Digital Vaccine #9171

Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs.

New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com

SMS customers can update the Digital Vaccine through the SMS client. From the top line menu, you can open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update.
System Requirements
The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, all NGFW and all TPS systems. The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance.
Please note that vTPS does not currently support pre-disclosed ZDI filters.
The Digital Vaccine can be manually downloaded from the following URLs:
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9171.pkg
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9171.pkg
Update Details

Table of Contents
--------------------------
Filters
New Filters
Modified Filters (logic changes)
Modified Filters (metadata changes only)
Removed Filters

Filters
----------------
New Filters:
    32896: HTTP: Apache httpd mod_md Null Pointer Dereference Denial-of-Service Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: High
      - Description: This filter detects an attempt to exploit a denial-of-service vulnerability in Apache httpd.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-8011 CVSS 6.1

    33056: DNS: Samba AD DC Null Pointer Dereference Denial-of-Service Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a denial-of-service vulnerability in Samba AD DC.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-1140

    33061: HTTP: ABB Panel Builder 800 Comli CommandLineOptions Stack-based Buffer Overflow (ZDI-18-883)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a buffer overflow in ABB Panel Build 800 Comli.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-10616
        - Zero Day Initiative: ZDI-18-883

    33063: SMTP: RAR Attachment Containing .iqy File
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter detects an attempt to transfer a .rar file containing an Internet Query File format used by Microsoft Excel (.iqy) file over SMTP.
      - Deployment: Not enabled by default in any deployment.

    33064: HTTP: Zoho ManageEngine OpManager FailOverHelperServlet Cross-Site Scripting Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a cross-site scripting vulnerability in Zoho ManageEngine OpManager.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-12998 CVSS 6.8

    33065: HTTP: Microsoft Windows StructuredQuery Uninitialized Pointer Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Windows.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-8345

    33077: HTTP: Microsoft Windows Image ICC Profile Code Execution
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a code execution vulnerability in Microsoft Windows.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-8475

    33078: HTTP: GNU Libextractor ZIP File Comment Out-of-Bounds Read Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit an out-of-bounds read vulnerability in Libextractor.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-16430

    33079: ZDI-CAN-7146: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Adobe Acrobat Pro DC.
      - Deployments:
        - Deployment: Default (Block / Notify / Trace)
        - Deployment: Performance-Optimized (Disabled)

    33080: ZDI-CAN-7147: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Adobe Acrobat Pro DC.
      - Deployments:
        - Deployment: Default (Block / Notify / Trace)
        - Deployment: Performance-Optimized (Disabled)

    33083: ZDI-CAN-6576: Zero Day Initiative Vulnerability (LAquis SCADA)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting LAquis SCADA.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    33086: HTTP: Microsoft Exchange Server Voicemail Transcription Handler Override (ZDI-18-944)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Moderate
      - Description: This filter detects traffic that overrides the default voice transcription handler in Microsoft Exchange.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-8302
        - Zero Day Initiative: ZDI-18-944

    33087: HTTP: Apple macOS M4A Parsing Buffer Overflow Vulnerability (ZDI-17-189)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a buffer overflow vulnerability in the Apple macOS.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-2462
        - Zero Day Initiative: ZDI-17-189

    33088: TCP: HPE Intelligent Management Center imcwlandm UserName Buffer Overflow Vulnerability(ZDI-18-1000)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Hewlett Packard Enterprise Intelligent Management Center.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Zero Day Initiative: ZDI-18-1000

    33089: HTTP: Apple macOS M4A Parsing Type Confusion Vulnerability (ZDI-17-190)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a type confusion vulnerability in the Apple macOS.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-2430
        - Zero Day Initiative: ZDI-17-190

    33090: HTTP: Apple Safari RenderFlowThread Out-of-Bounds Read Vulnerability (ZDI-17-822)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit an out-of-bounds read vulnerability in the Apple Safari.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-7091
        - Zero Day Initiative: ZDI-17-822

    33091: HTTP: PHP Apache2 Chunked Transfer-Encoding With Java Script Payload Detection
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Moderate
      - Description: This filter detects an attempt to post a JavaScript payload to the Apache2 component in PHP when the Transfer-Encoding is set to chunked.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-17082

  Modified Filters (logic changes):
    * = Enabled in Default deployments

    * 8803: HTTP: Adobe Flash Player for Linux Command Execution
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.
      - Vulnerability references updated.

