Summary
Digital Vaccine #9435 July 21, 2020
Details
Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs. New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com. SMS customers can update the Digital Vaccine through the SMS client. From the top-line menu, you can open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update.

* Customers with TP10 devices should perform a soft reboot of their IPS before installing the new DV to avoid a memory issue during the install.
* Geographic Filters: The Geo Locator Database package (which incorporates the MaxMind GeoLite2 databases) is now automatically updated once a week. Previously, it had been updated at the beginning of the month.

System Requirements
The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, all NGFW and all TPS systems. The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance. Please note that vTPS does not currently support pre-disclosed ZDI filters.

The Digital Vaccine can be manually downloaded from the following URLs:
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9435.pkg
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9435.pkg
Update Details
Table of Contents
--------------------------
Filters
New Filters - 18
Modified Filters (logic changes) - 10
Modified Filters (metadata changes only) - 1
Removed Filters - 0
Filters
----------------
New Filters:
37818: HTTP: VMWare vCloud Director Code Injection Vulnerability
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Category: Vulnerabilities
  - Severity: Critical
  - Description: This filter detects an attempt to exploit a code injection vulnerability in VMWare Cloud Director.
  - Deployment: Not enabled by default in any deployment.
  - References:
    - Common Vulnerabilities and Exposures: CVE-2020-3956
  - Classification: Vulnerability - Other
  - Protocol: HTTP
  - Platform: Multi-Platform Server Application or Service

37859: ZDI-CAN-10835: Zero Day Initiative Vulnerability (D-Link Multiple Routers)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: Not available.
  - Requires: N/NX-Platform, NGFW, or TPS devices
  - Category: Vulnerabilities
  - Severity: Critical
  - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting multiple D-Link Routers.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify / Trace)
  - Classification: Vulnerability - Other
  - Protocol: Other Protocol
  - Platform: Other Server Application or Service

37860: ZDI-CAN-10880: Zero Day Initiative Vulnerability (D-Link DAP-1860)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: Not available.
  - Requires: N/NX-Platform, NGFW, or TPS devices
  - Category: Vulnerabilities
  - Severity: Critical
  - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting D-Link DAP-1860.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify / Trace)
  - Classification: Vulnerability - Other
  - Protocol: Other Protocol
  - Platform: Other Server Application or Service

37861: ZDI-CAN-10894: Zero Day Initiative Vulnerability (D-Link DAP-1860)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: Not available.
  - Requires: N/NX-Platform, NGFW, or TPS devices
  - Category: Vulnerabilities
  - Severity: Critical
  - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting D-Link DAP-1860.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify / Trace)
  - Classification: Vulnerability - Other
  - Protocol: Other Protocol
  - Platform: Other Server Application or Service

37862: ZDI-CAN-11076: Zero Day Initiative Vulnerability (Netgear Orbi)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: Not available.
  - Requires: N/NX-Platform, NGFW, or TPS devices
  - Category: Vulnerabilities
  - Severity: Critical
  - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Netgear Orbi.
  - Deployment: Not enabled by default in any deployment.
  - Classification: Vulnerability - Other
  - Protocol: Other Protocol
  - Platform: Other Server Application or Service

37863: ZDI-CAN-11076: Zero Day Initiative Vulnerability (Netgear Orbi)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: Not available.
  - Requires: N/NX-Platform, NGFW, or TPS devices
  - Category: Vulnerabilities
  - Severity: Critical
  - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Netgear Orbi.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify / Trace)
  - Classification: Vulnerability - Other
  - Protocol: Other Protocol
  - Platform: Other Server Application or Service

37864: ZDI-CAN-11189: Zero Day Initiative Vulnerability (Apple macOS)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: Not available.
  - Requires: N/NX-Platform, NGFW, or TPS devices
  - Category: Exploits
  - Severity: Critical
  - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Apple macOS.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify / Trace)
  - Classification: Vulnerability - Other
  - Protocol: Other Protocol
  - Platform: Other Server Application or Service

37865: ZDI-CAN-11267: Zero Day Initiative Vulnerability (Microsoft SharePoint)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: Not available.
  - Requires: N/NX-Platform, NGFW, or TPS devices
  - Category: Vulnerabilities
  - Severity: Critical
  - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Microsoft SharePoint.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify / Trace)
  - Classification: Vulnerability - Other
  - Protocol: Other Protocol
  - Platform: Other Server Application or Service

