Digital Vaccine #9441

Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs.

New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com.

SMS customers can update the Digital Vaccine through the SMS client. From the top-line menu, you can open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update.
System Requirements
The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, all NGFW and all TPS systems. The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance. Please note that vTPS does not currently support pre-disclosed ZDI filters.
The Digital Vaccine can be manually downloaded from the following URLs:
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9441.pkg
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9441.pkg
Update Details

Table of Contents
--------------------------
Filters
New Filters - 3
Modified Filters (logic changes) - 17
Modified Filters (metadata changes only) - 12
Removed Filters - 2

Filters
----------------
New Filters:
    26204: HTTP: Microsoft Windows PFB Font File Buffer Overflow Vulnerability (ZDI-20-998)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Microsoft Windows.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-1520
        - Zero Day Initiative: ZDI-20-998
      - Classification: Vulnerability - Buffer/Heap Overflow
      - Protocol: HTTP
      - Platform: Windows Client Application
      - Release Date: August 25, 2020

    38050: HTTP: ZTE web_shell_cmd.gch Usage
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Moderate
      - Description: This filter detects the usage of the web_shell_cmd.gch script.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2014-2321
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service
      - Release Date: August 25, 2020

    38053: HTTP: Microsoft Windows File Validation Spoofing Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: High
      - Description: This filter detects an attempt to exploit a spoofing vulnerability in Microsoft Windows.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-1464
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Windows Client Application
      - Release Date: August 25, 2020

  Modified Filters (logic changes):
    * = Enabled in Default deployments

    26517: HTTP: Microsoft Windows QuickTime Video Parsing Use-After-Free Vulnerability (ZDI-20-1004)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "26517: ZDI-CAN-10937: Zero Day Initiative Vulnerability (Microsoft Windows)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: May 19, 2020
      - Last Modified Date: August 25, 2020

    * 29068: HTTP: Apache Struts 2 Struts 1 Plugin Remote Code Execution Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: July 11, 2017
      - Last Modified Date: August 25, 2020

    * 33293: HTTP: Microsoft Windows gd132full PlayEnhMetaFile Out-Of-Bounds Read Vulnerability (ZDI-18-1404)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.
      - Release Date: October 23, 2018
      - Last Modified Date: August 25, 2020

    37106: HTTP: CentOS Web Panel ajax_crons line Command Injection Vulnerability (ZDI-20-745)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.
      - Release Date: February 18, 2020
      - Last Modified Date: August 25, 2020

    37108: HTTP: CentOS Web Panel ajax_crons user Command Injection Vulnerability (ZDI-20-746)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37108: ZDI-CAN-9716: Zero Day Initiative Vulnerability (CentOS Web Panel)".
      - Category changed from "Exploits" to "Vulnerabilities".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: February 18, 2020
      - Last Modified Date: August 25, 2020

    37109: HTTP: CentOS Web Panel ajax_list_accounts username SQL Injection Vulnerability (ZDI-20-765)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37109: ZDI-CAN-9717: Zero Day Initiative Vulnerability (CentOS Web Panel)".
      - Category changed from "Exploits" to "Vulnerabilities".
      - Severity changed from "Critical" to "High".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: February 18, 2020
      - Last Modified Date: August 25, 2020

    37110: HTTP: CentOS Web Panel ajax_php_pecl cha Command Injection Vulnerability (ZDI-20-761)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37110: ZDI-CAN-9718: Zero Day Initiative Vulnerability (CentOS Web Panel)".
      - Category changed from "Exploits" to "Vulnerabilities".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: February 18, 2020
      - Last Modified Date: August 25, 2020

    37111: HTTP: CentOS Web Panel ajax_dashboard service_start Command Injection Vulnerability (ZDI-20-752)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37111: ZDI-CAN-9719: Zero Day Initiative Vulnerability (CentOS Web Panel)".
      - Category changed from "Exploits" to "Vulnerabilities".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: February 18, 2020
      - Last Modified Date: August 25, 2020

    37112: HTTP: CentOS Web Panel ajax_admin_apis Command Injection Vulnerability (ZDI-20-753)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37112: ZDI-CAN-9720: Zero Day Initiative Vulnerability (CentOS Web Panel)".
      - Category changed from "Exploits" to "Vulnerabilities".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: February 18, 2020
      - Last Modified Date: August 25, 2020

    37114: HTTP: CentOS Web Panel ajax_list_accounts type SQL Injection Vulnerability (ZDI-20-766)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37114: ZDI-CAN-9723: Zero Day Initiative Vulnerability (CentOS Web Panel)".
      - Category changed from "Exploits" to "Vulnerabilities".
      - Severity changed from "Critical" to "High".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: February 18, 2020
      - Last Modified Date: August 25, 2020

    37256: HTTP: IBM Informix bts_tracefile Directory Traversal Vulnerability (ZDI-20-925)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37256: ZDI-CAN-10332: Zero Day Initiative Vulnerability (IBM Informix)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: March 03, 2020
      - Last Modified Date: August 25, 2020

