Summary
Digital Vaccine #9436 July 28, 2020
Details
Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs. New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com. SMS customers can update the Digital Vaccine through the SMS client. From the top-line menu, you can open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update. * The release notes file has been modified to add the Release Date and the Last Modified Date to both the HTML text and the XML. * Customers with TP10 devices should perform a soft reboot of their IPS before installing the new DV to avoid a memory issue during the install. |
System Requirements |
The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, all NGFW and all TPS systems. The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance. Please note that vTPS does not currently support pre-disclosed ZDI filters. |
The Digital Vaccine can be manually downloaded from the following URLs: https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9436.pkg https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9436.pkg |
Update Details
Table of Contents
--------------------------
Filters
New Filters - 18
Modified Filters (logic changes) - 13
Modified Filters (metadata changes only) - 3
Removed Filters - 0
Filters
----------------
New Filters:
37812: HTTP: Nagios XI Reflected Cross-Site Scripting Vulnerability - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Category: Vulnerabilities - Severity: Critical - Description: This filter detects an attempt to exploit a cross-site scripting vulnerability in Nagios XI. - Deployments: - Deployment: Security-Optimized (Block / Notify) - References: - Common Vulnerabilities and Exposures: CVE-2020-10819 CVSS 6.8, CVE-2020-10820 CVSS 6.8 - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc) - Protocol: HTTP - Platform: Multi-Platform Server Application or Service - Release Date: July 28, 2020 37886: HTTP: Zoho ManageEngine Applications Manager AlertRes_Mtrgrp.jsp sid SQL Injection Vulnerability - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Category: Vulnerabilities - Severity: Critical - Description: This filter detects an attempt to exploit a SQL injection vulnerability in Zoho ManageEngine Applications Manager. - Deployments: - Deployment: Security-Optimized (Block / Notify) - References: - Common Vulnerabilities and Exposures: CVE-2020-15533 - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc) - Protocol: HTTP - Platform: Multi-Platform Server Application or Service - Release Date: July 28, 2020 37889: ZDI-CAN-11049: Zero Day Initiative Vulnerability (Trend Micro Data Loss Prevention Manager) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: Not available. - Requires: N/NX-Platform, NGFW, or TPS devices - Category: Vulnerabilities - Severity: Critical - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Trend Micro Data Loss Prevention Manager. - Deployments: - Deployment: Default (Block / Notify / Trace) - Deployment: Performance-Optimized (Disabled) - Classification: Vulnerability - Other - Protocol: Other Protocol - Platform: Other Server Application or Service - Release Date: July 28, 2020 37890: ZDI-CAN-11097: Zero Day Initiative Vulnerability (WECON LeviStudioU) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: Not available. - Requires: N/NX-Platform, NGFW, or TPS devices - Category: Vulnerabilities - Severity: Critical - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting WECON LeviStudioU. - Deployments: - Deployment: Security-Optimized (Block / Notify / Trace) - Classification: Vulnerability - Other - Protocol: Other Protocol - Platform: Other Server Application or Service - Release Date: July 28, 2020 37891: ZDI-CAN-11098: Zero Day Initiative Vulnerability (WECON LeviStudioU) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: Not available. - Requires: N/NX-Platform, NGFW, or TPS devices - Category: Vulnerabilities - Severity: Critical - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting WECON LeviStudioU. - Deployments: - Deployment: Security-Optimized (Block / Notify / Trace) - Classification: Vulnerability - Other - Protocol: Other Protocol - Platform: Other Server Application or Service - Release Date: July 28, 2020 37892: ZDI-CAN-11100: Zero Day Initiative Vulnerability (WECON