37866: ZDI-CAN-11276: Zero Day Initiative Vulnerability (Microsoft Excel)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: Not available.
  - Requires: N/NX-Platform, NGFW, or TPS devices
  - Category: Exploits
  - Severity: Critical
  - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Microsoft Excel.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify / Trace)
  - Classification: Vulnerability - Other
  - Protocol: Other Protocol
  - Platform: Other Server Application or Service

37867: ZDI-CAN-11305: Zero Day Initiative Vulnerability (Oracle WebLogic Server)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: Not available.
  - Requires: IPS N-Platform, NX-Platform, NGFW, or TPS models.
  - Category: Vulnerabilities
  - Severity: Critical
  - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Oracle WebLogic Server.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify / Trace)
  - Classification: Vulnerability - Other
  - Protocol: Other Protocol
  - Platform: Other Server Application or Service

37868: ZDI-CAN-11368: Zero Day Initiative Vulnerability (Trend Micro Deep Security Manager)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: Not available.
  - Requires: N/NX-Platform, NGFW, or TPS devices
  - Category: Exploits
  - Severity: Critical
  - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Trend Micro Deep Security Manager.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify / Trace)
  - Classification: Vulnerability - Other
  - Protocol: Other Protocol
  - Platform: Other Server Application or Service

37869: ZDI-CAN-11373: Zero Day Initiative Vulnerability (Advantech R-SeeNet)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: Not available.
  - Requires: N/NX-Platform, NGFW, or TPS devices
  - Category: Vulnerabilities
  - Severity: Critical
  - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech R-SeeNet.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify / Trace)
  - Classification: Vulnerability - Other
  - Protocol: Other Protocol
  - Platform: Other Server Application or Service

37871: HTTP: rConfig compliancepolicyelements.inc.php SQL Injection Vulnerability
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Category: Vulnerabilities
  - Severity: Critical
  - Description: This filter detects an attempt to exploit a SQL injection vulnerability in rConfig Network Device Configuration Tool.
  - Deployments:
    - Deployment: Default (Block / Notify)
    - Deployment: Performance-Optimized (Disabled)
  - References:
    - Common Vulnerabilities and Exposures: CVE-2020-10547
  - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
  - Protocol: HTTP
  - Platform: UNIX/Linux Server Application or Service

37878: HTTP: Bolt CMS Code Execution Vulnerability
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Category: Vulnerabilities
  - Severity: Critical
  - Description: This filter detects an attempt to exploit a code execution vulnerability in Bolt CMS.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify)
  - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
  - Protocol: HTTP
  - Platform: Multi-Platform Server Application or Service

37879: HTTP: Citrix Netscaler / ADC Authentication Bypass Vulnerability
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Category: Vulnerabilities
  - Severity: High
  - Description: This filter detects an attempt to exploit an authentication bypass vulnerability in Citrix NetScaler and Application Delivery Controller.
  - Deployments:
    - Deployment: Default (Block / Notify)
    - Deployment: Performance-Optimized (Disabled)
  - References:
    - Common Vulnerabilities and Exposures: CVE-2020-8193
  - Classification: Vulnerability - Other
  - Protocol: HTTP
  - Platform: Multi-Platform Server Application or Service

37880: HTTP: Citrix Netscaler / ADC Information Disclosure Vulnerability
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Category: Exploits
  - Severity: High
  - Description: This filter detects an attempt to exploit an information disclosure vulnerability in Citrix NetScaler and Application Delivery Controller.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify)
  - References:
    - Common Vulnerabilities and Exposures: CVE-2020-8195
  - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
  - Protocol: HTTP
  - Platform: Multi-Platform Server Application or Service

37881: HTTP: SAP NetWeaver AS JAVA Directory Traversal Vulnerability
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Category: Vulnerabilities
  - Severity: High
  - Description: This filter detects an attempt to exploit a directory traversal vulnerability in SAP NetWeaver.
  - Deployments:
    - Deployment: Security-Optimized (Block / Notify)
  - References:
    - Common Vulnerabilities and Exposures: CVE-2020-6286
  - Classification: Vulnerability - Other
  - Protocol: HTTP
  - Platform: Windows Server Application or Service

37882: HTTP: SAP NetWeaver AS JAVA Vulnerable Endpoint Access
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Category: Security Policy
  - Severity: Low
  - Description: This filter detects an attempt to access endpoints in SAP NetWeaver that are not properly protected by authentication.
  - Deployment: Not enabled by default in any deployment.
  - References:
    - Common Vulnerabilities and Exposures: CVE-2020-6287
  - Classification: Security Policy - Other
  - Protocol: HTTP
  - Platform: Windows Server Application or Service

Modified Filters (logic changes):
* = Enabled in Default deployments

33665: HTTP: HPE Intelligent Management Center Remote Code Execution Vulnerability (ZDI-19-268,ZDI-20-149)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Name changed from "33665: HTTP: HPE Intelligent Management Center Remote Code Execution Vulnerability (ZDI-19-268)".
  - Detection logic updated.
  - Vulnerability references updated.

