Digital Vaccine #9449

Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs.

New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com.

SMS customers can update the Digital Vaccine through the SMS client. From the top-line menu, you can open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update.
System Requirements
The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, all NGFW and all TPS systems. The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance. Please note that vTPS does not currently support pre-disclosed ZDI filters.
The Digital Vaccine can be manually downloaded from the following URLs:
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9449.pkg
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9449.pkg
Update Details

Table of Contents
--------------------------
Filters
New Filters - 13
Modified Filters (logic changes) - 18
Modified Filters (metadata changes only) - 2
Removed Filters - 0

Filters
----------------
New Filters:
    38104: HTTP: rConfig Network Device Configuration Tool configDevice.php Cross-Site Scripting Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a cross-site scripting vulnerability in rConfig Network Device Configuration Tool.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-12259
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: UNIX/Linux Server Application or Service
      - Release Date: September 15, 2020

    38107: XMPP: Cisco Jabber Message Handling Code Execution Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a code execution vulnerability in Cisco Jabber Message.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-3495
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: Other Protocol
      - Platform: Windows Client Application
      - Release Date: September 15, 2020

    38108: HTTP: Apache Struts2 File Upload Denial-of-Service Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a denial-of-service vulnerability in Apache Struts2.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2019-0233
      - Classification: Vulnerability - Denial of Service (Crash/Reboot)
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service
      - Release Date: September 15, 2020

    38125: HTTP: Cacti Group Cacti color.php SQL Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a SQL injection vulnerability in Cacti.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-14295
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service
      - Release Date: September 15, 2020

    38130: HTTP: Trend Micro ServerProtect Linux Command Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a command injection vulnerability in Trend Micro ServerProtect for Linux.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: UNIX/Linux Server Application or Service
      - Release Date: September 15, 2020

    38131: HTTP: Google Chrome WebGL Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Google Chrome.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-6492
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Multi-Platform Client Application
      - Release Date: September 15, 2020

    38133: HTTP: VirusTotal File Upload (Browser Extension)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter detects an attempt to upload a file to the VirusTotal website via the browser extension.
      - Deployment: Not enabled by default in any deployment.
      - Classification: Security Policy - Forbidden Application Access or Service Request
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service
      - Release Date: September 15, 2020

    38134: HTTP: VirusTotal File Upload (Browser Main UI)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter detects an attempt to upload a file to the VirusTotal website via the browser main user interface.
      - Deployment: Not enabled by default in any deployment.
      - Classification: Security Policy - Forbidden Application Access or Service Request
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service
      - Release Date: September 15, 2020

    38135: HTTP: VirusTotal File Upload (API)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Low
      - Description: This filter detects an attempt to upload a file to the VirusTotal website via the API interface.
      - Deployment: Not enabled by default in any deployment.
      - Classification: Security Policy - Forbidden Application Access or Service Request
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service
      - Release Date: September 15, 2020

    38136: HTTP: Richfaces Framework Deserialization Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a deserialization vulnerability in the Richfaces framework.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2013-2165
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: UNIX/Linux Server Application or Service
      - Release Date: September 15, 2020

    38139: HTTP: Wibu-Systems CodeMeter Origin Validation Error Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit an improper origin validation vulnerability in Wibu-Systems CodeMeter.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-14519
      - Classification: Vulnerability - Access Validation
      - Protocol: HTTP
      - Platform: Multi-Platform Client Application
      - Release Date: September 15, 2020

    38141: HTTP: Microsoft Exchange Server New-DlpPolicy Remote Code Execution Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a remote code vulnerability in Microsoft Exchange Server.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-16875
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Windows Server Application or Service
      - Release Date: September 15, 2020

    38166: MS-NRPC: Microsoft Windows Netlogon Zerologon Authentication Bypass Attempt
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit an authentication bypass vulnerability affecting Microsoft Windows Servers.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-1472
      - Classification: Vulnerability - Access Validation
      - Protocol: RPC Services
      - Platform: Windows Server Application or Service
      - Release Date: September 15, 2020

  Modified Filters (logic changes):
    * = Enabled in Default deployments

    13135: HTTPS: Box.com Site Access (ATT&CK T1102)
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.
      - Release Date: September 03, 2013
      - Last Modified Date: September 15, 2020

    35158: HTTP: Microsoft Windows JET Database Engine Out-Of-Bounds Write Vulnerability (ZDI-20-1127)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "35158: ZDI-CAN-11128: Zero Day Initiative Vulnerability (Microsoft JET Database)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: June 16, 2020
      - Last Modified Date: September 15, 2020

    35440: HTTP: Microsoft Windows JET Database Engine Out-Of-Bounds Write Vulnerability (ZDI-20-1128)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "35440: ZDI-CAN-11153: Zero Day Initiative Vulnerability (Microsoft JET Database)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: June 16, 2020
      - Last Modified Date: September 15, 2020

    36255: HTTP: Cisco Data Center Network Manager getSwitches SQL Injection (ZDI-20-051, ZDI-20-052)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "36255: ZDI-CAN-9060,9068: Zero Day Initiative Vulnerability (Cisco Data Center Network Manager)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: October 08, 2019
      - Last Modified Date: September 15, 2020