LeviStudioU) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: Not available. - Requires: N/NX-Platform, NGFW, or TPS devices - Category: Vulnerabilities - Severity: Critical - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting WECON LeviStudioU. - Deployments: - Deployment: Security-Optimized (Block / Notify / Trace) - Classification: Vulnerability - Other - Protocol: Other Protocol - Platform: Other Server Application or Service - Release Date: July 28, 2020 37893: ZDI-CAN-11185: Zero Day Initiative Vulnerability (WECON LeviStudioU) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: Not available. - Requires: N/NX-Platform, NGFW, or TPS devices - Category: Vulnerabilities - Severity: Critical - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting WECON LeviStudioU. - Deployments: - Deployment: Security-Optimized (Block / Notify / Trace) - Classification: Vulnerability - Other - Protocol: Other Protocol - Platform: Other Server Application or Service - Release Date: July 28, 2020 37894: ZDI-CAN-11186: Zero Day Initiative Vulnerability (WECON PLC Editor) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: Not available. - Requires: N/NX-Platform, NGFW, or TPS devices - Category: Vulnerabilities - Severity: Critical - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting WECON PLC Editor. - Deployments: - Deployment: Security-Optimized (Block / Notify / Trace) - Classification: Vulnerability - Other - Protocol: Other Protocol - Platform: Other Server Application or Service - Release Date: July 28, 2020 37895: ZDI-CAN-11187: Zero Day Initiative Vulnerability (WECON PLC Editor) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: Not available. - Requires: N/NX-Platform, NGFW, or TPS devices - Category: Vulnerabilities - Severity: Critical - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting WECON PLC Editor. - Deployments: - Deployment: Security-Optimized (Block / Notify / Trace) - Classification: Vulnerability - Other - Protocol: Other Protocol - Platform: Other Server Application or Service - Release Date: July 28, 2020 37896: SMB: Nmap Scripting Engine smb-os-discovery Detection - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Category: Security Policy - Severity: Moderate - Description: This filter detects a smb-os-discovery scan attempt by the Nmap Scripting Engine (NSE). - Deployment: Not enabled by default in any deployment. - Classification: Reconnaissance / Suspicious Access - Other - Protocol: SMB - Platform: Multi-Platform Server Application or Service - Release Date: July 28, 2020 37897: HTTP: Suspicious Java Expression Language (JEXL) Detection - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Category: Security Policy - Severity: Moderate - Description: This filter detects suspicious Java Expression Language (JEXL) usage inside a URI. - Deployment: Not enabled by default in any deployment. - References: - Common Vulnerabilities and Exposures: CVE-2020-10199 - Classification: Security Policy - Other - Protocol: HTTP - Platform: Multi-Platform Server Application or Service - Release Date: July 28, 2020 37898: HTTP: Suspicious Java Expression Language (JEXL) Detection - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Category: Security Policy - Severity: Moderate - Description: This filter detects a suspicious Java Expression Language (JEXL) payload. - Deployment: Not enabled by default in any deployment. - References: - Common Vulnerabilities and Exposures: CVE-2020-10199 - Classification: Security Policy - Other - Protocol: HTTP - Platform: Multi-Platform Server Application or Service - Release Date: July 28, 2020 37899: HTTP: FFmpeg JPEG_MARKER_SOS Buffer Overflow Vulnerability - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Category: Exploits - Severity: Critical - Description: This filter detects an attempt to exploit a buffer overflow vulnerability in FFmpeg. - Deployments: - Deployment: Security-Optimized (Block / Notify) - References: - Common Vulnerabilities and Exposures: CVE-2020-12284 - Classification: Vulnerability - Buffer/Heap Overflow - Protocol: HTTP - Platform: Multi-Platform Client Application - Release Date: July 28, 2020 37904: HTTP: OpenSIS SQL Injection Vulnerability - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Category: Vulnerabilities - Severity: Critical - Description: This filter detects an attempt to exploit a SQL injection vulnerability in OpenSIS. - Deployments: - Deployment: Security-Optimized (Block / Notify) - References: - Common Vulnerabilities and Exposures: CVE-2020-13381 - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc) - Protocol: HTTP - Platform: Multi-Platform Server Application or Service - Release Date: July 28, 2020 37905: HTTP: eSCL Protocol Usage - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Category: Security Policy - Severity: Moderate - Description: This filter detects an attempt to use eSCL protocol over HTTP. - Deployment: Not enabled by default in any deployment. - Classification: Security Policy - Other - Protocol: HTTP - Platform: Multi-Platform Server Application or Service - Release Date: July 28, 2020 37906: HTTP: Google Chrome webkitSpeechRecognition Use-After-Free Vulnerability - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Category: Exploits - Severity: Critical - Description: This filter detects an attempt to exploit a use-after-free vulnerability in Google Chrome. - Deployments: - Deployment: Default (Block / Notify) - Deployment: Performance-Optimized (Disabled) - References: - Common Vulnerabilities and Exposures: CVE-2020-6457 - Classification: Vulnerability - Other - Protocol: HTTP - Platform: Multi-Platform Client Application - Release Date: July 28, 2020 37910: HTTP: Ruby on Rails Argument Call Code Execution Vulnerability - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Category: Vulnerabilities - Severity: Critical - Description: This filter detects an attempt to exploit a code execution vulnerability in Ruby on Rails. - Deployments: - Deployment: Security-Optimized (Block / Notify) - References: - Common Vulnerabilities and Exposures: CVE-2020-8163 - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc) - Protocol: HTTP - Platform: Multi-Platform Server Application or Service - Release Date: July 28, 2020 37916: HTTP: Plex set_local_app_data_path Usage - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Category: Security Policy - Severity: Moderate - Description: This filter detects the usage of the API to change the location of a server's data directory. - Deployment: Not enabled by default in any deployment. - References: - Common Vulnerabilities and Exposures: CVE-2020-5741 - Classification: Vulnerability - Other - Protocol: HTTP - Platform: Multi-Platform Server Application or Service - Release Date: July 28, 2020 Modified Filters (logic changes): * = Enabled in Default deployments 0350: HTTP: Shell Command Execution (chmod command) - IPS Version: 1.0.0 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Detection logic updated. - Release Date: December 31, 2005 - Last Modified Date: July 28, 2020 31031: HTTP: Drupal Core Multiple Subsystems Input Validation Vulnerability - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Detection logic updated. - Release Date: April 03, 2018 - Last Modified Date: July 28, 2020 31630: HTTP: Telerik UI RadAsyncUpload Request - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Detection logic updated. - Release Date: May 15, 2018 - Last Modified Date: July 28, 2020 33380: HTTP: jQuery Unrestricted PHP File Upload Vulnerability - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Detection logic updated. - Release Date: October 30, 2018 - Last Modified Date: July 28, 2020 36750: HTTP: Advantech WebAccess/NMS FwStatusReportAction SQL Injection (ZDI-20-391, ZDI-20-392) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Name changed from "36750: ZDI-CAN-9584,9585: Zero Day Initiative Vulnerability (Advantech WebAccess/NMS)". - Severity changed from "Critical" to "High". - Description updated. - Detection logic updated. - Vulnerability references updated. - Release Date: December 03, 2019 - Last Modified Date: July 28, 2020 37019: RPC: Advantech WebAccess/SCADA DATACORE IOCTL 0x0000791e Integer Overflow Vulnerability (ZDI-20-600) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Name changed from "37019: ZDI-CAN-9997: Zero Day Initiative Vulnerability (Advantech WebAccess/SCADA)". - Description updated. - Detection logic updated. - Vulnerability references updated. - Release Date: February 11, 