Digital Vaccine #9171

    • Updated:
    • 25 Sep 2018
    • Product/Version:
    • TippingPoint Digital Vaccine
    • Platform:
Summary
Digital Vaccine #9171 - September 25, 2018
Details
Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs.

New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com

SMS customers can update the Digital Vaccine through the SMS client. From the top line menu, you can open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update.
 
System Requirements
The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, on all NGFW systems, and on all TPS systems. The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance.
Please note that vTPS does not currently support pre-disclosed ZDI filters.
 
The Digital Vaccine can be manually downloaded from the following URLs:
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9171.pkg
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9171.pkg

Update Details

Table of Contents
--------------------------

Filters
 New Filters
 Modified Filters (logic changes)
 Modified Filters (metadata changes only)
 Removed Filters

Filters
----------------
 New Filters:
    32896: HTTP: Apache httpd mod_md Null Pointer Dereference Denial-of-Service Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: High
      - Description: This filter detects an attempt to exploit a denial-of-service vulnerability in Apache httpd.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-8011 CVSS 6.1

    33056: DNS: Samba AD DC Null Pointer Dereference Denial-of-Service Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a denial-of-service vulnerability in Samba AD DC.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-1140

    33061: HTTP: ABB Panel Builder 800 Comli CommandLineOptions Stack-based Buffer Overflow (ZDI-18-883)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a stack-based buffer overflow in ABB Panel Builder 800 Comli.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-10616
        - Zero Day Initiative: ZDI-18-883

    33063: SMTP: RAR Attachment Containing .iqy File
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter detects an attempt to transfer over SMTP a .rar archive containing an Internet Query (.iqy) file, a format used by Microsoft Excel.
      - Deployment: Not enabled by default in any deployment.

    33064: HTTP: Zoho ManageEngine OpManager FailOverHelperServlet Cross-Site Scripting Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a cross-site scripting vulnerability in Zoho ManageEngine OpManager.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-12998 CVSS 6.8

    33065: HTTP: Microsoft Windows StructuredQuery Uninitialized Pointer Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Windows.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-8345

    33077: HTTP: Microsoft Windows Image ICC Profile Code Execution
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a code execution vulnerability in Microsoft Windows.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-8475

    33078: HTTP: GNU Libextractor ZIP File Comment Out-of-Bounds Read Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit an out-of-bounds read vulnerability in Libextractor.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-16430

    33079: ZDI-CAN-7146: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Adobe Acrobat Pro DC.
      - Deployments:
        - Deployment: Default (Block / Notify / Trace)
        - Deployment: Performance-Optimized (Disabled)

    33080: ZDI-CAN-7147: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Adobe Acrobat Pro DC.
      - Deployments:
        - Deployment: Default (Block / Notify / Trace)
        - Deployment: Performance-Optimized (Disabled)

    33083: ZDI-CAN-6576: Zero Day Initiative Vulnerability (LAquis SCADA)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting LAquis SCADA.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    33086: HTTP: Microsoft Exchange Server Voicemail Transcription Handler Override (ZDI-18-944)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Moderate
      - Description: This filter detects traffic that overrides the default voice transcription handler in Microsoft Exchange.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-8302
        - Zero Day Initiative: ZDI-18-944

    33087: HTTP: Apple macOS M4A Parsing Buffer Overflow Vulnerability (ZDI-17-189)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Apple macOS.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-2462
        - Zero Day Initiative: ZDI-17-189

    33088: TCP: HPE Intelligent Management Center imcwlandm UserName Buffer Overflow Vulnerability (ZDI-18-1000)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Hewlett Packard Enterprise Intelligent Management Center.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Zero Day Initiative: ZDI-18-1000

    33089: HTTP: Apple macOS M4A Parsing Type Confusion Vulnerability (ZDI-17-190)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a type confusion vulnerability in Apple macOS.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-2430
        - Zero Day Initiative: ZDI-17-190

    33090: HTTP: Apple Safari RenderFlowThread Out-of-Bounds Read Vulnerability (ZDI-17-822)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit an out-of-bounds read vulnerability in Apple Safari.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-7091
        - Zero Day Initiative: ZDI-17-822

    33091: HTTP: PHP Apache2 Chunked Transfer-Encoding With Java Script Payload Detection
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Moderate
      - Description: This filter detects an attempt to post a JavaScript payload to the Apache2 component in PHP when the Transfer-Encoding is set to chunked.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-17082

  Modified Filters (logic changes):
    * = Enabled in Default deployments

    * 8803: HTTP: Adobe Flash Player for Linux Command Execution
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.
      - Vulnerability references updated.