    * 29742: HTTP: Adobe Flash addCustomHeader Out-Of-Bounds Read Vulnerability (ZDI-17-996)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29742: ZDI-CAN-5074: Zero Day Initiative Vulnerability (Adobe Flash)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 30238: HTTP: Microsoft Windows Font EOT Information Disclosure Vulnerability (ZDI-17-1014)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30238: ZDI-CAN-5315: Zero Day Initiative Vulnerability (Microsoft Windows)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 30240: HTTP: Microsoft Windows Font EOT Information Disclosure Vulnerability (ZDI-17-1010)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30240: ZDI-CAN-5317: Zero Day Initiative Vulnerability (Microsoft Windows)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 30243: HTTP: Microsoft Office Excel XLS Use-After-Free Vulnerability (ZDI-17-929)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30243: ZDI-CAN-5320: Zero Day Initiative Vulnerability (Microsoft Office)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 30273: HTTP: Microsoft Chakra Typed Array Use-After-Free Vulnerability (ZDI-17-1016,ZDI-18-580)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30273: HTTP: Microsoft Chakra Typed Array Use-After-Free Vulnerability (ZDI-18-580)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

  Modified Filters (metadata changes only):
    * = Enabled in Default deployments

    20815: HTTP: Microsoft Windows VBScript Filter Function Use-After-Free Vulnerability(ZDI-15-592,ZDI-18-123)
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Vulnerability references updated.

    24325: HTTP: ARRIS VAP2500 txt_mac Command Injection Vulnerability (ZDI-16-691)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "24325: ZDI-CAN-3868: Zero Day Initiative Vulnerability (ARRIS VAP2500)".
      - Description updated.
      - Vulnerability references updated.

    24326: HTTP: ARRIS VAP2500 tools_command Command Injection Vulnerability (ZDI-16-692)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "24326: ZDI-CAN-3869: Zero Day Initiative Vulnerability (ARRIS VAP2500)".
      - Description updated.
      - Vulnerability references updated.

    24327: HTTP: ARRIS VAP2500 list_mac_address macaddr Command Injection Vulnerability (ZDI-16-693)
      - IPS Version: 3.2.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Name changed from "24327: ZDI-CAN-3870: Zero Day Initiative Vulnerability (ARRIS VAP2500)".
      - Description updated.
      - Vulnerability references updated.

    * 29144: HTTP: HPE Intelligent Management Center redirectviewer Directory Traversal Vulnerability(ZDI-18-138)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29144: ZDI-CAN-4905: Zero Day Initiative Vulnerability (HPE Intelligent Management Center)".
      - Description updated.
      - Vulnerability references updated.

    * 29743: HTTP: Adobe Flash determinePreferredLocales Out-of-Bound Read Vulnerability (ZDI-17-997)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29743: ZDI-CAN-5075: Zero Day Initiative Vulnerability (Adobe Flash)".
      - Description updated.
      - Vulnerability references updated.

    29752: HTTP: WECON LeviStudio PLC Driver Buffer Overflow Vulnerability (ZDI-17-1001)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29752: ZDI-CAN-5085: Zero Day Initiative Vulnerability (WECON LeviStudio)".
      - Description updated.
      - Vulnerability references updated.

    29859: HTTP: QNAP QTS authLogin Buffer Overflow Vulnerability (ZDI-17-1004)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29859: ZDI-CAN-5262: Zero Day Initiative Vulnerability (QNAP QTS)".
      - Description updated.
      - Vulnerability references updated.

    29860: HTTP: QNAP QTS authLogin Buffer Overflow Vulnerability (ZDI-17-1005)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29860: ZDI-CAN-5263: Zero Day Initiative Vulnerability (QNAP QTS)".
      - Description updated.
      - Vulnerability references updated.

    * 30236: HTTP: Microsoft Edge CSS Memory Corruption Vulnerability (ZDI-18-373)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30236: ZDI-CAN-5313: Zero Day Initiative Vulnerability (Microsoft Edge)".
      - Description updated.
      - Vulnerability references updated.

    30737: TCP: SSL 3.0 Padding Oracle Information Disclosure Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Deployments updated and are now:
        - Deployment: Performance-Optimized (Block / Notify)

    32056: HTTP: Fuji Electric V-Server VPR File Parsing Out-of-Bounds Read Vulnerability (ZDI-18-1018)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32056: ZDI-CAN-5884: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32057: HTTP: Fuji Electric V-Server VPR File Parsing Use-After-Free Vulnerability (ZDI-18-1019)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32057: ZDI-CAN-5885: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32058: HTTP: Fuji Electric V-Server VPR File Parsing CArchive Memory Corruption Vulnerability (ZDI-18-1020)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32058: ZDI-CAN-5886: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32059: HTTP: Fuji Electric V-Server VPR File Parsing CArchive Memory Corruption Vulnerability (ZDI-18-1021)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32059: ZDI-CAN-5887: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32060: HTTP: Fuji Electric V-Server VPR File Parsing Memory Corruption Vulnerability (ZDI-18-1022)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32060: ZDI-CAN-5888: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32061: HTTP: Fuji Electric V-Server VPR File Parsing Buffer Overflow Vulnerability (ZDI-18-1012)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32061: ZDI-CAN-5889: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32789: HTTP: WordPress Snazzy Maps Plugin XSS Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.

  Removed Filters: None.
Top of the Page
Need More Help?

Digital Vaccine #9171
