Digital Vaccine #9106

    • Updated: 22 May 2018
    • Product/Version: TippingPoint Digital Vaccine

Summary
Digital Vaccine #9106 (May 22, 2018)

Details
Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs.

New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com

SMS customers can update the Digital Vaccine through the SMS client. From the top line menu, you can open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update.
 
System Requirements
The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, and on all NGFW and all TPS systems.
The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance.
Please note that vTPS does not currently support pre-disclosed ZDI filters.
 
The Digital Vaccine can be manually downloaded from the following URLs:
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9106.pkg
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9106.pkg

Update Details

Table of Contents
--------------------------

Filters
 New Filters
 Modified Filters (logic changes)
 Modified Filters (metadata changes only)
 Removed Filters

Filters
----------------
 New Filters:
    29454: HTTP: File Download Request from a Suspicious Top-Level Domain
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter detects an attempt to download a .exe file from a suspicious top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29455: HTTP: File Download Request from a Specific Top-Level Domain (.af)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Afghanistan top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29456: HTTP: File Download Request from a Specific Top-Level Domain (.cn)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the People's Republic of China top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29457: HTTP: File Download Request from a Specific Top-Level Domain (.de)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Federal Republic of Germany top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29458: HTTP: File Download Request from a Specific Top-Level Domain (.eu)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the European Union top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29459: HTTP: File Download Request from a Specific Top-Level Domain (.fr)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the France top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29460: HTTP: File Download Request from a Specific Top-Level Domain (.hk)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Hong Kong top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29461: HTTP: File Download Request From a Specific Top-Level Domain (.kg)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Kyrgyzstan top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29462: HTTP: File Download Request from a Specific Top-Level Domain (.kp)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Democratic People's Republic of Korea top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29463: HTTP: File Download Request from a Specific Top-Level Domain (.kr)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Republic of Korea top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29464: HTTP: File Download Request from a Specific Top-Level Domain (.kz)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Kazakhstan top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29465: HTTP: File Download Request from a Specific Top-Level Domain (.pk)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Pakistan top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29466: HTTP: File Download Request from a Specific Top-Level Domain (.pw)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Palau top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29467: HTTP: File Download Request from a Specific Top-Level Domain (.ru)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Russian Federation top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29468: HTTP: File Download Request from a Specific Top-Level Domain (.su)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Soviet Union top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29469: HTTP: File Download Request from a Specific Top-Level Domain (.sy)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Syria top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29470: HTTP: File Download Request from a Specific Top-Level Domain (.tj)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Tajikistan top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29471: HTTP: File Download Request from a Specific Top-Level Domain (.tm)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Turkmenistan top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29472: HTTP: File Download Request from a Specific Top-Level Domain (.uz)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Uzbekistan top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29473: HTTP: File Download Request from a Specific Top-Level Domain (.ml)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Mali top-level domain.
      - Deployment: Not enabled by default in any deployment.

    29474: HTTP: File Download Request from a Specific Top-Level Domain (.gq)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter will detect the download of a .exe file from the Equatorial Guinea top-level domain.
      - Deployment: Not enabled by default in any deployment.

    31368: SMTP: SpamAssassin Spam Test String Usage
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter detects an attempt to use the SpamAssassin spam test string in an email.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Bugtraq ID: 10957
        - Common Vulnerabilities and Exposures: CVE-2004-0796 CVSS 5.0

    31688: HTTP: Adobe Acrobat Reader Javascript Buffer Overflow Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Adobe Acrobat Reader.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-4947

    31735: UDP: Check Point VPN-1 ISAKMP Buffer Overflow Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Check Point FireWall-1 and VPN-1.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Bugtraq ID: 9582
        - Common Vulnerabilities and Exposures: CVE-2004-0040 CVSS 10.0

    31736: HTTP: InterWoven WorkDocs Cross-Site Scripting Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a cross-site scripting vulnerability in InterWoven WorkDocs.
      - Deployment: Not enabled by default in any deployment.

