Digital Vaccine #9007

Updated: 3 Oct 2017
Product/Version: TippingPoint Digital Vaccine

Summary
Digital Vaccine #9007      October 3, 2017

Details
 
Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs.

New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com

SMS customers can update the Digital Vaccine through the SMS client. From the top line menu, you can open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update.
 
System Requirements
The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, all NGFW and all TPS systems.
The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance.
Please note that vTPS does not currently support pre-disclosed ZDI filters.
 
The Digital Vaccine can be manually downloaded from the following URLs:
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9007.pkg
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9007.pkg

Update Details

Table of Contents
--------------------------

Filters
 New Filters
 Modified Filters (logic changes)
 Modified Filters (metadata changes only)
 Removed Filters

Filters
----------------
 New Filters:


    29135: HTTP: Foxit Reader launchURL Command Injection Vulnerability (ZDI-17-691)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a command injection vulnerability in Foxit Reader.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Bugtraq ID: 100409
        - Common Vulnerabilities and Exposures: CVE-2017-10951
        - Zero Day Initiative: ZDI-17-691

    29587: SMB: Microsoft Windows SMB Server Code Execution Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a code execution vulnerability in the SMBv1 component of Microsoft Windows SMB Server.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Bugtraq ID: 96703
        - Common Vulnerabilities and Exposures: CVE-2017-0143 CVSS 9.3
        - Microsoft Security Bulletin: MS17-010

    29631: RDP: Microsoft Windows XP and Server 2003 RDP Buffer Overflow Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Microsoft Windows XP and Server 2003.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Bugtraq ID: 98752
        - Common Vulnerabilities and Exposures: CVE-2017-0176 CVSS 9.3

    29656: HTTP: Symantec Messaging Gateway backupNow Command Injection Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a command injection vulnerability in Symantec Messaging Gateway.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Bugtraq ID: 98893
        - Common Vulnerabilities and Exposures: CVE-2017-6326 CVSS 10.0

    29657: ZDI-CAN-4992,4993,5042-5055,5061-5065: Zero Day Initiative Vulnerability (Advantech WebAccess)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Security Policy
      - Category (3.2 DV): Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    29660: HTTP: EMC VMAX3 VASA Provider UploadConfigurator Unrestricted File Upload Vulnerability (ZDI-17-491)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit an unrestricted file upload vulnerability in EMC VMAX3 VASA Provider.
      - Description (3.2 DV): This filter detects an attempt to exploit an unrestricted file upload vulnerability in EMC VMAX3 VASA Provider.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Bugtraq ID: 99169
        - Common Vulnerabilities and Exposures: CVE-2017-4997 CVSS 10.0
        - Zero Day Initiative: ZDI-17-491

    29661: HTTPS: EMC VMAX3 VASA Provider UploadConfigurator Unrestricted File Upload Vulnerability (ZDI-17-491)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit an unrestricted file upload vulnerability in EMC VMAX3 VASA Provider.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Bugtraq ID: 99169
        - Common Vulnerabilities and Exposures: CVE-2017-4997 CVSS 10.0
        - Zero Day Initiative: ZDI-17-491

    29673: HTTP: Symantec Messaging Gateway performRestore Command Injection Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a command injection vulnerability in Symantec Messaging Gateway.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Bugtraq ID: 100135
        - Common Vulnerabilities and Exposures: CVE-2017-6327 CVSS 6.5

    29674: HTTPS: Symantec Messaging Gateway performRestore Command Injection Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a command injection vulnerability in Symantec Messaging Gateway.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Bugtraq ID: 100135
        - Common Vulnerabilities and Exposures: CVE-2017-6327 CVSS 6.5

    29677: HTTP: Microsoft Office Composite Moniker Code Execution Vulnerability
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a code execution vulnerability in Microsoft Office.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Bugtraq ID: 99445
        - Common Vulnerabilities and Exposures: CVE-2017-8570 CVSS 9.3

    29678: HTTP: Git ssh URL Processing Command Execution Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a command execution vulnerability in Git.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Bugtraq ID: 100279, 100283
        - Common Vulnerabilities and Exposures: CVE-2017-1000117, CVE-2017-12836 CVSS 5.1

    29679: HTTP: Apache Struts 2 REST Plugin Malicious XML Parameter Usage
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Moderate
      - Description: This filter detects an attempt to send malicious XML parameters to Apache Struts 2 REST plugin.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Bugtraq ID: 100611
        - Common Vulnerabilities and Exposures: CVE-2017-9793

    29683: ZDI-CAN-5057: Zero Day Initiative Vulnerability (Advantech WebAccess)
      - IPS Version: 3.2.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess.
      - Deployments:
        - Deployment: Default (Block / Notify / Trace)
        - Deployment: Performance-Optimized (Disabled)

