Digital Vaccine #9033

Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs. New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com SMS customers can update the Digital Vaccine through the SMS client. From the top line menu, you can open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update.

 

System Requirements

The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above,  all NGFW and all TPS systems. The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance. Please note that vTPS does not currently support pre-disclosed ZDI filters.

 

Microsoft Security Bulletins This DV includes coverage for the Microsoft vulnerabilities released on or before November 14, 2017. The following table maps TippingPoint filters to the Microsoft CVEs.
CVE #	TippingPoint Filter #	Status
CVE-2017-11768		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11770		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11788		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11791	29921
CVE-2017-11803		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11827		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11830		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11831		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11832		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11833		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11834		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11835		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11836		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11837	29923
CVE-2017-11838		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11839		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11840	29926
CVE-2017-11841	29933
CVE-2017-11842		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11843	29931
CVE-2017-11844		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11845	29930
CVE-2017-11846	29932
CVE-2017-11847	29924
CVE-2017-11848		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11849		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11850		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11851		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11852		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11853		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11854	29929
CVE-2017-11855	29918
CVE-2017-11856	*29744
CVE-2017-11858	*29832
CVE-2017-11861	29925
CVE-2017-11862		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11863		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11866		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11867		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11869	*29794
CVE-2017-11870		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11871		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11872		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11873	29927
CVE-2017-11874		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11876		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11877		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11878	*29784
CVE-2017-11879		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11880		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11882		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11883		Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8700		Vendor Deemed Reproducibility or Exploitation Unlikely
Filters marked with * shipped prior to this DV, providing zero-day protection.

 

The Digital Vaccine can be manually downloaded from the following URLs: https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9033.pkg https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9033.pkg

Update Details

Table of Contents
--------------------------
Filters
 New Filters
 Modified Filters (logic changes)
 Modified Filters (metadata changes only)
 Removed Filters

Filters
----------------
 New Filters:

    29918: HTTP: Microsoft Internet Explorer TypeError Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Internet Explorer.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-11855

    29921: HTTP: Microsoft Edge removeEventListener Information Disclosure Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: High
      - Description: This filter detects an attempt to exploit an information disclosure vulnerability in Microsoft Edge.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-11791

    29923: HTTP: Microsoft Edge Array Use-After-Free Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a use-after-free vulnerability in Microsoft Edge.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-11837

    29924: HTTP: Microsoft Windows Kernel Privilege Escalation Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a privilege escalation vulnerability in Microsoft Windows.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-11847

    29925: HTTP: Microsoft Edge Typed Array Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Edge.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-11861

    29926: HTTP: Microsoft Edge Array Type Confusion Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a type confusion vulnerability in Microsoft Edge.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-11840

    29927: HTTP: Microsoft Edge Typed Array Type Confusion Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a type confusion vulnerability in Microsoft Edge.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-11873

    29929: HTTP: Microsoft Word RTF Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Word.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-11854

    29930: HTTP: Microsoft Edge transition-property Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Edge.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-11845

    29931: HTTP: Microsoft Edge getOwnPropertyDescriptor Use-After-Free Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a use-after-free vulnerability in Microsoft Edge.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-11843

    29932: HTTP: Microsoft Chakra textarea Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Chakra.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-11846

    29933: HTTP: Microsoft Edge Call Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Edge.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-11841

    29934: ZDI-CAN-5140: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Adobe Acrobat Pro DC.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    29935: ZDI-CAN-5141: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Adobe Acrobat Pro DC.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    29936: ZDI-CAN-5142: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Adobe Acrobat Pro DC.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    29937: ZDI-CAN-5143: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Adobe Acrobat Pro DC.
      - Deployments:
        - Deployment: Default (Block / Notify / Trace)
        - Deployment: Performance-Optimized (Disabled)

    29938: ZDI-CAN-5144: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Adobe Acrobat Pro DC.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    29939: ZDI-CAN-5145: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Adobe Acrobat Pro DC.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    29958: HTTP: MANTISTEK Cloud Driver Reporting Request
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.1.0 and after.
      - TPS Version: Not available.
      - vTPS Version: Not available.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter detects usage of the MANTISTEK Cloud Driver over the HTTP protocol.
      - Deployment: Not enabled by default in any deployment.

  Modified Filters (logic changes):
    * = Enabled in Default deployments

    25458: HTTP: Flexense DiskPulse Enterprise Server Buffer Overflow Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    * 28031: HTTP: Flexense Multiple Product Import Command Buffer Overflow Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    * 28311: HTTP: Trend Micro Mobile Security for Enterprise database_name SQL Injection (ZDI-17-791)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28311: ZDI-CAN-4786: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 28312: HTTP: Trend Micro Mobile Security for Enterprise edit_eas_note SQL Injection (ZDI-17-795)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28312: ZDI-CAN-4791: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 28313: HTTP: Trend Micro Mobile Security for Enterprise SQL Injection Vulnerability (ZDI-17-796,797,799)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28313: ZDI-CAN-4792-4793,4796: Zero Day Initiative Vulnerability (Trend Micro Mobile Security)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 28317: HTTP: Trend Micro Mobile Security for Enterprise delete_user SQL Injection Vulnerability(ZDI-17-798)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28317: ZDI-CAN-4794: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 28462: HTTP: Trend Micro Mobile Security for Enterprise SQL Injection Vulnerability (ZDI-17-758,769,780)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28462: ZDI-CAN-4661,4690,4673: Zero Day Initiative Vulnerability (Trend Micro Mobile Security)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    28465: SMB: Linux Samba Code Execution Vulnerability (EternalRed)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    * 28536: HTTP: Trend Micro Mobile Security for Enterprise invite_devices SQL Injection (ZDI-17-749)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28536: ZDI-CAN-4652: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    29744: HTTP: Microsoft Windows JavaScript Array Use-After-Free Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29744: ZDI-CAN-5077: Zero Day Initiative Vulnerability (Microsoft Edge)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 29766: HTTP: Microsoft Office OOXML Type Confusion Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 29832: HTTP: Microsoft Chakra Regular Expression Integer Overflow Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29832: ZDI-CAN-5198: Zero Day Initiative Vulnerability (Microsoft Chakra)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

  Modified Filters (metadata changes only):
    * = Enabled in Default deployments

    * 26410: HTTP: Microsoft Word RTF Memory Corruption Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category changed from "Vulnerabilities" to "Exploits".

    * 27484: HTTP: Microsoft Word RTF Memory Corruption Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category changed from "Vulnerabilities" to "Exploits".

    * 29784: HTTP: Microsoft Excel Use-After-Free Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29784: ZDI-CAN-5105: Zero Day Initiative Vulnerability (Microsoft Office Excel)".
      - Description updated.
      - Vulnerability references updated.

    * 29794: HTTP: Microsoft Windows VBScript Join Function Integer Overflow Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29794: ZDI-CAN-5112: Zero Day Initiative Vulnerability (Microsoft Windows)".
      - Description updated.
      - Vulnerability references updated.

  Removed Filters: None
  
   
Top of the Page