Summary
Digital Vaccine #9509 March 2, 2021
Details
| Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs. New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com. SMS customers can update the Digital Vaccine through the SMS client. From the top-line menu, you can open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update. |
| System Requirements |
| The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, all NGFW, and all TPS systems. The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance. Please note that vTPS does not currently support pre-disclosed ZDI filters. |
| The Digital Vaccine can be manually downloaded from the following URLs: https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9509.pkg https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9509.pkg |
Update Details
Table of Contents
--------------------------
Filters
New Filters - 19
Modified Filters (logic changes) - 7
Modified Filters (metadata changes only) - 1
Removed Filters - 0
Filters
----------------
New Filters:
38921: HTTP: Webmin Command-Shell index.cgi Cross-Site Scripting Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a cross-site scripting vulnerability in Webmin.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Common Vulnerabilities and Exposures: CVE-2020-8821 CVSS 3.5
- Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
- Protocol: HTTP
- Platform: Multi-Platform Server Application or Service
- Release Date: March 02, 2021
38930: HTTP: Nagios XI Deploy Dashboards Stored Cross-Site Scripting Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a stored cross-site scripting vulnerability in Nagios XI.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Common Vulnerabilities and Exposures: CVE-2020-27989 CVSS 3.5
- Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
- Protocol: HTTP
- Platform: Multi-Platform Server Application or Service
- Release Date: March 02, 2021
38951: HTTP: Microsoft SharePoint Permissions.GetPermissionCollection Request
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Security Policy
- Severity: Low
- Description: This filter detects a Permissions.GetPermissionCollection request to Microsoft SharePoint.
- Deployment: Not enabled by default in any deployment.
- Classification: Security Policy - Other
- Protocol: HTTP
- Platform: Windows Server Application or Service
- Release Date: March 02, 2021
38953: LDAP: OpenLDAP slapd Search ParsingissuerAndThisUpdateCheck Integer Underflow Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: High
- Description: This filter detects an attempt to exploit an integer overflow vulnerability in OpenLDAP.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Common Vulnerabilities and Exposures: CVE-2020-36228 CVSS 5.0
- Classification: Vulnerability - Denial of Service (Crash/Reboot)
- Protocol: LDAP
- Platform: Multi-Platform Server Application or Service
- Release Date: March 02, 2021
38954: HTTP: Trend Micro InterScan Web Security VA ManageVLANSettings Command Injection Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a command injection vulnerability in Trend Micro InterScan Web Security Virtual Appliance.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Common Vulnerabilities and Exposures: CVE-2020-28580 CVSS 9.0, CVE-2020-28581 CVSS 9.0
- Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
- Protocol: HTTP
- Platform: UNIX/Linux Server Application or Service
- Release Date: March 02, 2021
38998: HTTP: SolarWinds Serv-U FTP Server Cross-Site Scripting Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a cross-site scripting vulnerability in SolarWinds Serv-U FTP Server.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Common Vulnerabilities and Exposures: CVE-2020-28001
- Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
- Protocol: HTTP
- Platform: Multi-Platform Server Application or Service
- Release Date: March 02, 2021
38999: DNS: DNSmasq sort_rrset Out-Of-Bounds Write Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit an out-of-bounds write vulnerability in DNSmasq.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Common Vulnerabilities and Exposures: CVE-2020-25687
- Classification: Vulnerability - Buffer/Heap Overflow
- Protocol: DNS
- Platform: UNIX/Linux Server Application or Service
- Release Date: March 02, 2021
39000: FTP: SolarWinds Serv-U FTP Server Cross-Site Scripting Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a cross-site scripting vulnerability in SolarWinds Serv-U FTP Server.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Common Vulnerabilities and Exposures: CVE-2020-28001
- Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
- Protocol: FTP
- Platform: Multi-Platform Server Application or Service
- Release Date: March 02, 2021
39025: HTTP: Accellion File Transfer Appliance Host Header SQL Injection Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a SQL injection vulnerability in Accellion File Transfer Appliance.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Common Vulnerabilities and Exposures: CVE-2021-27101
- Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
- Protocol: HTTP
- Platform: Multi-Platform Server Application or Service
- Release Date: March 02, 2021
39042: HTTP: Oracle Application Server Multiple Vulnerabilities
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit multiple vulnerabilities in Oracle Application Server.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- Classification: Vulnerability - Buffer/Heap Overflow
- Protocol: HTTP
- Platform: Multi-Platform Server Application or Service
- Release Date: March 02, 2021
39043: HTTP: Oracle Application Server OWA_UTIL PL/SQL Package Access
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Security Policy
- Severity: Moderate
- Description: This filter detects procedure calls through OWA_UTIL PL/SQL Package.
- Deployment: Not enabled by default in any deployment.
- Classification: Security Policy - Other
- Protocol: HTTP
- Platform: Multi-Platform Server Application or Service
- Release Date: March 02, 2021
39044: HTTPS: Zoom POST logfiles Request
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Security Policy
- Severity: Low
- Description: This filter detects a Zoom POST request to the zoom.logfiles.us server.
- Deployment: Not enabled by default in any deployment.
- Classification: Security Policy - Other
- Protocol: HTTP
- Platform: Multi-Platform Server Application or Service
- Release Date: March 02, 2021
39045: HTTPS: Zoom WebSocket Upgrade Request
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Security Policy
- Severity: Low
- Description: This filter detects a Zoom upgrade WebSocket request.
- Deployment: Not enabled by default in any deployment.