    29684: ZDI-CAN-5058: Zero Day Initiative Vulnerability (Advantech WebAccess)
      - IPS Version: 3.2.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess.
      - Deployments:
        - Deployment: Default (Block / Notify / Trace)
        - Deployment: Performance-Optimized (Disabled)

    29685: HTTP: Microsoft Office WordPerfect Document Converter Buffer Overflow Vulnerability (ZDI-17-730)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Microsoft Office WordPerfect Document Converter.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Bugtraq ID: 100748
        - Common Vulnerabilities and Exposures: CVE-2017-8744
        - Zero Day Initiative: ZDI-17-730

    29687: ZDI-CAN-5059: Zero Day Initiative Vulnerability (Microsoft Edge)
      - IPS Version: 3.2.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Microsoft Edge.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    29694: ZDI-CAN-5069: Zero Day Initiative Vulnerability (Microsoft Windows SMB)
      - IPS Version: 3.2.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Microsoft Windows SMB.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

  Modified Filters (logic changes):
    * = Enabled in Default deployments

    24705: TCP: ysoserial Java Deserialization Tool Usage
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    26893: SMB: Microsoft Windows mrxsmb20.dll Denial-of-Service Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    * 28211: ZDI-CAN-4524,4563: Zero Day Initiative Vulnerability (HPE Operations Orchestration)
      - IPS Version: 3.2.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Detection logic updated.

    * 28287: ZDI-CAN-4759-4761: Zero Day Initiative Vulnerability (HPE Intelligent Management Center)
      - IPS Version: 3.2.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Detection logic updated.

    * 28729: HTTP: Microsoft Chakra eval Integer Overflow Vulnerability (ZDI-17-641)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.
      - Vulnerability references updated.

    28908: HTTP: HPE IMC userSelectPagingContent Code Injection Vulnerability (ZDI-17-685)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.
      - Vulnerability references updated.

    * 28981: HTTP: Microsoft Edge Scripting Engine Memory Corruption Vulnerability (ZDI-17-731, ZDI-17-736)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28981: HTTP: Microsoft Edge Scripting Engine Memory Corruption Vulnerability (ZDI-17-731)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 28988: HTTPS: Trend Micro InterScan Web Security GetClusterInfo Command Injection Vulnerability (ZDI-17-214)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    29518: HTTP: Content-Disposition Filename Extension Does Not Match Payload File Type
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

  Modified Filters (metadata changes only):
    * = Enabled in Default deployments

    4519: HTTP: Novell eDirectory Server Buffer Overflow (ZDI-06-035)
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "4519: HTTP: Novell eDirectory Server Buffer Overflow".
      - Description updated.
      - Vulnerability references updated.

    4874: HTTP: Computer Associates CAB Filename Buffer Overflow Vulnerability (ZDI-07-034, ZDI-07-035)
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "4874: HTTP: Computer Associates CAB Filename Buffer Overflow Vulnerability (ZDI-07-034)".
      - Description updated.
      - Vulnerability references updated.

    5401: HTTP: Retired ActiveX Control Instantiation (ZDI-07-037)
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "5401: HTTP: Retired ActiveX Control Instantiation".
      - Description updated.
      - Vulnerability references updated.

    * 5535: HTTP: Invalid Windows Media Player Skin Download (ZDI-07-046, ZDI-07-047)
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "5535: HTTP: Invalid Windows Media Player Skin Download (ZDI-07-046)".
      - Description updated.
      - Vulnerability references updated.

    * 12456: HTTP: Apple QuickTime PICT Image Memory Corruption Vulnerability (ZDI-07-066, ZDI-07-067)
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "12456: HTTP: Apple QuickTime PICT Image Memory Corruption Vulnerability".
      - Description updated.
      - Vulnerability references updated.

    16504: HTTP: Internet Explorer HTML Rendering Mode Override
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Deployments updated and are now:
        - Deployment: Security-Optimized (Block / Notify)

    20358: HTTP: Suspicious JavaScript Variable Name
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Deployments updated and are now:
        - No Deployments.

    * 29574: HTTP: Microsoft Windows PDF Memory Corruption Vulnerability (ZDI-17-729)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29574: HTTP: Microsoft Windows PDF Memory Corruption Vulnerability".
      - Description updated.
      - Vulnerability references updated.

    * 29586: HTTP: Nginx ngx_http_range_filter_module Integer Overflow Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.

    * 29588: HTTP: Microsoft Windows System Information Console XXE Injection Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Vulnerability references updated.

  Removed Filters: None
  
Category: Configure; Troubleshoot; Deploy
Solution Id: TP000091056