Digital Vaccine #9173

Updated: 2 Oct 2018
Product/Version: TippingPoint Digital Vaccine
Summary
Digital Vaccine #9173      October 2, 2018
Details
Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs.

New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com

SMS customers can update the Digital Vaccine through the SMS client: from the top menu bar, choose "File > Download Digital Vaccine from TMC" to detect and load the latest update.
 
System Requirements
The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, all NGFW systems and all TPS systems. The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance.
Please note that vTPS does not currently support pre-disclosed ZDI filters.
 
The Digital Vaccine can be manually downloaded from the following URLs:
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9173.pkg
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9173.pkg

Update Details

Table of Contents
--------------------------

Filters
 New Filters
 Modified Filters (logic changes)
 Modified Filters (metadata changes only)
 Removed Filters

Filters
----------------
 New Filters:
    32895: HTTP: Unrestricted PHP File Upload
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: High
      - Description: This filter detects an attempt to upload PHP code by using multipart/form-data.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2017-17560 CVSS 10.0, CVE-2017-18048, CVE-2017-6090 CVSS 6.5

    33095: ZDI-CAN-6579, ZDI-CAN-6627: Zero Day Initiative Vulnerability (LAquis SCADA)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting LAquis SCADA.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    33096: ZDI-CAN-6574, ZDI-CAN-6629: Zero Day Initiative Vulnerability (LAquis SCADA)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting LAquis SCADA.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    33108: ZDI-CAN-6628: Zero Day Initiative Vulnerability (LAquis SCADA)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting LAquis SCADA.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)

    33110: HTTP: Oracle Outside-In Excel PropertySetStream Out-of-Bounds Write Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit an out-of-bounds write vulnerability in Oracle Outside-In.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Bugtraq ID: 104762
        - Common Vulnerabilities and Exposures: CVE-2018-3010

    33112: HTTP: Telerik UI for ASP.NET AJAX Directory Traversal Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a directory traversal vulnerability in Telerik UI for ASP.NET AJAX.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Bugtraq ID: 78021
        - Common Vulnerabilities and Exposures: CVE-2014-2217 CVSS 7.5

    33136: HTTP: Tinfoil Security Scanning Request
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Reconnaissance
      - Severity: Moderate
      - Description: This filter detects the scanning request of Tinfoil Security.
      - Deployment: Not enabled by default in any deployment.

  Modified Filters (logic changes):
    * = Enabled in Default deployments

    * 8803: HTTP: Adobe Flash Player for Linux Command Execution
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    29836: HTTP: QNAP QTS Web devRequest Buffer Overflow Vulnerability (ZDI-17-1003)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29836: ZDI-CAN-5209: Zero Day Initiative Vulnerability (QNAP QTS)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 30030: HTTP: Adobe Acrobat Reader Font processing Out-of-Bounds Memory Access Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 30208: HTTP: Microsoft Windows Kernel GreGetBitmapSize Information Disclosure Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Detection logic updated.

    30399: HTTP: OMRON CX-One CX-FLnet cdmapi32 Buffer Overflow Vulnerability (ZDI-18-284)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category changed from "Exploits" to "Vulnerabilities".
      - Detection logic updated.
      - Vulnerability references updated.

    30409: HTTP: OMRON CX-One SBA File Buffer Overflow Vulnerability (ZDI-18-287)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30409: ZDI-CAN-5440: Zero Day Initiative Vulnerability (OMRON CX-One)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 31489: HTTP: Microsoft Edge Scripting Engine Magic Value Memory Corruption Vulnerability (ZDI-18-948)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    31630: HTTP: Telerik UI RadAsyncUpload Request
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    31776: HTTP: Advantech WebAccess Node BWSCADASoap GraphList(ByPage) SQL Injection (ZDI-18-478, ZDI-18-482)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31776: ZDI-CAN-5608,5612: Zero Day Initiative Vulnerability (Advantech WebAccess Node)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    31778: HTTP: Advantech WebAccess Node BWSCADASoap PointList(ByNode) SQL Injection (ZDI-18-480,ZDI-18-485)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31778: ZDI-CAN-5610,5649: Zero Day Initiative Vulnerability (Advantech WebAccess Node)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    31842: HTTP: Advantech WebAccess Node BWSCADASoap GraphListByNode SQL Injection Vulnerability (ZDI-18-486)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31842: ZDI-CAN-5650: Zero Day Initiative Vulnerability (Advantech WebAccess Node)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 31843: HTTP: Advantech WebAccess Node Quality_Reg ItemIdAry SQL Injection Vulnerability (ZDI-18-487)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31843: ZDI-CAN-5651: Zero Day Initiative Vulnerability (Advantech WebAccess Node)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 31844: HTTP: Advantech WebAccess Node Quality ItemIdAry SQL Injection Vulnerability (ZDI-18-488)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31844: ZDI-CAN-5652: Zero Day Initiative Vulnerability (Advantech WebAccess Node)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 31846: HTTP: Advantech WebAccess Node Quality ItemGroupIdAry SQL Injection Vulnerability (ZDI-18-489)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31846: ZDI-CAN-5653: Zero Day Initiative Vulnerability (Advantech WebAccess Node)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 31885: HTTP: Trend Micro Smart Protection Server BWListMgmt SQL Injection Vulnerability (ZDI-18-421)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31885: ZDI-CAN-5807: Zero Day Initiative Vulnerability (Trend Micro Smart Protection Server)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    32566: HTTP: Adobe Acrobat Pro XPS Font Parsing Out-of-Bounds Read Vulnerability (ZDI-18-630)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32566: HTTP: Adobe Acrobat Pro TTF Font GPOS Information Disclosure Vulnerability".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    32802: HTTP: Foxit Reader Annotations name Use-After-Free Vulnerability (ZDI-18-774)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32802: ZDI-CAN-6327: Zero Day Initiative Vulnerability (Foxit Reader)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

  Modified Filters (metadata changes only):
    * = Enabled in Default deployments

    * 29770: HTTP: HPE Intelligent Management Information Disclosure Vulnerability (ZDI-18-136)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29770: ZDI-CAN-5093: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)".
      - Description updated.
      - Vulnerability references updated.

