TippingPoint Threat Intelligence and Zero-Day Coverage – Week of September 11, 2017

2017-09-15T14:59:53
ID TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28
Type trendmicroblog
Reporter Elisa Lippincott (TippingPoint Global Product Marketing)
Modified 2017-09-15T14:59:53

Description

In last week’s blog, I mentioned the Apache Struts vulnerability, which is still making headlines: estimates suggest that as many as 65 percent of Fortune 500 companies use Struts in some form, and Equifax has stated that it played a role in the company’s breach, which affected more than 143 million Americans.

On July 11, 2017, Digital Vaccine® (DV) filter 29068 (HTTP: Apache Struts 2 Struts 1 Plugin Remote Code Execution Vulnerability) shipped to customers using TippingPoint solutions to address a remote code execution vulnerability in the Struts 1 plugin for Struts 2. When the TippingPoint DVLabs team later obtained exploit code for CVE-2017-12611, it tested that code and found that DV filter 29068 already covered the new vulnerability, meaning customers had protection for nearly two months while it was still a zero-day. Looking at data from a small percentage of customers using TippingPoint solutions, the DVLabs team has seen significant activity on filter 29068, a mixture of scanning and fingerprinting attempts against the vulnerability as well as actual exploit attempts. Because the filter has been available since July, customers have been able to use it as a virtual patch to protect their networks while they work through their process to patch the Apache vulnerability and make other system and policy adjustments. As with any virtual patch, the filter reduces exposure at the network edge; it does not replace applying the vendor fix.

For more information on the Apache Struts vulnerability and Trend Micro coverage, please reference the following blogs:


TippingPoint® Threat Management Center (TMC) and ThreatLinQ Planned System Outage Notification

Effective Sunday, September 24, 2017, Trend Micro is introducing an enhanced License Manager feature to allow for easier management of licenses for the TippingPoint Threat Protection System (TPS) family of products. In order to deploy the new feature, both the Threat Management Center (TMC) and ThreatLinQ Web sites will be intermittently unavailable during the following dates and times:

From | Time | To | Time
---|---|---|---
Friday, September 22, 2017 | 7:00 PM (CDT) | Sunday, September 24, 2017 | 8:00 PM (CDT)
Saturday, September 23, 2017 | 12:00 AM (UTC) | Monday, September 25, 2017 | 1:00 AM (UTC)

During the upgrade window, the Security Management System (SMS), Intrusion Prevention System (IPS), Next Generation Firewall (NGFW), Threat Protection System (TPS) and ArcSight Enterprise Security Manager (ESM) connectivity to the TMC will be intermittently unavailable. This will prevent Digital Vaccine (DV), Threat Digital Vaccine (ThreatDV), Reputation Security Monitor (RepSM) and TippingPoint Operating System (TOS) updates from occurring until the upgrade is completed. Customers with any questions or concerns can contact the TippingPoint Technical Assistance Center (TAC).

Microsoft Update

This week’s Digital Vaccine® (DV) package includes coverage for Microsoft updates released on or before September 12, 2017. Microsoft released a whopping 81 security patches for September covering Windows, Internet Explorer (IE), Edge, Exchange, .NET Framework, Office, and Hyper-V. 26 of the patches are listed as Critical, 53 are rated Important, and two are Moderate in severity. 10 of the Microsoft CVEs came through the Zero Day Initiative program. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. You can get more detailed information on this month’s security updates from Dustin Childs’ September 2017 Security Update Review from the Zero Day Initiative:

CVE # | Digital Vaccine Filter # | Status
---|---|---
CVE-2017-0161 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8567 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8597 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8628 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8629 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8630 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8631 | 29599 |
CVE-2017-8632 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8643 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8648 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8649 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8660 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8675 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8676 | 28226 |
CVE-2017-8677 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8678 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8679 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8680 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8681 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8682 | 29569 |
CVE-2017-8683 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8684 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8685 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8686 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8687 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8688 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8692 | 28737 |
CVE-2017-8695 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8696 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8699 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8702 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8704 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8706 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8707 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8708 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8709 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8710 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8711 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8712 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8713 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8714 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8716 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8719 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8720 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8723 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8724 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8725 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8728 | 29574 |
CVE-2017-8729 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8731 | 29577 |
CVE-2017-8733 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8734 | 29579 |
CVE-2017-8735 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8736 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8737 | 28736 |
CVE-2017-8738 | 28981 |
CVE-2017-8739 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8740 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8741 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8742 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8743 | *29153 |
CVE-2017-8744 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8745 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8746 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8747 | 29581 |
CVE-2017-8748 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8749 | 29575 |
CVE-2017-8750 | 29576 |
CVE-2017-8751 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8752 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8753 | 29573 |
CVE-2017-8754 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8755 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8756 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8757 | 29578 |
CVE-2017-8758 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-8759 | 29600 |
CVE-2017-9417 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11761 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11764 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11766 | | Vendor Deemed Reproducibility or Exploitation Unlikely

Mobile Pwn2Own 2017 Returns to Tokyo!

The Zero Day Initiative is pleased to announce the sixth annual Mobile Pwn2Own™ competition will return at this year’s PacSec conference in Tokyo on November 1-2, 2017. The tradition of crowning a Master of Pwn will also return as some of the world’s top security researchers demonstrate attacks on the most popular mobile devices. More than $500,000 USD will be available in the prize pool, with add-on bonuses for exploits that meet a higher bar of difficulty. For details on targets and challenges as well as the complete set of rules, click here.

Zero-Day Filters

There are 18 new zero-day filters covering seven vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (1)

  • 29584: ZDI-CAN-5034: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)

Delta (1)

  • 29557: HTTP: Delta Industrial Automation WPLSoft File Parser Usage (ZDI-17-698)

Eaton (1)

  • 29558: HTTP: Eaton ELCSoft Buffer Overflow Vulnerability (ZDI-17-519)

Foxit (12)

  • 29544: ZDI-CAN-5016: Zero Day Initiative Vulnerability (Foxit Reader)
  • 29545: ZDI-CAN-5017: Zero Day Initiative Vulnerability (Foxit Reader)
  • 29546: ZDI-CAN-5018: Zero Day Initiative Vulnerability (Foxit Reader)
  • 29552: ZDI-CAN-5019: Zero Day Initiative Vulnerability (Foxit Reader)
  • 29553: ZDI-CAN-5020,5027,5029: Zero Day Initiative Vulnerability (Foxit Reader)
  • 29555: ZDI-CAN-5021: Zero Day Initiative Vulnerability (Foxit Reader)
  • 29556: ZDI-CAN-5022: Zero Day Initiative Vulnerability (Foxit Reader)
  • 29559: ZDI-CAN-5023: Zero Day Initiative Vulnerability (Foxit Reader)
  • 29563: ZDI-CAN-5024: Zero Day Initiative Vulnerability (Foxit Reader)
  • 29564: ZDI-CAN-5025: Zero Day Initiative Vulnerability (Foxit Reader)
  • 29565: ZDI-CAN-5026: Zero Day Initiative Vulnerability (Foxit Reader)
  • 29566: ZDI-CAN-5028: Zero Day Initiative Vulnerability (Foxit Reader)

Mitsubishi Electric (1)

  • 29448: HTTP: Mitsubishi Electric E-Designer SetupAlarm Font Buffer Overflow Vulnerability (ZDI-17-508)

Schneider Electric (1)

  • 29550: HTTP: Schneider Electric U.motion Builder SOAP Request SQL Command Execution (ZDI-17-387)

Trend Micro (1)

  • 29452: HTTP: Trend Micro Control Manager cgiShowClientAdm Authentication Request (ZDI-17-244)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.