- Classification: Security Policy - Other
- Protocol: HTTP
- Platform: Multi-Platform Server Application or Service
- Release Date: March 02, 2021
39046: HTTP: Python PyCArg_repr Buffer Overflow Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a buffer overflow vulnerability in Python.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
- References:
- Common Vulnerabilities and Exposures: CVE-2021-3177
- Classification: Vulnerability - Buffer/Heap Overflow
- Protocol: HTTP
- Platform: Multi-Platform Client Application
- Release Date: March 02, 2021
39047: LDAP: OpenLDAP slapd Proxy Authorization Denial-of-Service Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: High
- Description: This filter detects an attempt to exploit a denial-of-service vulnerability in OpenLDAP.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Common Vulnerabilities and Exposures: CVE-2020-36222 CVSS 5.0
- Classification: Vulnerability - Denial of Service (Crash/Reboot)
- Protocol: LDAP
- Platform: Multi-Platform Server Application or Service
- Release Date: March 02, 2021
39048: HTTP: WordPress Code Snippets Plugin CSRF Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: High
- Description: This filter detects an attempt to exploit a CSRF vulnerability in the WordPress Code Snippets Plugin.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Common Vulnerabilities and Exposures: CVE-2020-8417
- Classification: Vulnerability - Other
- Protocol: HTTP
- Platform: Multi-Platform Server Application or Service
- Release Date: March 02, 2021
39074: HTTP: GitLab import_url CRLF Injection Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Vulnerabilities
- Severity: Critical
- Description: This filter detects an attempt to exploit a CRLF injection vulnerability in Gitlab.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Common Vulnerabilities and Exposures: CVE-2018-19585
- Classification: Vulnerability - Other
- Protocol: Other Protocol
- Platform: Other Server Application or Service
- Release Date: March 02, 2021
39077: TCP: VMware vSphere Client vropspluginui Code Execution Vulnerability
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Exploits
- Severity: Critical
- Description: This filter detects an attempt to exploit a code execution vulnerability in VMware vSphere Client.
- Deployments:
- Deployment: Security-Optimized (Block / Notify)
- References:
- Common Vulnerabilities and Exposures: CVE-2021-21972
- Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
- Protocol: TCP (Generic)
- Platform: Multi-Platform Client Application
- Release Date: March 02, 2021
39078: TCP: VMware vSphere Client Suspicious statsreport Usage
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Security Policy
- Severity: Moderate
- Description: This filter detects a suspicious statsreport request in VMware vSphere Client.
- Deployment: Not enabled by default in any deployment.
- References:
- Common Vulnerabilities and Exposures: CVE-2021-21972
- Classification: Security Policy - Forbidden Application Access or Service Request
- Protocol: TCP (Generic)
- Platform: Multi-Platform Client Application
- Release Date: March 02, 2021
Modified Filters (logic changes):
* = Enabled in Default deployments
34932: HTTP: Micro Focus Operations Bridge Manager Deserialization Vulnerability (Multiple ZDI Cases)
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "34932: ZDI-CAN-11200,11381-9,11390-9,11400-11417: Zero Day Initiative Vulnerability (Micro Focus)".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
- Release Date: July 07, 2020
- Last Modified Date: March 02, 2021
38159: HTTP: Schneider Electric EcoStruxure Power Build SSD File Use-After-Free Vulnerability (ZDI-21-186)
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "38159: ZDI-CAN-11849: Zero Day Initiative Vulnerability (Schneider Electric EcoStruxure)".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
- Release Date: September 22, 2020
- Last Modified Date: March 02, 2021
38160: HTTP: Schneider Electric EcoStruxure Power Build SSD File Buffer Overflow Vulnerability (ZDI-21-187)
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "38160: ZDI-CAN-11850: Zero Day Initiative Vulnerability (Schneider Electric EcoStruxure)".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
- Release Date: September 22, 2020
- Last Modified Date: March 02, 2021
38527: HTTP: Advantech iView UserServlet SQL Injection Vulnerability (ZDI-21-188)
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "38527: ZDI-CAN-12095: Zero Day Initiative Vulnerability (Advantech iView)".
- Severity changed from "Critical" to "High".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
- Release Date: December 08, 2020
- Last Modified Date: March 02, 2021
38528: HTTP: Advantech iView CommandServlet Directory Traversal Vulnerability (ZDI-21-189)
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "38528: ZDI-CAN-12096: Zero Day Initiative Vulnerability (Advantech iView)".
- Severity changed from "Critical" to "High".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
- Release Date: December 08, 2020
- Last Modified Date: March 02, 2021
38587: HTTP: Advantech iView NetworkServlet ztp_config_name SQL Injection Vulnerability (ZDI-21-190)
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "38587: ZDI-CAN-12343: Zero Day Initiative Vulnerability (Advantech iView)".
- Severity changed from "Critical" to "High".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
- Release Date: December 15, 2020
- Last Modified Date: March 02, 2021
38588: HTTP: Advantech iView UserServlet SQL Injection Vulnerability (ZDI-21-191)
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "38588: ZDI-CAN-12344: Zero Day Initiative Vulnerability (Advantech iView)".
- Severity changed from "Critical" to "High".
- Description updated.
- Detection logic updated.
- Vulnerability references updated.
- Release Date: December 15, 2020
- Last Modified Date: March 02, 2021
Modified Filters (metadata changes only):
* = Enabled in Default deployments
38833: HTTP: SAP Solution Manager stopScript SOAP Request
- IPS Version: 3.6.2 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "38833: HTTP: SAP Solution Manager stopScript SOAP Request (ATT&CK T1070.004)".
- Vulnerability references updated.
- Release Date: February 09, 2021
- Last Modified Date: March 02, 2021
Removed Filters: None
Top of the Page
