Out-of-Bounds Read Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: High
- Description: This filter detects an attempt to exploit an out-of-bounds read vulnerability in FreeRADIUS.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Bugtraq ID: 99971
- Common Vulnerabilities and Exposures: CVE-2017-10986 CVSS 5.0
29548: RADIUS: FreeRADIUS rad_coalesce Out-of-Bounds Read Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: High
- Description: This filter detects an attempt to exploit an out-of-bounds read vulnerability in FreeRADIUS.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Bugtraq ID: 99901
- Common Vulnerabilities and Exposures: CVE-2017-10979 CVSS 7.5
29549: RADIUS: FreeRADIUS data2vp_wimax Buffer Overflow Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a buffer overflow vulnerability in FreeRADIUS.
- Deployment: Not enabled by default in any deployment.
- References:
- Bugtraq ID: 99876
- Common Vulnerabilities and Exposures: CVE-2017-10984 CVSS 7.5
29551: HTTP: E-XD++ Visualization Suite UCCVIEWER Vulnerable ActiveX Instantiation (ZDI-17-420)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Security Policy
- Severity: Moderate
- Description: This filter detects an attempt to instantiate a vulnerable ActiveX control in E-XD++ Visualization Enterprise Suite.
- Deployment: Not enabled by default in any deployment.
- References:
- Zero Day Initiative: ZDI-17-420
29554: HTTP: E-XD++ Visualization Enterprise Suite UCCDRAW Vulnerable ActiveX Instantiation (ZDI-17-421)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Security Policy
- Severity: Moderate
- Description: This filter detects an attempt to instantiate a vulnerable ActiveX control in E-XD++ Visualization Enterprise Suite.
- Deployment: Not enabled by default in any deployment.
- References:
- Zero Day Initiative: ZDI-17-421
29567: ZDI-CAN-5030: Zero Day Initiative Vulnerability (Foxit Reader)
- IPS Version: 3.2.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: Not available.
- Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Foxit Reader.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
29568: SMTP: Microsoft Outlook Protected View Security Bypass Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: High
- Description: This filter detects an attempt to exploit a security bypass vulnerability in Microsoft Outlook.
- Deployment: Not enabled by default in any deployment.
- References:
- Bugtraq ID: 97458
- Common Vulnerabilities and Exposures: CVE-2017-0204 CVSS 4.3
29586: HTTP: Nginx ngx_http_range_filter_module Integer Overflow Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: Critical
- Description: This filter detects an attempt to exploit an integer overflow vulnerability in the Nginx web server.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Bugtraq ID: 99534
- Common Vulnerabilities and Exposures: CVE-2017-7529 CVSS 5.0
29588: HTTP: Microsoft Windows System Information Console XXE Injection Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: High
- Description: This filter detects an attempt to exploit an XML external entity (XXE) injection vulnerability in the System Information Console component of Microsoft Windows.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Bugtraq ID: 99387, 99398
- Common Vulnerabilities and Exposures: CVE-2017-8557 CVSS 2.1
29589: TCP: HPE Intelligent Management Center imcwlandm Buffer Overflow Vulnerability (ZDI-17-315)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: Critical
- Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Hewlett Packard Enterprise Intelligent Management Center.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Bugtraq ID: 98088
- Common Vulnerabilities and Exposures: CVE-2017-5804 CVSS 10.0
- Zero Day Initiative: ZDI-17-315
29598: HTTP: Nitro Pro PDF Command Execution Vulnerability
- IPS Version: 3.2.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a command execution vulnerability in Nitro Pro PDF.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Bugtraq ID: 100298
- Common Vulnerabilities and Exposures: CVE-2017-7442 CVSS 6.8
29603: HTTP: Adobe Flash text Object Memory Corruption Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: High
- Description: This filter detects an attempt to exploit a memory corruption vulnerability in Adobe Flash Player.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Common Vulnerabilities and Exposures: CVE-2017-11282
29629: SMB: Microsoft Windows SMB Server SMBv1 Out-of-Bounds Read Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: High
- Description: This filter detects an attempt to exploit an out-of-bounds read vulnerability in Microsoft Windows SMB Server.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Bugtraq ID: 98259
- Common Vulnerabilities and Exposures: CVE-2017-0267 CVSS 4.3
29630: SSL: GnuTLS status_request Extension Null Pointer Dereference Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: Critical
- Description: This filter detects attempts to exploit a null pointer dereference vulnerability in GnuTLS.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Bugtraq ID: 99102
- Common Vulnerabilities and Exposures: CVE-2017-7507 CVSS 5.0
29632: HTTP: Adobe Flash MP4 Memory Corruption Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: Critical
- Description: This filter detects an attempt to exploit a memory corruption vulnerability in Adobe Flash.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Common Vulnerabilities and Exposures: CVE-2017-11281
Modified Filters (logic changes):
* = Enabled in Default deployments
5561: Tunneling: Iodine DNS Tunneling Request
- IPS Version: 1.0.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
25357: HTTP: UCanCode E-XD++ Visualization Enterprise Suite TKDrawCAD RotateShape Usage (ZDI-17-422)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "25357: ZDI-CAN-3907: Zero Day Initiative Vulnerability (UCanCode E-XD++ Visualization Enterprise Suite)".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
27240: TCP: HPE Intelligent Management Center dbman Opcode 10005 Command Injection (ZDI-17-481,ZDI-17-483)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
27315: HTTP: Cisco Prime Collaboration Provisioning logconfigtracer Directory Traversal (ZDI-17-447,448)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "27315: HTTP: Cisco Prime Collaboration Provisioning logconfigtracer Directory Traversal (ZDI-17-447)".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
28320: RPC: RPCBind XDR Parsing Memory Exhaustion Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28320: RPC: RPCbind GetVersAddr Denial-of-Service Vulnerability".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
28613: HTTP: Microsoft Edge clip-path Use-After-Free Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category changed from "Exploits" to "Vulnerabilities".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
- Deployments updated and are now:
- Deployment: Security-Optimized (Block / Notify)
28740: HTTP: HPE IMC dnd Expression Language Injection Vulnerability (ZDI-17-675)
- IPS Version: 3.2.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28740: ZDI-CAN-4853: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
* 29068: HTTP: Apache Struts 2 Struts 1 Plugin Remote Code Execution Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
* 29369: HTTP: Adobe Acrobat Reader WinAnsiEncoding Differences Memory Corruption Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
Modified Filters (metadata changes only):
* = Enabled in Default deployments
* 7170: ARP: Address Invalid
- IPS Version: 1.0.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
28914: HTTP: HPE IMC operatorGroupSelectContent Code Injection Vulnerability (ZDI-17-688)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28914: HTTP: HPE ICM operatorGroupSelectContent Code Injection Vulnerability (ZDI-17-688)".
* 29141: HTTP: HPE Intelligent Management Center Expression Code Injection (ZDI-17-652,ZDI-17-653,ZDI-17-654)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Vulnerability references updated.
Removed Filters: None