TippingPoint Threat Intelligence and Zero-Day Coverage – Week of December 11, 2017

2017-12-15T16:06:45
ID TRENDMICROBLOG:83CF76ED2F779A162F6FE7688839D2BF
Type trendmicroblog
Reporter Elisa Lippincott (TippingPoint Global Product Marketing)
Modified 2017-12-15T16:06:45

Description

If you read my weekly blog or follow me on Twitter, you know that I’m a huge sports fan. Unfortunately, when you don’t live in the town of your favorite team, you can be subject to blackout rules. So, my husband and I decided to purchase NFL Sunday Ticket from DirecTV. Fast forward to a couple of years ago – I wanted to watch my team play, but the channel that the game was supposed to be on was showing another game featuring my least favorite team instead. Needless to say, I was a little upset. I called DirecTV and I wasn’t shy about my feelings on the situation. The customer service representative put me on hold to figure out the problem. Why wasn’t I able to see my game? The game was already over. I’m sure the team at DirecTV had a big laugh over my mistake, but I owned up to it and apologized to the representative.

When a vulnerability is submitted to the Zero Day Initiative (ZDI), the affected vendor is given 120 days to take action to patch the vulnerability. If the deadline is not met, the ZDI will publicly disclose the vulnerability in accordance with its disclosure policy. Earlier this week, the Zero Day Initiative (ZDI) published a zero-day vulnerability as a result of a vendor not patching a vulnerability. One of our internal researchers, Ricky Lawshae, submitted a vulnerability to the Zero Day Initiative in mid-June of this year involving equipment that DirecTV uses with its Wireless Genie devices. The affected equipment is a Linksys WVBR0-25 which is used as a wireless video bridge. Ricky reviewed the scripts running on the Linksys device and found one that he could to inject additional commands. He was able to implement a root shell on the box in less than 30 seconds by exploiting this command injection vulnerability, which ultimately granted him full remote unauthenticated administrator control over the device. The ZDI attempted to contact the vendor several times regarding the vulnerability but never received a reply. The ZDI informed Linksys that the vulnerability would be published on December 12, 2017. You can read Ricky’s blog to get more details on this vulnerability as well as view a video of the exploit in action.Microsoft Update

This week’s Digital Vaccine® (DV) package includes coverage for Microsoft updates released on or before December 12, 2017. Security patches were released by Microsoft covering Internet Explorer (IE), Edge, Windows, Office, SharePoint, and Exchange. Three of the Microsoft CVEs came through the ZDI program. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. You can get more detailed information on this month’s security updates from Dustin Childs’ December 2017 Security Update Review from the Zero Day Initiative:

CVE # | Digital Vaccine Filter # | Status
---|---|---
CVE-2017-11885 | 30092 |
CVE-2017-11886 | 30069 |
CVE-2017-11887 | 20792 |
CVE-2017-11888 | 30070 |
CVE-2017-11889 | 30075 |
CVE-2017-11890 | 30068 |
CVE-2017-11893 | 30076 |
CVE-2017-11894 | 30077 |
CVE-2017-11895 | 30078 |
CVE-2017-11899 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11901 | 29900 |
CVE-2017-11903 | 30079 |
CVE-2017-11905 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11906 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11907 | 30081 |
CVE-2017-11908 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11909 | 30082 |
CVE-2017-11910 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11911 | 30083 |
CVE-2017-11912 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11913 |
29786 |
CVE-2017-11914 | 30080 |
CVE-2017-11916 | 30085 |
CVE-2017-11918 | 30074 |
CVE-2017-11919 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11927 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11930 | 30086 |
CVE-2017-11932 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11934 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11935 | 30088 |
CVE-2017-11936 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11937 | 30093 |
CVE-2017-11939 | | Vendor Deemed Reproducibility or Exploitation Unlikely

End of Support Bulletin

Earlier this week, we announced the end of support for a number of TippingPoint software releases across various models.

Date of Announcement: December 12, 2017

Affected IPS (N/NX-Series) TOS Versions: 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.9.0, 3.9.1

End of Engineering: March 31, 2018

End of Support: December 31, 2018

Affected IPS (S-Series) TOS Versions: 3.6.4, 3.6.5, 3.6.6

End of Engineering: March 31, 2018

End of Support: December 31, 2018

Affected TPS TOS Versions: 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0

End of Engineering: March 31, 2018

End of Support: December 31, 2018

Affected SMS TOS Versions: 4.4.0

End of Engineering: March 31, 2018

End of Support: December 31, 2018

Factory Release of TPS 5.0.0: October 16, 2017

Factory Release of SMS 5.0.0: March 31, 2018

Factory Release of IPS 3.8.4: March 31, 2018

Customers with any questions or need assistance with migration planning can contact the TippingPoint Technical Assistance Center. Release notes are also available on <https://tmc.tippingpoint.com>.

Zero-Day Filters

There are no new zero-day filters in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website. You can also follow the Zero Day Initiative on Twitter @thezdi and on their blog.

Updated Existing Zero-Day Filters

This section highlights specific filter(s) of interest in this week’s Digital Vaccine package that have been updated as a result of a vendor either issuing a patch for a vulnerability found via the Zero Day Initiative or a vulnerability that has been published by the Zero Day Initiative in accordance with its Disclosure Policy.

This week’s updated zero-day filters focus on two of the vulnerabilities from this month’s Microsoft update. The updated filters reflect the fact that the vulnerabilities have been published because Microsoft has issued patches for them. The dates in parentheses after each filter reflects the date we had protection in place for our customers:

Microsoft (2)

• 29900: HTTP: Microsoft Chakra Javascript Array JIT Optimization Type Confusion Vulnerability (November 7, 2017)

• 29786: HTTP: Microsoft Windows VBScript VT_BSTR Use-After-Free Vulnerability (October 24, 2017)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.