    31737: UDP: KAME IKE Racoon HASH Arbitrary File Deletion Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit an arbitrary file deletion vulnerability in KAME Project racoon.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Bugtraq ID: 9416, 9417
        - Common Vulnerabilities and Exposures: CVE-2004-0164 CVSS 5.0

    31738: HTTP: Foxit Reader BMP biWidth Buffer Overflow Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Foxit Reader.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Bugtraq ID: 103999
        - Common Vulnerabilities and Exposures: CVE-2017-17557 CVSS 6.8

    31739: HTTP: osCommerce Installer Code Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a code injection vulnerability in osCommerce.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    31740: SMTP: Dovecot rfc822_parse_domain Out-of-Bounds Read Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit an out-of-bounds read vulnerability in the Dovecot server.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Bugtraq ID: 103201
        - Common Vulnerabilities and Exposures: CVE-2017-14461

    31744: HTTPS: Dell EMC VMAX Virtual Appliance Manager Directory Traversal Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a directory traversal vulnerability in Dell EMC VMAX Virtual Appliance.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-1215

    31745: BGP: Quagga BGP Daemon bgp_capability_msg_parse Denial-of-Service Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a denial-of-service vulnerability in Quagga.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-5381

    31746: HTTP: PlaySMS Filename Code Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a code injection vulnerability in PlaySMS.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-9080 CVSS 7.5

    31747: HTTP: PlaySMS Phonebook Import Code Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a code injection vulnerability in PlaySMS.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-9101 CVSS 7.5

    31748: BGP: Quagga BGP Daemon bgp_update_receive Double Free Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a double free vulnerability in Quagga.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Bugtraq ID: 103105
        - Common Vulnerabilities and Exposures: CVE-2018-5379

    31754: HTTP: GNU Wget Cookie Injection Policy Bypass Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a policy bypass vulnerability in GNU Wget.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Bugtraq ID: 104129
        - Common Vulnerabilities and Exposures: CVE-2018-0494

    31755: HTTP: Mantis Bug Tracker manage_proj_page Code Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a code injection vulnerability in Mantis Bug Tracker.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Bugtraq ID: 31789
        - Common Vulnerabilities and Exposures: CVE-2008-4687 CVSS 9.0

    31756: HTTP: ManageEngine Applications Manager Code Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a code injection vulnerability in ManageEngine Applications Manager.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Bugtraq ID: 103358
        - Common Vulnerabilities and Exposures: CVE-2018-7890

    31757: HTTP: Apache Tika Chmparser Denial-of-Service Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: High
      - Description: This filter detects an attempt to exploit a denial-of-service vulnerability in Apache Tika.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-1339

    31758: HTTP: ClipBucket beats_uploader PHP File Upload Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a PHP file upload vulnerability in ClipBucket.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    31759: ZDI-CAN-5605: Zero Day Initiative Vulnerability (Microsoft Edge)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Microsoft Edge.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)

    31760: HTTP: HL7 C-CDA CDA.xsl nonXMLBody JavaScript Usage
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Moderate
      - Description: This filter detects an attempt to use JavaScript inside the nonXMLBody element of the CDA.xsl in HL7 C-CDA.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2014-3861 CVSS 4.3

    31761: HTTP: Xpdf Splash DrawImage Integer Overflow Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit an integer overflow vulnerability in Xpdf.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2009-3604

    31762: TCP: Suricata TCP Handshake Content Detection Policy Bypass Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a policy bypass vulnerability in Suricata.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-6794

    31763: HTTP: ClipBucket file_name Code Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a code injection vulnerability in ClipBucket.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    31764: TCP: NetGain Systems Enterprise Manager RMI Registry Insecure Deserialization (ZDI-17-953)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: High
      - Description: This filter detects an attempt to exploit an insecure deserialization vulnerability in NetGain Systems Enterprise Manager.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Bugtraq ID: 102247
        - Common Vulnerabilities and Exposures: CVE-2017-17406
        - Zero Day Initiative: ZDI-17-953