2020 - Last Modified Date: July 28, 2020 37068: HTTP: Advantech WebAccess/NMS ProfileResource Unrestricted File Upload Vulnerability (ZDI-20-406) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Name changed from "37068: ZDI-CAN-9693: Zero Day Initiative Vulnerability (Advantech WebAccess/SCADA)". - Description updated. - Detection logic updated. - Vulnerability references updated. - Release Date: February 11, 2020 - Last Modified Date: July 28, 2020 37104: HTTP: CentOS Web Panel ajax_migration_cpanel serverip Command Injection Vulnerability (ZDI-20-743) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Name changed from "37104: ZDI-CAN-9709: Zero Day Initiative Vulnerability (CentOS Web Panel)". - Category changed from "Exploits" to "Vulnerabilities". - Description updated. - Detection logic updated. - Vulnerability references updated. - Release Date: February 18, 2020 - Last Modified Date: July 28, 2020 37105: HTTP: CentOS Web Panel ajax_disk_usage folderName Command Injection Vulnerability (ZDI-20-744) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Name changed from "37105: ZDI-CAN-9713: Zero Day Initiative Vulnerability (CentOS Web Panel)". - Category changed from "Exploits" to "Vulnerabilities". - Description updated. - Detection logic updated. - Vulnerability references updated. - Release Date: February 18, 2020 - Last Modified Date: July 28, 2020 37106: HTTP: CentOS Web Panel ajax_crons line Command Injection Vulnerability (ZDI-20-745) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Name changed from "37106: ZDI-CAN-9714: Zero Day Initiative Vulnerability (CentOS Web Panel)". - Category changed from "Exploits" to "Vulnerabilities". - Description updated. - Detection logic updated. - Vulnerability references updated. - Release Date: February 18, 2020 - Last Modified Date: July 28, 2020 37185: HTTP: Advantech WebAccess/NMS DBUtil SQL Injection Vulnerability (ZDI-20-428, ZDI-20-430) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Name changed from "37185: ZDI-CAN-9807,9812: Zero Day Initiative Vulnerability (Advantech WebAccess/NMS)". - Severity changed from "Critical" to "High". - Description updated. - Detection logic updated. - Vulnerability references updated. - Release Date: February 25, 2020 - Last Modified Date: July 28, 2020 37189: HTTP: Advantech WebAccess/NMS DBUtil SQL Injection Vulnerability (ZDI-20-431, ZDI-20-432) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Name changed from "37189: ZDI-CAN-9813,9814: Zero Day Initiative Vulnerability (Advantech WebAccess/NMS)". - Severity changed from "Critical" to "High". - Description updated. - Detection logic updated. - Vulnerability references updated. - Release Date: February 25, 2020 - Last Modified Date: July 28, 2020 37851: HTTP: Microsoft .NET Framework Insecure Deserialization Vulnerability - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Description updated. - Detection logic updated. - Release Date: July 14, 2020 - Last Modified Date: July 28, 2020 Modified Filters (metadata changes only): * = Enabled in Default deployments 25851: HTTP: Microsoft Windows Font Parsing Out-Of-Bounds Write Vulnerability (ZDI-20-875) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Name changed from "25851: HTTP: Microsoft Windows Font Parsing Out-Of-Bounds Write Vulnerability". - Description updated. - Vulnerability references updated. - Release Date: May 19, 2020 - Last Modified Date: July 28, 2020 26004: HTTP: Microsoft Windows LNK Type Confusion Vulnerability (ZDI-20-923) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Name changed from "26004: HTTP: Microsoft Windows LNK Type Confusion Vulnerability". - Description updated. - Vulnerability references updated. - Release Date: May 19, 2020 - Last Modified Date: July 28, 2020 26078: HTTP: Microsoft Windows PFB Font File Out-Of-Bounds Write Vulnerability (ZDI-20-877) - IPS Version: 3.6.2 and after. - NGFW Version: 1.0.0 and after. - TPS Version: 4.0.0 and after. - vTPS Version: 4.0.1 and after. - Name changed from "26078: HTTP: Microsoft Windows PFB Font File Out-Of-Bounds Write Privilege Escalation Vulnerability". - Description updated. - Vulnerability references updated. - Release Date: May 19, 2020 - Last Modified Date: July 28, 2020 Removed Filters: NoneTop of the Page