    * 29848: HTTP: Microsoft Chakra Typed Array JIT Optimization Use-After-Free Vulnerability (ZDI-18-301)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Vulnerability references updated.

    29871: HTTP: Delta Industrial Automation DOPSoft DPA File Buffer Overflow Vulnerability (ZDI-18-422)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29871: ZDI-CAN-5273: Zero Day Initiative Vulnerability (Delta Industrial Automation DOPSoft)".
      - Description updated.
      - Vulnerability references updated.

    29875: HTTP: QNAP QTS Web change_password Buffer Overflow Vulnerability (ZDI-17-1006,1008)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29875: ZDI-CAN-5278,5280: Zero Day Initiative Vulnerability (QNAP QTS)".
      - Description updated.
      - Vulnerability references updated.

    29876: HTTP: QNAP QTS Web sysinfoReq Buffer Overflow Vulnerability (ZDI-17-1007)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29876: ZDI-CAN-5279: Zero Day Initiative Vulnerability (QNAP QTS)".
      - Description updated.
      - Vulnerability references updated.

    29940: HTTP: Adobe Acrobat Pro DC ImageConversion TIFF Buffer Overflow Vulnerability (ZDI-18-207,17-1011)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29940: ZDI-CAN-5146: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)".
      - Description updated.
      - Vulnerability references updated.

    29942: HTTP: Adobe Acrobat Pro DC Out-Of-Bounds Read Information Disclosure Vulnerability (ZDI-18-207)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29942: ZDI-CAN-5148: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)".
      - Description updated.
      - Vulnerability references updated.

    29982: HTTP: OMRON CX-Supervisor SCS Scatter Chart Object Memory Corruption Vulnerability (ZDI-18-254)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Vulnerability references updated.

    * 30372: HTTP: Adobe Acrobat Pro DC HTML2PDF HTML Parsing Memory Corruption Vulnerability (ZDI-18-445)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30372: ZDI-CAN-5241: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)".
      - Description updated.
      - Vulnerability references updated.

    * 30373: HTTP: Adobe Acrobat Pro DC HTML2PDF HTML Parsing Out-Of-Bounds Read Vulnerability (ZDI-18-444)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30373: ZDI-CAN-5291: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)".
      - Description updated.
      - Vulnerability references updated.

    30390: HTTP: Ecava IntegraXor Report getdata name SQL Injection Vulnerability (ZDI-17-1000)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30390: ZDI-CAN-5386: Zero Day Initiative Vulnerability (Ecava IntegraXor)".
      - Description updated.
      - Vulnerability references updated.

    30391: HTTP: Delta Industrial Automation TPEditor TPE File Buffer Overflow Vulnerability (ZDI-18-468)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30391: ZDI-CAN-5389: Zero Day Initiative Vulnerability (Delta Industrial Automation TPEditor)".
      - Description updated.
      - Vulnerability references updated.

    31847: RPC: Advantech WebAccess Node webvrpcs ViewDll1 Buffer Overflow Vulnerability (ZDI-18-490)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31847: ZDI-CAN-5654: Zero Day Initiative Vulnerability (Advantech WebAccess Node)".
      - Description updated.
      - Vulnerability references updated.

    32047: HTTP: Fuji Electric V-Server VPR File Parsing CObArray Use-After-Free Vulnerability (ZDI-18-1010)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32047: ZDI-CAN-5877: Zero Day Initiative Vulnerability (Fuji Electric V-Server)".
      - Description updated.
      - Vulnerability references updated.

    32330: HTTP: WECON LeviStudioU IndirectAddrR Buffer Overflow Vulnerability (ZDI-18-992)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32330: ZDI-CAN-6062: Zero Day Initiative Vulnerability (WECON LeviStudioU)".
      - Description updated.
      - Vulnerability references updated.

    32333: HTTP: WECON LeviStudioU G_bmp szFilename Buffer Overflow Vulnerability (ZDI-18-993,995)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32333: ZDI-CAN-6063,6065: Zero Day Initiative Vulnerability (WECON LeviStudioU)".
      - Description updated.
      - Vulnerability references updated.

    32335: HTTP: WECON LeviStudioU MulStatus szFilename Buffer Overflow Vulnerability (ZDI-18-994)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32335: ZDI-CAN-6064: Zero Day Initiative Vulnerability (WECON LeviStudioU)".
      - Description updated.
      - Vulnerability references updated.

    32722: HTTP: Adobe Acrobat Pro DC XFA Template Type Confusion Vulnerability (ZDI-18-682)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Miscellaneous modification.

    32812: HTTP: ABB Panel Builder BEYaskawaSMC IPAddress Heap-based Buffer Overflow Vulnerability (ZDI-18-908)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32812: ZDI-CAN-6420: Zero Day Initiative Vulnerability (ABB Panel Builder 800)".
      - Description updated.
      - Vulnerability references updated.

    32948: HTTP: ABB Panel Builder BeomronFins FINSIPAddress Buffer Overflow Vulnerability (ZDI-18-891)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Vulnerability references updated.

    32949: HTTP: ABB Panel Builder bebhoffadseth AmsNetId Buffer Overflow Vulnerability (ZDI-18-890)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Vulnerability references updated.

  Removed Filters:

    32659: HTTP: Adobe Acrobat Reader XFA Type Confusion Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
Category: Configure; Troubleshoot; Deploy
Solution Id: TP000121419