Digital Vaccine #9372

Updated: 18 Dec 2019
Summary
Digital Vaccine #9372      December 17, 2019
Details
Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs.

New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com.

SMS customers can update the Digital Vaccine through the SMS client: from the top-line menu, open "File > Download Digital Vaccine from TMC" to detect and load the latest update.
 
System Requirements
The 3.2.0 DV runs on IPS devices with TOS v3.2.0 and above, on all NGFW systems, and on all TPS systems. The 4.0.0 DV runs only on the Virtual Threat Protection System (vTPS) appliance. Note that vTPS does not currently support pre-disclosed ZDI filters.
 
The Digital Vaccine can be manually downloaded from the following URLs:
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9372.pkg
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9372.pkg

Update Details

Table of Contents
--------------------------

Filters
 New Filters - 12
 Modified Filters (logic changes) - 9
 Modified Filters (metadata changes only) - 7
 Removed Filters - 0

Filters
----------------
 New Filters:
    36754: TCP: Remote JMX Traffic 
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Moderate
      - Description: This filter detects the presence of remote Java Management Extensions (JMX) traffic.
      - Deployment: Not enabled by default in any deployment.
      - Classification: Vulnerability - Other
      - Protocol: TCP (Generic)
      - Platform: Multi-Platform Server Application or Service

    36785: HTTP: IBM Identity Governance and Intelligence SQL Injection Vulnerability 
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a SQL injection vulnerability in IBM Identity Governance and Intelligence.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2018-1756 CVSS 5.0
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service

    36786: HTTP: Ajenti auth username Command Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a command injection vulnerability in Ajenti.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service

    36810: HTTP: Bludit CMS upload-images.php Arbitrary File Upload Vulnerability 
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a file upload vulnerability in Bludit CMS.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2019-16113 CVSS 6.5
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service

    36811: HTTP: Microsoft Windows Imaging API Use-After-Free Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a use-after-free vulnerability in Microsoft Windows.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2019-1311 CVSS 9.3
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Windows Client Application

    36812: HTTP: rConfig devices.php SQL Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a SQL injection vulnerability in rConfig Network Management.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2019-19207 CVSS 6.5
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: UNIX/Linux Server Application or Service

    36814: HTTP: Squid Proxy Digest Nonce Possible Information Disclosure
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Moderate
      - Description: This filter detects a Squid Proxy response possibly leaking an internal pointer.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2019-18679
      - Classification: Security Policy - Other
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service

    36816: HTTP: Total.js CMS 12 Widget JavaScript Code Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a command execution vulnerability in Total.js CMS.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2019-15954 CVSS 9.0
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service

    36819: HTTP: Citrix SD-WAN SQL Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a SQL injection vulnerability in Citrix SD-WAN.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2019-12989
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: Other Server Application or Service

    36827: HTTP: Microsoft Windows JET Database Engine Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: High
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Windows JET Database Engine.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2019-1406
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Windows Server Application or Service

    36831: SLP: Suspicious Service Registration Request
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Moderate
      - Description: This filter detects a suspicious Service Registration request message via SLP (Service Location Protocol).
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2019-5544
      - Classification: Security Policy - Other
      - Protocol: UDP (Generic)
      - Platform: Other Server Application or Service

    36835: HTTP: Microsoft Windows WebDAV Path Parsing Command Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a command injection vulnerability in Microsoft Windows WebDAV.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: Windows Client Application

  Modified Filters (logic changes):
    * = Enabled in Default deployments

    34083: HTTP: Adobe Acrobat Pro DC JOBOPTIONS CalCMYKProfile Out-of-Bounds Write Vulnerability (ZDI-19-350)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.
      - Vulnerability references updated.

    35055: RPC: Advantech WebAccess Node BwOpcBs Buffer Overflow Vulnerability (ZDI-19-1010)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "35055: ZDI-CAN-7883: Zero Day Initiative Vulnerability (Advantech WebAccess Node)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    35130: HTTP: Advantech WISE-PaaS RMM upload2eMap LastMapName File Upload Vulnerability (ZDI-19-935)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "35130: ZDI-CAN-8892: Zero Day Initiative Vulnerability (Advantech WISE-PaaS/RMM)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    35308: HTTP: Red Lion Crimson CD3 ItemIndexList Type Confusion Vulnerability (ZDI-19-791)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "35308: ZDI-CAN-8245: Zero Day Initiative Vulnerability (Red Lion Crimson)".
      - Category changed from "Exploits" to "Vulnerabilities".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    35582: HTTP: WECON PLC Editor WCP File Parsing Buffer Overflow Vulnerability (ZDI-19-1015)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "35582: ZDI-CAN-8456: Zero Day Initiative Vulnerability (WECON PLC Editor)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    * 36095: HTTP: Pulse Secure Connect/Policy Secure options Command Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Detection logic updated.

    36491: HTTP: Trend Micro Apex One Directory Traversal Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.
      - Vulnerability references updated.

    36631: TCP: Oracle GoldenGate Manager Buffer Overflow Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    36634: SNMP: Net-SNMP PDU Heap Overflow Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

  Modified Filters (metadata changes only):
    * = Enabled in Default deployments

    36061: HTTP: Microsoft Windows Media Player Information Disclosure Vulnerability (ZDI-19-1002)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "36061: HTTP: Microsoft Windows Media Player Color Transform Information Disclosure Vulnerability".
      - Description updated.
      - Vulnerability references updated.

    36067: HTTP: Microsoft Windows Media Player Information Disclosure Vulnerability (ZDI-19-1003)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "36067: HTTP: Microsoft Windows Media Player Color Conversion Information Disclosure Vulnerability".
      - Description updated.
      - Vulnerability references updated.

    * 36334: HTTP: Microsoft Windows EMF Information Disclosure Vulnerability (ZDI-19-1008)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "36334: HTTP: Microsoft Windows EMF Information Disclosure Vulnerability".
      - Description updated.
      - Vulnerability references updated.

    * 36483: HTTP: Microsoft Windows EMF Parsing Information Disclosure Vulnerability (ZDI-19-1007)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "36483: HTTP: Microsoft Windows EMF Parsing Information Disclosure Vulnerability".
      - Description updated.
      - Vulnerability references updated.

    36487: HTTP: Microsoft PowerPoint PPT File Use-After-Free Vulnerability (ZDI-19-1006)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "36487: HTTP: Microsoft PowerPoint PPT File Use-After-Free Vulnerability".
      - Description updated.
      - Vulnerability references updated.

    * 36677: HTTP: Microsoft Windows Font Subsetting Out-Of-Bounds Write Vulnerability (ZDI-19-1004)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "36677: HTTP: Microsoft Windows Font Subsetting Out-Of-Bounds Write Vulnerability".
      - Description updated.
      - Vulnerability references updated.

    * 36759: HTTP: CMS Made Simple DesignManager Object Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.

  Removed Filters:
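
The parser below is an added example, not Trend Micro or DVLabs code. It reads filter entries in the layout used in the lists above and pulls out what a reviewer checks before pushing a DV package: which filters arrive active in the Default profile, which Critical/High filters arrive inactive and therefore need an explicit decision, which CVEs the package references, and whether the per-section counts match the table of contents. The sample input is a constructed excerpt of three entries from this note; the regular expressions, the `DVFilter` field names and the Critical/High threshold in `needs_review` are this example's assumptions, not part of any documented DV format.

```python
"""Parse the per-filter entries of a TippingPoint Digital Vaccine release note.
Added example, not Trend Micro/DVLabs code; field names follow the note's layout."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: three entries in the release-note layout, covering the three
# deployment styles the note uses (none, one profile, Default enabled + Perf disabled).
SAMPLE = """\
 New Filters:
    36754: TCP: Remote JMX Traffic
      - Severity: Moderate
      - Deployment: Not enabled by default in any deployment.

    36810: HTTP: Bludit CMS upload-images.php Arbitrary File Upload Vulnerability
      - Severity: Critical
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2019-16113 CVSS 6.5

    36811: HTTP: Microsoft Windows Imaging API Use-After-Free Vulnerability
      - Severity: Critical
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2019-1311 CVSS 9.3
"""

SECTION_RE = re.compile(r"^\s*(New Filters|Modified Filters \([^)]*\)|Removed Filters):\s*$")
HEADER_RE = re.compile(r"^\s{4}(?:\*\s)?(\d{5}): (.+?)\s*$")  # "*" marks Default-enabled
FIELD_RE = re.compile(r"^\s+- ([^:]+): ?(.*?)\s*$")
PROFILE_RE = re.compile(r"^(.+?) \((.+)\)$")                  # "Default (Block / Notify)"
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
CVSS_RE = re.compile(r"\bCVSS (\d+(?:\.\d+)?)")


@dataclass
class DVFilter:
    number: int
    name: str
    section: str
    severity: str = ""
    deployments: Dict[str, str] = field(default_factory=dict)  # profile -> action
    cves: List[str] = field(default_factory=list)
    cvss: Optional[float] = None

    def enabled_in(self, profile: str) -> bool:
        # A profile that lists the filter as "Disabled" gives no protection.
        action = self.deployments.get(profile)
        return action is not None and action != "Disabled"


def parse_filters(text: str) -> List[DVFilter]:
    filters: List[DVFilter] = []
    section, current = "", None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = HEADER_RE.match(line)
        if m:
            current = DVFilter(int(m.group(1)), m.group(2), section)
            filters.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is None or not m:
            continue                              # e.g. "Detection logic updated."
        key, value = m.group(1), m.group(2)
        if key == "Deployment":                   # "Not enabled by default..." has no profile
            pm = PROFILE_RE.match(value)
            if pm:
                current.deployments[pm.group(1)] = pm.group(2)
        elif key == "Common Vulnerabilities and Exposures":
            current.cves = CVE_RE.findall(value)
            cm = CVSS_RE.search(value)
            current.cvss = float(cm.group(1)) if cm else None
        elif key == "Severity":
            current.severity = value
    return filters


def count_by_section(filters: List[DVFilter]) -> Dict[str, int]:
    """Per-section totals, to check against the note's table of contents."""
    return dict(Counter(f.section for f in filters))


def needs_review(filters: List[DVFilter], profile: str = "Default") -> List[DVFilter]:
    """Critical/High filters not active in `profile`: they only act if enabled by hand."""
    return [f for f in filters if f.severity in ("Critical", "High") and not f.enabled_in(profile)]


def covered_cves(filters: List[DVFilter]) -> List[str]:
    return sorted({cve for f in filters for cve in f.cves})
```

Run `parse_filters` over the whole "Filters" section of a note and `count_by_section` should reproduce the table of contents (12, 9 and 7 for this package). On the New Filters list above, `needs_review` flags 36785, 36786, 36810, 36812, 36819, 36827 and 36835: Critical or High filters that are either Security-Optimized-only or not enabled in any profile, so a device running the Default profile gains no coverage for, say, the Bludit upload or the Citrix SD-WAN SQL injection until the operator enables them. Entries in the Modified Filters lists carry no Severity field in this format, so they never appear in `needs_review`; the `*` marker is the only Default-enabled signal for those.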
  

Category: Configure; Troubleshoot; Deploy
Solution Id: TP000195086