    * 29742: HTTP: Adobe Flash addCustomHeader Out-Of-Bounds Read Vulnerability (ZDI-17-996)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29742: ZDI-CAN-5074: Zero Day Initiative Vulnerability (Adobe Flash)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 30238: HTTP: Microsoft Windows Font EOT Information Disclosure Vulnerability (ZDI-17-1014)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30238: ZDI-CAN-5315: Zero Day Initiative Vulnerability (Microsoft Windows)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 30240: HTTP: Microsoft Windows Font EOT Information Disclosure Vulnerability (ZDI-17-1010)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30240: ZDI-CAN-5317: Zero Day Initiative Vulnerability (Microsoft Windows)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 30243: HTTP: Microsoft Office Excel XLS Use-After-Free Vulnerability (ZDI-17-929)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30243: ZDI-CAN-5320: Zero Day Initiative Vulnerability (Microsoft Office)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 30273: HTTP: Microsoft Chakra Typed Array Use-After-Free Vulnerability (ZDI-17-1016,ZDI-18-580)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30273: HTTP: Microsoft Chakra Typed Array Use-After-Free Vulnerability (ZDI-18-580)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

  Modified Filters (metadata changes only):
    * = Enabled in Default deployments

    20815: HTTP: Microsoft Windows VBScript Filter Function Use-After-Free Vulnerability (ZDI-15-592, ZDI-18-123)
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Vulnerability references updated.

    24325: HTTP: ARRIS VAP2500 txt_mac Command Injection Vulnerability (ZDI-16-691)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "24325: ZDI-CAN-3868: Zero Day Initiative Vulnerability (ARRIS VAP2500)".
      - Description updated.
      - Vulnerability references updated.

    24326: HTTP: ARRIS VAP2500 tools_command Command Injection Vulnerability (ZDI-16-692)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "24326: ZDI-CAN-3869: Zero Day Initiative Vulnerability (ARRIS VAP2500)".
      - Description updated.
      - Vulnerability references updated.

    24327: HTTP: ARRIS VAP2500 list_mac_address macaddr Command Injection Vulnerability (ZDI-16-693)
      - IPS Version: 3.2.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Name changed from "24327: ZDI-CAN-3870: Zero Day Initiative Vulnerability (ARRIS VAP2500)".
      - Description updated.
      - Vulnerability references updated.

    * 29144: HTTP: HPE Intelligent Management Center redirectviewer Directory Traversal Vulnerability (ZDI-18-138)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29144: ZDI-CAN-4905: Zero Day Initiative Vulnerability (HPE Intelligent Management Center)".
      - Description updated.
      - Vulnerability references updated.

    * 29743: HTTP: Adobe Flash determinePreferredLocales Out-of-Bound Read Vulnerability (ZDI-17-997)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29743: ZDI-CAN-5075: Zero Day Initiative Vulnerability (Adobe Flash)".
      - Description updated.
      - Vulnerability references updated.

    29752: HTTP: WECON LeviStudio PLC Driver Buffer Overflow Vulnerability (ZDI-17-1001)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29752: ZDI-CAN-5085: Zero Day Initiative Vulnerability (WECON LeviStudio)".
      - Description updated.
      - Vulnerability references updated.

    29859: HTTP: QNAP QTS authLogin Buffer Overflow Vulnerability (ZDI-17-1004)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29859: ZDI-CAN-5262: Zero Day Initiative Vulnerability (QNAP QTS)".
      - Description updated.
      - Vulnerability references updated.

    29860: HTTP: QNAP QTS authLogin Buffer Overflow Vulnerability (ZDI-17-1005)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29860: ZDI-CAN-5263: Zero Day Initiative Vulnerability (QNAP QTS)".
      - Description updated.
      - Vulnerability references updated.

    * 30236: HTTP: Microsoft Edge CSS Memory Corruption Vulnerability (ZDI-18-373)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30236: ZDI-CAN-5313: Zero Day Initiative Vulnerability (Microsoft Edge)".
      - Description updated.
      - Vulnerability references updated.

    30737: TCP: SSL 3.0 Padding Oracle Information Disclosure Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Deployments updated and are now:
        - Deployment: Performance-Optimized (Block / Notify)

    32056: HTTP: Fuji Electric V-Server VPR File Parsing Out-of-Bounds Read Vulnerability (ZDI-18-1018)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32056: ZDI-CAN-5884: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32057: HTTP: Fuji Electric V-Server VPR File Parsing Use-After-Free Vulnerability (ZDI-18-1019)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32057: ZDI-CAN-5885: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32058: HTTP: Fuji Electric V-Server VPR File Parsing CArchive Memory Corruption Vulnerability (ZDI-18-1020)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32058: ZDI-CAN-5886: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32059: HTTP: Fuji Electric V-Server VPR File Parsing CArchive Memory Corruption Vulnerability (ZDI-18-1021)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32059: ZDI-CAN-5887: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32060: HTTP: Fuji Electric V-Server VPR File Parsing Memory Corruption Vulnerability (ZDI-18-1022)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32060: ZDI-CAN-5888: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32061: HTTP: Fuji Electric V-Server VPR File Parsing Buffer Overflow Vulnerability (ZDI-18-1012)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32061: ZDI-CAN-5889: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32789: HTTP: WordPress Snazzy Maps Plugin XSS Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.

  Removed Filters: None.

Category:
Configure; Troubleshoot; Deploy
Solution Id:
TP000120843