34932: ZDI-CAN-11200,11381-9,11390-8: Zero Day Initiative Vulnerability (Micro Focus)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Requires: N/NX-Platform, NGFW, or TPS devices
  - Name changed from "34932: ZDI-CAN-11200,11381-9,11390-4: Zero Day Initiative Vulnerability (Micro Focus)".
  - Detection logic updated.
  - Vulnerability references updated.

36249: HTTP: Cisco Data Center Network Manager getAllVpc SQL Injection Vulnerability (ZDI-20-021)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Name changed from "36249: ZDI-CAN-9050: Zero Day Initiative Vulnerability (Cisco Data Center Network Manager)".
  - Description updated.
  - Detection logic updated.
  - Vulnerability references updated.

37101: HTTP: CentOS Web Panel ajax_list_accounts package SQL Injection Vulnerability (ZDI-20-763)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Name changed from "37101: ZDI-CAN-9706: Zero Day Initiative Vulnerability (CentOS Web Panel)".
  - Category changed from "Exploits" to "Vulnerabilities".
  - Severity changed from "Critical" to "High".
  - Description updated.
  - Detection logic updated.
  - Vulnerability references updated.

37102: HTTP: CentOS Web Panel ajax_mod_security check_ip Command Injection Vulnerability (ZDI-20-738)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Name changed from "37102: ZDI-CAN-9707: Zero Day Initiative Vulnerability (CentOS Web Panel)".
  - Category changed from "Exploits" to "Vulnerabilities".
  - Description updated.
  - Detection logic updated.
  - Vulnerability references updated.

37103: HTTP: CentOS Web Panel ajax_list_accounts status SQL Injection Vulnerability (ZDI-20-764)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Name changed from "37103: ZDI-CAN-9708: Zero Day Initiative Vulnerability (CentOS Web Panel)".
  - Category changed from "Exploits" to "Vulnerabilities".
  - Severity changed from "Critical" to "High".
  - Description updated.
  - Detection logic updated.
  - Vulnerability references updated.

37138: RPC: Advantech WebAccess/SCADA DATACORE IOCTL 0x00005227 Buffer Overflow Vulnerability (ZDI-20-592)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Name changed from "37138: ZDI-CAN-9906: Zero Day Initiative Vulnerability (Advantech WebAccess/SCADA)".
  - Description updated.
  - Detection logic updated.
  - Vulnerability references updated.

37311: RPC: Advantech WebAccess/SCADA DATACORE IOCTL 0x0000791d Buffer Overflow Vulnerability (ZDI-20-601)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Name changed from "37311: ZDI-CAN-9998: Zero Day Initiative Vulnerability (Advantech WebAccess/SCADA)".
  - Description updated.
  - Detection logic updated.
  - Vulnerability references updated.

37381: RPC: Advantech WebAccess/SCADA OPCUA Buffer Overflow Vulnerability (ZDI-20-624)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Name changed from "37381: ZDI-CAN-10338: Zero Day Initiative Vulnerability (Advantech WebAccess/SCADA)".
  - Description updated.
  - Detection logic updated.
  - Vulnerability references updated.

37858: DNS: Windows DNS Server Integer Overflow Vulnerability (Inbound)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Name changed from "37858: DNS: Windows DNS Server Integer Overflow Vulnerability".
  - Detection logic updated.

Modified Filters (metadata changes only):
* = Enabled in Default deployments

37857: DNS: Windows DNS Server Integer Overflow Vulnerability (Outbound)
  - IPS Version: 3.6.2 and after.
  - NGFW Version: 1.0.0 and after.
  - TPS Version: 4.0.0 and after.
  - vTPS Version: 4.0.1 and after.
  - Name changed from "37857: DNS: Windows DNS Server Integer Overflow Vulnerability".

Removed Filters:
None