    31765: HTTP: Squid Reverse Proxy sslBumpAccessCheck Denial-of-Service Vulnerability (ZDI-18-309)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a denial-of-service vulnerability in Squid Proxy.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-1172
        - Zero Day Initiative: ZDI-18-309

    31766: HTTP: GNU Emacs Enriched text x-display Code Execution Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a code execution vulnerability in GNU Emacs.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Bugtraq ID: 100873
        - Common Vulnerabilities and Exposures: CVE-2017-14482 CVSS 6.8

    31771: DHCP: Microsoft Windows DHCP Logging Denial-of-Service Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: High
      - Description: This filter detects an attempt to exploit a denial-of-service vulnerability in Microsoft Windows DHCP.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2004-0899 CVSS 5.0
        - Microsoft Security Bulletin: MS04-042

    31772: UDP: Cisco Secure ACS EAP-TLS Authentication Bypass Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: High
      - Description: This filter detects an attempt to exploit an authentication bypass vulnerability in Cisco Secure Access Control Server (ACS).
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Bugtraq ID: 11577
        - Common Vulnerabilities and Exposures: CVE-2004-1099 CVSS 10.0

    31773: HTTP: Apache httpd FilesMatch Directive Security Restriction Bypass Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a security policy bypass vulnerability in Apache httpd.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Bugtraq ID: 103525
        - Common Vulnerabilities and Exposures: CVE-2017-15715

    31774: HTTP: Apple ImageIO GIF Integer Overflow Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit an integer overflow vulnerability in the ImageIO framework of Apple Mac OS X.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Bugtraq ID: 22630
        - Common Vulnerabilities and Exposures: CVE-2007-1071

    31775: HTTP: Microsoft ISA Server DNS Spoofing Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: High
      - Description: This filter detects an attempt to exploit a DNS spoofing vulnerability in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Proxy Server.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Bugtraq ID: 11605
        - Common Vulnerabilities and Exposures: CVE-2004-0892 CVSS 7.5
        - Microsoft Security Bulletin: MS04-039

    31776: ZDI-CAN-5608,5612: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess Node.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    31777: ZDI-CAN-5609: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess Node.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    31778: ZDI-CAN-5610,5649: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess Node.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    31783: HTTP: Citrix Presentation Server Client ActiveX Control Buffer Overflow Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Citrix Presentation Server Client.
      - Deployment: Not enabled by default in any deployment.

    31784: HTTP: Microsoft Edge Undo Information Disclosure Vulnerability (ZDI-18-428)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit an information disclosure vulnerability in Microsoft Edge.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-1021
        - Zero Day Initiative: ZDI-18-428

    31785: HTTP: Electron nodeIntegration Security Bypass Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a security bypass vulnerability in the Electron Framework.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-1000136

    31786: DNS: DNS Response With NULL Record Type
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter detects DNS responses with NULL Record Type.
      - Deployment: Not enabled by default in any deployment.

    31787: ZDI-CAN-5613: Zero Day Initiative Vulnerability (Microsoft Edge)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Microsoft Edge.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    31788: ZDI-CAN-5640: Zero Day Initiative Vulnerability (Trend Micro Endpoint Application Control)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Trend Micro Endpoint Application Control.
      - Deployments:
        - Deployment: Default (Block / Notify / Trace)
        - Deployment: Performance-Optimized (Disabled)

    31789: ZDI-CAN-5643: Zero Day Initiative Vulnerability (Advantech WebAccess HMI Designer)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess HMI Designer.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    31842: ZDI-CAN-5650: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess Node.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    31843: ZDI-CAN-5651: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess Node.
      - Deployments:
        - Deployment: Default (Block / Notify / Trace)
        - Deployment: Performance-Optimized (Disabled)

    31844: ZDI-CAN-5652: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess Node.
      - Deployments:
        - Deployment: Default (Block / Notify / Trace)
        - Deployment: Performance-Optimized (Disabled)

    31846: ZDI-CAN-5653: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess Node.
      - Deployments:
        - Deployment: Default (Block / Notify / Trace)
        - Deployment: Performance-Optimized (Disabled)

