Summary
Digital Vaccine #9007 October 3, 2017
Details
Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs. New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com
SMS customers can update the Digital Vaccine through the SMS client. From the top line menu, open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update.
System Requirements
The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, all NGFW and all TPS systems. The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance. Please note that vTPS does not currently support pre-disclosed ZDI filters.
The Digital Vaccine can be manually downloaded from the following URLs:
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9007.pkg
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9007.pkg
Update Details
Table of Contents
--------------------------
Filters
New Filters
Modified Filters (logic changes)
Modified Filters (metadata changes only)
Removed Filters
Filters
----------------
New Filters:
29135: HTTP: Foxit Reader launchURL Command Injection Vulnerability (ZDI-17-691)
- IPS Version: 3.2.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a command injection vulnerability in Foxit Reader.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Bugtraq ID: 100409
- Common Vulnerabilities and Exposures: CVE-2017-10951
- Zero Day Initiative: ZDI-17-691
29587: SMB: Microsoft Windows SMB Server Code Execution Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: Critical
- Description: This filter detects an attempt to exploit a code execution vulnerability in the SMBv1 component of Microsoft Windows SMB Server.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Bugtraq ID: 96703
- Common Vulnerabilities and Exposures: CVE-2017-0143 CVSS 9.3
- Microsoft Security Bulletin: MS17-010
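The filter's own detection logic is not published. As an added example (not DVLabs code), the Python below shows the coarse on-the-wire check a practitioner can run over raw TCP/445 payloads: it strips the NetBIOS session framing, distinguishes SMB1 from SMB2/3 by the 4-byte magic, and flags every SMBv1 Negotiate Protocol request (an MS17-010 exploit must first negotiate an SMB1 dialect) as well as SMBv1 Trans2 requests carrying subcommand 0x000E (SESSION_SETUP), which public MS17-010 checkers and exploits send. The header field values and the three sample packets are constructed by hand, not captures.

```python
"""Coarse SMBv1 classifier for NetBIOS-framed SMB messages (added example)."""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_HEADER_LEN = 32
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_NEGOTIATE = 0x72
TRANS2_SESSION_SETUP = 0x000E


def strip_netbios(data: bytes) -> bytes:
    """Remove the NetBIOS Session Service header: type 0x00 + 3-byte big-endian length."""
    if len(data) < 4 or data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(data[1:4], "big")
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated NetBIOS session message")
    return body


def classify_smb(data: bytes) -> dict:
    """Classify one SMB message; 'alert' stays None when nothing looks suspicious."""
    smb = strip_netbios(data)
    info = {"protocol": None, "command": None, "dialects": [],
            "trans2_subcommand": None, "alert": None}
    if smb.startswith(SMB2_MAGIC):
        info["protocol"] = "SMB2"      # SMB2/3 is out of scope for an SMBv1 filter
        return info
    if not smb.startswith(SMB1_MAGIC) or len(smb) < SMB1_HEADER_LEN + 3:
        return info
    info["protocol"] = "SMB1"
    info["command"] = smb[4]
    word_count = smb[SMB1_HEADER_LEN]
    params = smb[SMB1_HEADER_LEN + 1:SMB1_HEADER_LEN + 1 + 2 * word_count]
    bc_off = SMB1_HEADER_LEN + 1 + 2 * word_count
    if len(smb) < bc_off + 2:
        return info
    byte_count = struct.unpack_from("<H", smb, bc_off)[0]
    buf = smb[bc_off + 2:bc_off + 2 + byte_count]
    if info["command"] == SMB_COM_NEGOTIATE:
        # The dialect list is a run of 0x02 <dialect name> 0x00 entries.
        for item in buf.split(b"\x00"):
            if item.startswith(b"\x02"):
                info["dialects"].append(item[1:].decode("ascii", "replace"))
        info["alert"] = "SMBv1 negotiate"
    elif info["command"] == SMB_COM_TRANSACTION2 and word_count >= 15:
        # Setup[0], the Trans2 subcommand, sits 28 bytes into the parameter words.
        info["trans2_subcommand"] = struct.unpack_from("<H", params, 28)[0]
        if info["trans2_subcommand"] == TRANS2_SESSION_SETUP:
            info["alert"] = "SMBv1 Trans2 SESSION_SETUP"
    return info


# --- constructed sample packets (not captures) -------------------------------
def _smb1_header(command: int) -> bytes:
    # magic, command, NT status, flags, flags2, PIDHigh, signature, reserved, TID, PID, UID, MID
    return SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", command, 0, 0x18, 0xC853, 0,
                                    b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def _netbios(body: bytes) -> bytes:
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_negotiate(dialects) -> bytes:
    buf = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE) + b"\x00"
                    + struct.pack("<H", len(buf)) + buf)


def build_trans2(subcommand: int) -> bytes:
    # 14 fixed parameter words + SetupCount/Reserved + Setup[0] = WordCount 15
    params = struct.pack("<HHHHBBHIHHHHHBBH", 12, 0, 0, 0, 0, 0, 0, 0, 0,
                         12, 65, 0, 0, 1, 0, subcommand)
    data = b"\x00" * 12
    return _netbios(_smb1_header(SMB_COM_TRANSACTION2) + bytes([15]) + params
                    + struct.pack("<H", len(data)) + data)


SAMPLE_NEGOTIATE = build_negotiate(["NT LM 0.12"])
SAMPLE_TRANS2 = build_trans2(TRANS2_SESSION_SETUP)
SAMPLE_SMB2 = _netbios(SMB2_MAGIC + b"\x00" * 60)

if __name__ == "__main__":
    for name, pkt in (("negotiate", SAMPLE_NEGOTIATE), ("trans2", SAMPLE_TRANS2),
                      ("smb2", SAMPLE_SMB2)):
        print(name, classify_smb(pkt))
```

Because SMBv1 has no legitimate place on a patched estate, alerting on any SMB1 Negotiate is usually acceptable; the Trans2 subcommand check narrows it to the request shape MS17-010 tooling uses. Neither check inspects the overflow itself, so treat hits as triage signals, not confirmation of exploitation.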
29631: RDP: Microsoft Windows XP and Server 2003 RDP Buffer Overflow Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: Critical
- Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Microsoft Windows XP and Server 2003.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Bugtraq ID: 98752
- Common Vulnerabilities and Exposures: CVE-2017-0176 CVSS 9.3
29656: HTTP: Symantec Messaging Gateway backupNow Command Injection Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: Critical
- Description: This filter detects an attempt to exploit a command injection vulnerability in Symantec Messaging Gateway.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Bugtraq ID: 98893
- Common Vulnerabilities and Exposures: CVE-2017-6326 CVSS 10.0
29657: ZDI-CAN-4992,4993,5042-5055,5061-5065: Zero Day Initiative Vulnerability (Advantech WebAccess)
- IPS Version: 3.2.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: Not available.
- Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
- Category: Security Policy
- Category (3.2 DV): Exploits
- Severity: Critical
- Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
29660: HTTP: EMC VMAX3 VASA Provider UploadConfigurator Unrestricted File Upload Vulnerability (ZDI-17-491)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit an unrestricted file upload vulnerability in EMC VMAX3 VASA Provider.
- Description (3.2 DV): This filter detects an attempt to exploit an unrestricted file upload vulnerability in EMC VMAX3 VASA Provider.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Bugtraq ID: 99169
- Common Vulnerabilities and Exposures: CVE-2017-4997 CVSS 10.0
- Zero Day Initiative: ZDI-17-491
29661: HTTPS: EMC VMAX3 VASA Provider UploadConfigurator Unrestricted File Upload Vulnerability (ZDI-17-491)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit an unrestricted file upload vulnerability in EMC VMAX3 VASA Provider.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Bugtraq ID: 99169
- Common Vulnerabilities and Exposures: CVE-2017-4997 CVSS 10.0
- Zero Day Initiative: ZDI-17-491
29673: HTTP: Symantec Messaging Gateway performRestore Command Injection Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a command injection vulnerability in Symantec Messaging Gateway.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Bugtraq ID: 100135
- Common Vulnerabilities and Exposures: CVE-2017-6327 CVSS 6.5
29674: HTTPS: Symantec Messaging Gateway performRestore Command Injection Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: Critical
- Description: This filter detects an attempt to exploit a command injection vulnerability in Symantec Messaging Gateway.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Bugtraq ID: 100135
- Common Vulnerabilities and Exposures: CVE-2017-6327 CVSS 6.5
29677: HTTP: Microsoft Office Composite Moniker Code Execution Vulnerability
- IPS Version: 3.2.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a code execution vulnerability in Microsoft Office.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Bugtraq ID: 99445
- Common Vulnerabilities and Exposures: CVE-2017-8570 CVSS 9.3
29678: HTTP: Git ssh URL Processing Command Execution Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: Critical
- Description: This filter detects an attempt to exploit a command execution vulnerability in Git.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Bugtraq ID: 100279, 100283
- Common Vulnerabilities and Exposures: CVE-2017-1000117, CVE-2017-12836 CVSS 5.1
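The root cause behind CVE-2017-1000117 is that git hands the host part of an ssh:// or scp-style remote URL to the ssh binary as a command-line argument, so a "host" such as -oProxyCommand=... is parsed by ssh as an option and executes a command; a malicious .gitmodules entry triggers it during a recursive clone. As an added example (not git's own code), the Python below extracts the host the way git would and rejects hosts beginning with a dash, which is the check git 2.14.1 introduced; it also scans a .gitmodules text for offending url entries. The .gitmodules content is constructed for the example.

```python
"""Reject git remote URLs whose ssh host would be parsed by ssh as an option (added example)."""
import re
from typing import List, Optional

SSH_SCHEMES = ("ssh://", "git+ssh://", "ssh+git://")


def ssh_host(url: str) -> Optional[str]:
    """Return the host git would hand to ssh, or None if the URL does not use ssh."""
    lower = url.lower()
    for scheme in SSH_SCHEMES:
        if lower.startswith(scheme):
            netloc = url[len(scheme):].split("/", 1)[0]
            host = netloc.rsplit("@", 1)[-1]            # drop user@
            if host.startswith("["):                    # [v6::addr]:port
                host = host[1:].split("]", 1)[0]
            else:
                host = host.split(":", 1)[0]            # drop :port
            return host
    if "://" in url:
        return None                                     # http(s)://, file://, git:// ...
    # scp-like form [user@]host:path: a ':' before any '/' and not a Windows drive path
    head = url.split("/", 1)[0]
    if ":" in head and not re.match(r"^[A-Za-z]:[\\/]", url):
        return head.split(":", 1)[0].rsplit("@", 1)[-1]
    return None


def is_safe_git_url(url: str) -> bool:
    """False when the ssh host starts with '-', i.e. ssh would treat it as an option."""
    host = ssh_host(url)
    return host is None or not host.startswith("-")


def unsafe_submodule_urls(gitmodules_text: str) -> List[str]:
    """Return every 'url = ...' value in a .gitmodules file that fails is_safe_git_url."""
    bad = []
    for line in gitmodules_text.splitlines():
        m = re.match(r"\s*url\s*=\s*(.+?)\s*$", line)
        if m and not is_safe_git_url(m.group(1)):
            bad.append(m.group(1))
    return bad


# Constructed .gitmodules: one benign submodule and one carrying the option-injection host.
SAMPLE_GITMODULES = """[submodule "vendor/lib"]
\tpath = vendor/lib
\turl = git@github.com:example/lib.git
[submodule "evil"]
\tpath = evil
\turl = ssh://-oProxyCommand=touch%20pwned/repo
"""

if __name__ == "__main__":
    print(unsafe_submodule_urls(SAMPLE_GITMODULES))
```

On the network side the same idea applies: a .gitmodules file served over HTTP whose url values fail this check is what the filter is looking for, and a pre-receive hook or CI step running unsafe_submodule_urls over committed .gitmodules files catches it before any client clones it.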
29679: HTTP: Apache Struts 2 REST Plugin Malicious XML Parameter Usage
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Security Policy
- Severity: Moderate
- Description: This filter detects an attempt to send malicious XML parameters to Apache Struts 2 REST plugin.
- Deployment: Not enabled by default in any deployment.
- References:
- Bugtraq ID: 100611
- Common Vulnerabilities and Exposures: CVE-2017-9793
29683: ZDI-CAN-5057: Zero Day Initiative Vulnerability (Advantech WebAccess)
- IPS Version: 3.2.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: Not available.
- Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess.
- Deployments:
- Deployment: Default (Block / Notify / Trace)
- Deployment: Performance-Optimized (Disabled)
29684: ZDI-CAN-5058: Zero Day Initiative Vulnerability (Advantech WebAccess)
- IPS Version: 3.2.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: Not available.
- Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess.
- Deployments:
- Deployment: Default (Block / Notify / Trace)
- Deployment: Performance-Optimized (Disabled)
29685: HTTP: Microsoft Office WordPerfect Document Converter Buffer Overflow Vulnerability (ZDI-17-730)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: Critical
- Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Microsoft Office WordPerfect Document Converter.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Bugtraq ID: 100748
- Common Vulnerabilities and Exposures: CVE-2017-8744
- Zero Day Initiative: ZDI-17-730
29687: ZDI-CAN-5059: Zero Day Initiative Vulnerability (Microsoft Edge)
- IPS Version: 3.2.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: Not available.
- Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Microsoft Edge.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
29694: ZDI-CAN-5069: Zero Day Initiative Vulnerability (Microsoft Windows SMB)
- IPS Version: 3.2.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: Not available.
- Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Microsoft Windows SMB.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
Modified Filters (logic changes):
* = Enabled in Default deployments
24705: TCP: ysoserial Java Deserialization Tool Usage
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
26893: SMB: Microsoft Windows mrxsmb20.dll Denial-of-Service Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
* 28211: ZDI-CAN-4524,4563: Zero Day Initiative Vulnerability (HPE Operations Orchestration)
- IPS Version: 3.2.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: Not available.
- Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
- Detection logic updated.
* 28287: ZDI-CAN-4759-4761: Zero Day Initiative Vulnerability (HPE Intelligent Management Center)
- IPS Version: 3.2.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: Not available.
- Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
- Detection logic updated.
* 28729: HTTP: Microsoft Chakra eval Integer Overflow Vulnerability (ZDI-17-641)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
- Vulnerability references updated.
28908: HTTP: HPE IMC userSelectPagingContent Code Injection Vulnerability (ZDI-17-685)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
- Vulnerability references updated.
* 28981: HTTP: Microsoft Edge Scripting Engine Memory Corruption Vulnerability (ZDI-17-731,ZDI-17-736)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28981: HTTP: Microsoft Edge Scripting Engine Memory Corruption Vulnerability (ZDI-17-731)".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
* 28988: HTTPS: Trend Micro InterScan Web Security GetClusterInfo Command Injection Vulnerability (ZDI-17-214)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
29518: HTTP: Content-Disposition Filename Extension Does Not Match Payload File Type
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
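Filter 29518 is the one generic check in this release worth reproducing: a download whose Content-Disposition claims one file type while the bytes say another (an "invoice.pdf" that starts with MZ) is a classic delivery trick. As an added example (not the DV filter's logic), the Python below splits an HTTP response, pulls the filename from Content-Disposition (handling both quoted filename= and RFC 5987 filename*= forms), sniffs the payload's magic bytes, and reports a mismatch while allowing the legitimate multi-format cases such as OOXML and JAR files being ZIP containers. The signature table and the three sample responses are constructed for the example.

```python
"""Compare a Content-Disposition filename extension with the payload's magic bytes (added example)."""
import re
from typing import Optional
from urllib.parse import unquote

# Magic-byte signatures -> file family.
SIGNATURES = (
    (b"MZ", "pe"),
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
    (b"{\\rtf", "rtf"),
    (b"Rar!\x1a\x07", "rar"),
)

# Extension -> file families that legitimately carry it (OOXML, JAR and APK are ZIP containers).
EXPECTED = {
    "exe": {"pe"}, "dll": {"pe"}, "scr": {"pe"},
    "pdf": {"pdf"},
    "zip": {"zip"}, "jar": {"zip"}, "apk": {"zip"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"},
    "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"}, "msi": {"ole"},
    "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "gif": {"gif"},
    "rtf": {"rtf"}, "rar": {"rar"},
}


def sniff(body: bytes) -> Optional[str]:
    """Return the file family the leading bytes identify, or None if unknown."""
    for magic, family in SIGNATURES:
        if body.startswith(magic):
            return family
    return None


def disposition_filename(header_value: str) -> Optional[str]:
    """Filename from a Content-Disposition value; filename*= takes precedence per RFC 6266."""
    m = re.search(r"filename\*\s*=\s*[^']*'[^']*'([^;]+)", header_value, re.I)
    if m:
        return unquote(m.group(1).strip())
    m = re.search(r'filename\s*=\s*"((?:[^"\\]|\\.)*)"|filename\s*=\s*([^;]+)',
                  header_value, re.I)
    if m:
        return (m.group(1) if m.group(1) is not None else m.group(2)).strip()
    return None


def check_response(raw: bytes) -> dict:
    """Split a raw HTTP response and compare the claimed extension with the sniffed type."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip the status line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    filename = disposition_filename(headers.get("content-disposition", ""))
    ext = filename.rsplit(".", 1)[-1].lower() if filename and "." in filename else None
    family = sniff(body)
    mismatch = bool(ext in EXPECTED and family is not None and family not in EXPECTED[ext])
    return {"filename": filename, "extension": ext, "sniffed": family, "mismatch": mismatch}


# --- constructed sample responses ---------------------------------------------
def _response(disposition: str, body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Disposition: " + disposition.encode() + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


SAMPLE_PE_AS_PDF = _response('attachment; filename="invoice.pdf"', b"MZ\x90\x00" + b"\x00" * 60)
SAMPLE_REAL_PDF = _response("attachment; filename=report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")
SAMPLE_DOCX = _response("attachment; filename*=UTF-8''Q%202017%20notes.docx",
                        b"PK\x03\x04" + b"\x00" * 26)

if __name__ == "__main__":
    for sample in (SAMPLE_PE_AS_PDF, SAMPLE_REAL_PDF, SAMPLE_DOCX):
        print(check_response(sample))
```

Two caveats that the "Detection logic updated" note hints at: the body must be decoded (Content-Encoding: gzip, chunked transfer) before sniffing, and an unknown magic is reported as no mismatch rather than a hit, so an empty or text-only body with an .exe name is left to other filters.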
Modified Filters (metadata changes only):
* = Enabled in Default deployments
4519: HTTP: Novell eDirectory Server Buffer Overflow (ZDI-06-035)
- IPS Version: 1.0.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "4519: HTTP: Novell eDirectory Server Buffer Overflow".
- Description updated.
- Vulnerability references updated.
4874: HTTP: Computer Associates CAB Filename Buffer Overflow Vulnerability (ZDI-07-034, ZDI-07-035)
- IPS Version: 1.0.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "4874: HTTP: Computer Associates CAB Filename Buffer Overflow Vulnerability (ZDI-07-034)".
- Description updated.
- Vulnerability references updated.
5401: HTTP: Retired ActiveX Control Instantiation (ZDI-07-037)
- IPS Version: 1.0.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "5401: HTTP: Retired ActiveX Control Instantiation".
- Description updated.
- Vulnerability references updated.
* 5535: HTTP: Invalid Windows Media Player Skin Download (ZDI-07-046, ZDI-07-047)
- IPS Version: 1.0.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "5535: HTTP: Invalid Windows Media Player Skin Download (ZDI-07-046)".
- Description updated.
- Vulnerability references updated.
* 12456: HTTP: Apple QuickTime PICT Image Memory Corruption Vulnerability (ZDI-07-066, ZDI-07-067)
- IPS Version: 1.0.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "12456: HTTP: Apple QuickTime PICT Image Memory Corruption Vulnerability".
- Description updated.
- Vulnerability references updated.
16504: HTTP: Internet Explorer HTML Rendering Mode Override
- IPS Version: 1.0.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Deployments updated and are now:
- Deployment: Security-Optimized (Block / Notify)
20358: HTTP: Suspicious JavaScript Variable Name
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Deployments updated and are now:
- No Deployments.
* 29574: HTTP: Microsoft Windows PDF Memory Corruption Vulnerability (ZDI-17-729)
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "29574: HTTP: Microsoft Windows PDF Memory Corruption Vulnerability".
- Description updated.
- Vulnerability references updated.
* 29586: HTTP: Nginx ngx_http_range_filter_module Integer Overflow Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
* 29588: HTTP: Microsoft Windows System Information Console XXE Injection Vulnerability
- IPS Version: 3.1.3 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
- Vulnerability references updated.
Removed Filters: None