    37407: HTTP: Veeam ONE Reporter_ImportLicense/SSRSReport External Entity Injection (ZDI-20-821,822)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37407: ZDI-CAN-10709,ZDI-CAN-10710: Zero Day Initiative Vulnerability (VEEM One Agent)".
      - Category changed from "Exploits" to "Vulnerabilities".
      - Severity changed from "Critical" to "High".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: May 26, 2020
      - Last Modified Date: August 25, 2020

    37572: HTTP: Phoenix Contact Automationworx PLCOpen XML Buffer Overflow Vulnerability (ZDI-20-825)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37572: ZDI-CAN-10147: Zero Day Initiative Vulnerability (Phoenix Contact Automationworx)".
      - Category changed from "Exploits" to "Vulnerabilities".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: April 14, 2020
      - Last Modified Date: August 25, 2020

    37583: HTTP: Advantech iView NetworkServlet SQL Injection Vulnerability (ZDI-20-828)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37583: ZDI-CAN-10635: Zero Day Initiative Vulnerability (Advantech iView)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: April 14, 2020
      - Last Modified Date: August 25, 2020

    37739: HTTP: Microsoft Windows MP4 File Parsing Out-Of-Bounds Write Vulnerability (ZDI-20-1002)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37739: ZDI-CAN-11006: Zero Day Initiative Vulnerability (Microsoft Windows)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: May 12, 2020
      - Last Modified Date: August 25, 2020

    37785: HTTP: Microsoft Chakra Inline Cache Out-Of-Bounds Read Vulnerability (ZDI-20-1001)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37785: ZDI-CAN-10925: Zero Day Initiative Vulnerability (Microsoft Chakra)".
      - Severity changed from "Critical" to "High".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: June 23, 2020
      - Last Modified Date: August 25, 2020

    38044: TCP: Oracle WebLogic Server Deserialization Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.
      - Release Date: August 18, 2020
      - Last Modified Date: August 25, 2020

  Modified Filters (metadata changes only):
    * = Enabled in Default deployments

    6924: DNS: NXDOMAIN Response
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Release Date: March 30, 2009
      - Last Modified Date: August 25, 2020

    13054: HTTP: Microsoft .NET Framework XML Spoofed Digital Signature
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Vulnerability references updated.
      - Release Date: July 30, 2013
      - Last Modified Date: August 25, 2020

    13296: HTTP: Oracle Java SE XML Spoofed Digital Signature
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Release Date: November 06, 2013
      - Last Modified Date: August 25, 2020

    19619: HTTP: Apple OS X Cross-Site Scripting Sandbox Bypass Vulnerability (Pwn2Own ZDI-15-258)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Release Date: March 21, 2015
      - Last Modified Date: August 25, 2020

    25436: HTTP: Symantec Web Gateway Command Injection Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Release Date: November 01, 2016
      - Last Modified Date: August 25, 2020

    * 25437: HTTPS: Symantec Web Gateway Command Injection Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Release Date: November 01, 2016
      - Last Modified Date: August 25, 2020

    * 29905: HTTP: Huawei App Market Safelist Bypass Privilege Escalation Vulnerability (Pwn2Own ZDI-18-879)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29905: HTTP: Huawei App Market Whitelist Bypass Privilege Escalation Vulnerability (Pwn2Own ZDI-18-879)".
      - Description updated.
      - Release Date: November 07, 2017
      - Last Modified Date: August 25, 2020

    31368: SMTP: SpamAssassin Spam Test String Usage
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Release Date: May 22, 2018
      - Last Modified Date: August 25, 2020

    * 32705: HTTP: phpMyAdmin Local File Inclusion Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Release Date: July 24, 2018
      - Last Modified Date: August 25, 2020

    34136: HTTP: Suspicious Scriptlet File Transfer
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Release Date: August 30, 2016
      - Last Modified Date: August 25, 2020

    35343: HTTP: Adobe Acrobat Pro DC addFeed Out-of-Bounds Read Vulnerability (ZDI-20-985,986,987,988,989)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "35343: HTTP: Adobe Acrobat Pro DC addFeed Out-of-Bounds Read Vulnerability (ZDI-20-985)".
      - Description updated.
      - Vulnerability references updated.
      - Release Date: June 23, 2020
      - Last Modified Date: August 25, 2020

    39139: HTTP: Ruby on Rails Web Console Safelist Bypass Vulnerability
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "39139: HTTP: Ruby on Rails Web Console Whitelist Bypass Vulnerability".
      - Description updated.
      - Release Date: September 20, 2016
      - Last Modified Date: August 25, 2020

  Removed Filters:

    2057: Backdoor: Master of Paradise
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Release Date: December 31, 2005
      - Last Modified Date: August 26, 2014

    17150: TCP: Wipall Malware Download Attempt
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Release Date: December 16, 2014
      - Last Modified Date: October 04, 2016
Top of the Page
Need More Help?

Digital Vaccine #9441