    36647: HTTP: Cisco Data Center Network Manager getSanSwitchBandwidthStatList SQL Injection (ZDI-20-082)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "36647: ZDI-CAN-9202: Zero Day Initiative Vulnerability (Cisco Data Center Network Manager)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: November 19, 2019
      - Last Modified Date: September 15, 2020

    36907: HTTP: IBM Spectrum Protect Plus hostname Command Injection Vulnerability (ZDI-20-273)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: January 21, 2020
      - Last Modified Date: September 15, 2020

    * 37043: HTTP: Microsoft Internet Explorer Use-After-Free Vulnerability (ZDI-20-1123)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37043: ZDI-CAN-10834: Zero Day Initiative Vulnerability (Microsoft Internet Explorer)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: June 23, 2020
      - Last Modified Date: September 15, 2020

    37047: HTTP: Microsoft Visual Studio DDS File Parsing Integer Overflow Vulnerability (ZDI-20-1120)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37047: ZDI-CAN-11095: Zero Day Initiative Vulnerability (Microsoft Visual Studio)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: June 23, 2020
      - Last Modified Date: September 15, 2020

    37055: HTTP: Microsoft Visual Studio DDS File Parsing Integer Overflow Vulnerability (ZDI-20-1121)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37055: ZDI-CAN-11156: Zero Day Initiative Vulnerability (Microsoft Visual Studio)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: June 23, 2020
      - Last Modified Date: September 15, 2020

    37231: HTTP: Delta Industrial Automation DOPSoft DPA File Parsing Out-Of-Bounds Read (ZDI-20-798)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37231: ZDI-CAN-10459: Zero Day Initiative Vulnerability (Delta Industrial Automation DOPSoft)".
      - Severity changed from "Critical" to "High".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: March 03, 2020
      - Last Modified Date: September 15, 2020

    37458: HTTP: WECON LeviStudioU AlarmSet bitaddr Buffer Overflow Vulnerability (ZDI-20-1070)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37458: ZDI-CAN-10489: Zero Day Initiative Vulnerability (WECON LeviStudioU)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: April 07, 2020
      - Last Modified Date: September 15, 2020

    37479: HTTP: WECON LeviStudioU AlarmSet WordAddr9 Buffer Overflow Vulnerability (ZDI-20-1069)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37479: ZDI-CAN-10548: Zero Day Initiative Vulnerability (WECON LeviStudioU)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: April 07, 2020
      - Last Modified Date: September 15, 2020

    37660: HTTP: Delta Industrial Automation CNCSoft ScreenEditor DPB Out-Of-Bounds Read (ZDI-20-942)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37660: ZDI-CAN-10882: Zero Day Initiative Vulnerability (Delta Industrial Automation CNCSoft ScreenEditor)".
      - Severity changed from "Critical" to "High".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: April 28, 2020
      - Last Modified Date: September 15, 2020

    37696: HTTP: Delta Industrial Automation CNCSoft ScreenEditor DPB Out-Of-Bounds Read (ZDI-20-945)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37696: ZDI-CAN-10885: Zero Day Initiative Vulnerability (Delta Industrial Automation CNCSoft ScreenEditor)".
      - Severity changed from "Critical" to "High".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: May 05, 2020
      - Last Modified Date: September 15, 2020

    37793: HTTP: Microsoft Visual Studio DDS File Parsing Out-Of-Bounds Read Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37793: ZDI-CAN-11212: Zero Day Initiative Vulnerability (Microsoft Visual Studio)".
      - Severity changed from "Critical" to "High".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: June 30, 2020
      - Last Modified Date: September 15, 2020

    37795: HTTP: Microsoft Visual Studio DDS File Parsing Integer Overflow Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37795: ZDI-CAN-11213: Zero Day Initiative Vulnerability (Microsoft Visual Studio)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: June 30, 2020
      - Last Modified Date: September 15, 2020

    37796: HTTP: Microsoft Windows Media Player HEVC Stream Parsing Buffer Overflow Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37796: ZDI-CAN-11215: Zero Day Initiative Vulnerability (Microsoft Windows Media Player)".
      - Category changed from "Vulnerabilities" to "Exploits".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: June 30, 2020
      - Last Modified Date: September 15, 2020

    37798: HTTP: Microsoft Windows Camera Codec Pack Out-Of-Bounds Write Vulnerability (ZDI-20-1122)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "37798: ZDI-CAN-11240: Zero Day Initiative Vulnerability (Microsoft Windows Camera Codec)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.
      - Release Date: June 30, 2020
      - Last Modified Date: September 15, 2020

  Modified Filters (metadata changes only):
    * = Enabled in Default deployments

    13855: TCP: XML External Entity (XXE) Usage
      - IPS Version: 1.0.0 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Vulnerability references updated.
      - Release Date: April 28, 2014
      - Last Modified Date: September 15, 2020

    38080: HTTP: Apache OFBiz XMLRPC Insecure Deserialization Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Release Date: September 01, 2020
      - Last Modified Date: September 15, 2020

  Removed Filters: None
Top of the Page
Need More Help?

Digital Vaccine #9449