    31847: ZDI-CAN-5654: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess Node.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    31851: DHCP: Red Hat Fedora DHCP Client NetworkManager Input Validation Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit an input validation vulnerability in Red Hat Fedora DHCP client NetworkManager.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Bugtraq ID: 104195
        - Common Vulnerabilities and Exposures: CVE-2018-1111

  Modified Filters (logic changes):
    * = Enabled in Default deployments

    * 2772: MS-RPC: DCOM ISystemActivator Memory Leak/DOS
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 8213: MS-RPC: Invalid Enumeration Response
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    19690: HTTP: Microsoft IIS Integer Overflow Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    29346: HTTP: Apache HTTP Server ap_find_token Denial-of-Service Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    29660: HTTP: Dell EMC Multiple Products Directory Traversal Vulnerability (ZDI-17-491)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29660: HTTP: EMC VMAX3 VASA Provider UploadConfigurator Unrestricted File Upload Vulnerability (ZDI-17-491)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    30528: HTTP: Adobe Acrobat Pro XPS Vector Memory Corruption Vulnerability (ZDI-18-208)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    31070: HTTP: Microsoft Windows TrueType Font Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    31072: HTTP: Microsoft Windows TrueType Font Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 31136: HTTP: Microsoft Malware Protection Engine RAR VMSF_RGB Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31136: HTTP: Microsoft Malware Protection Engine Memory Corruption Vulnerability".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    31629: ZDI-CAN-5597,5606,5607,5611: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Name changed from "31629: ZDI-CAN-5597: Zero Day Initiative Vulnerability (Advantech WebAccess Node)".
      - Detection logic updated.
      - Vulnerability references updated.

  Modified Filters (metadata changes only):
    * = Enabled in Default deployments

    * 3706: NDMP: Veritas Backup Exec Agent Security Bypass Vulnerability
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "3706: NDMP: Veritas Backup Exec Agent Security Bypass vulnerability".

    13004: TCP: ActFax LPD Server Buffer Overflow Vulnerability
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Vulnerability references updated.

    19507: HTTP: ManageEngine Multiple Products Directory Traversal Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "19507: HTTP: Manage Engine Multiple Products Directory Traversal Vulnerability".
      - Description updated.
      - Vulnerability references updated.

    24705: TCP: ysoserial Java Deserialization Tool Usage (ZDI-17-953)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Vulnerability references updated.

    30464: HTTP: Electron setAsDefaultProtocolClient Command Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30464: HTTP: GitHub Electron setAsDefaultProtocolClient Command Injection Vulnerability".
      - Vulnerability references updated.

    * 31552: HTTP: Microsoft Edge CSS Use-After-Free Vulnerability (ZDI-18-433)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31552: HTTP: Microsoft Edge CSS Use-After-Free Vulnerability".
      - Description updated.
      - Vulnerability references updated.

    31556: HTTP: Microsoft Office Buffer Overflow Vulnerability (ZDI-18-430)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31556: HTTP: Microsoft Office Buffer Overflow Vulnerability ".
      - Description updated.
      - Vulnerability references updated.

    31558: HTTP: Microsoft Win32k Use-After-Free Vulnerability (ZDI-18-427)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31558: HTTP: Microsoft Win32k Use-After-Free Vulnerability ".
      - Description updated.
      - Vulnerability references updated.

    31559: HTTP: Microsoft Excel Memory Corruption Vulnerability (ZDI-18-432)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31559: HTTP: Microsoft Excel Memory Corruption Vulnerability".
      - Description updated.
      - Vulnerability references updated.

    31586: SMS: Microsoft Systems Management Server Remote Control Service Denial-of-Service Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Vulnerability references updated.

    31623: HTTP: Microsoft Teams URL Command Injection Vulnerability (ZDI-18-426)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31623: ZDI-CAN-5589: Zero Day Initiative Vulnerability (Microsoft Teams)".
      - Description updated.
      - Vulnerability references updated.

  Removed Filters: None
Solution Id: TP000107782