TippingPoint Threat Intelligence and Zero-Day Coverage – Week of December 11, 2017

Credit to Author: Elisa Lippincott (TippingPoint Global Product Marketing) | Date: Fri, 15 Dec 2017 16:06:45 +0000

If you read my weekly blog or follow me on Twitter, you know that I’m a huge sports fan. Unfortunately, when you don’t live in the town of your favorite team, you can be subject to blackout rules. So, my husband and I decided to purchase NFL Sunday Ticket from DirecTV. Fast forward to a couple of years ago – I wanted to watch my team play, but the channel that the game was supposed to be on was showing another game featuring my least favorite team instead. Needless to say, I was a little upset. I called DirecTV and I wasn’t shy about my feelings on the situation. The customer service representative put me on hold to figure out the problem. Why wasn’t I able to see my game? The game was already over. I’m sure the team at DirecTV had a big laugh over my mistake, but I owned up to it and apologized to the representative.

When a vulnerability is submitted to the Zero Day Initiative (ZDI), the affected vendor is given 120 days to take action to patch the vulnerability. If the deadline is not met, the ZDI will publicly disclose the vulnerability in accordance with its disclosure policy. Earlier this week, the ZDI published a zero-day vulnerability as a result of a vendor not patching it. One of our internal researchers, Ricky Lawshae, submitted a vulnerability to the ZDI in mid-June of this year involving equipment that DirecTV uses with its Wireless Genie devices. The affected equipment is a Linksys WVBR0-25, which is used as a wireless video bridge. Ricky reviewed the scripts running on the Linksys device and found one into which he could inject additional commands. By exploiting this command injection vulnerability, he was able to obtain a root shell on the box in less than 30 seconds, which ultimately granted him full remote unauthenticated administrator control over the device. The ZDI attempted to contact the vendor several times regarding the vulnerability but never received a reply. The ZDI informed Linksys that the vulnerability would be published on December 12, 2017. You can read Ricky’s blog to get more details on this vulnerability as well as view a video of the exploit in action.

Microsoft Update

This week’s Digital Vaccine® (DV) package includes coverage for Microsoft updates released on or before December 12, 2017. Security patches were released by Microsoft covering Internet Explorer (IE), Edge, Windows, Office, SharePoint, and Exchange. Three of the Microsoft CVEs came through the ZDI program. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. You can get more detailed information on this month’s security updates from Dustin Childs’ December 2017 Security Update Review from the Zero Day Initiative:

CVE #           Digital Vaccine Filter #   Status
CVE-2017-11885  30092
CVE-2017-11886  30069
CVE-2017-11887  20792
CVE-2017-11888  30070
CVE-2017-11889  30075
CVE-2017-11890  30068
CVE-2017-11893  30076
CVE-2017-11894  30077
CVE-2017-11895  30078
CVE-2017-11899                             Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11901  *29900
CVE-2017-11903  30079
CVE-2017-11905                             Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11906                             Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11907  30081
CVE-2017-11908                             Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11909  30082
CVE-2017-11910                             Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11911  30083
CVE-2017-11912                             Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11913  *29786
CVE-2017-11914  30080
CVE-2017-11916  30085
CVE-2017-11918  30074
CVE-2017-11919                             Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11927                             Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11930  30086
CVE-2017-11932                             Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11934                             Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11935  30088
CVE-2017-11936                             Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11937  30093
CVE-2017-11939                             Vendor Deemed Reproducibility or Exploitation Unlikely

End of Support Bulletin

Earlier this week, we announced the end of support for a number of TippingPoint software releases across various models.

Date of Announcement: December 12, 2017

Affected IPS (N/NX-Series) TOS Versions: 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.9.0, 3.9.1

End of Engineering: March 31, 2018

End of Support: December 31, 2018

Affected IPS (S-Series) TOS Versions: 3.6.4, 3.6.5, 3.6.6

End of Engineering: March 31, 2018

End of Support: December 31, 2018

Affected TPS TOS Versions: 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0

End of Engineering: March 31, 2018

End of Support: December 31, 2018

Affected SMS TOS Versions: 4.4.0

End of Engineering: March 31, 2018

End of Support: December 31, 2018

Factory Release of TPS 5.0.0: October 16, 2017

Factory Release of SMS 5.0.0: March 31, 2018

Factory Release of IPS 3.8.4: March 31, 2018

Customers who have questions or need assistance with migration planning can contact the TippingPoint Technical Assistance Center. Release notes are also available on https://tmc.tippingpoint.com.

Zero-Day Filters

There are no new zero-day filters in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website. You can also follow the Zero Day Initiative on Twitter @thezdi and on their blog.

Updated Existing Zero-Day Filters

This section highlights specific filter(s) of interest in this week’s Digital Vaccine package that have been updated as a result of a vendor either issuing a patch for a vulnerability found via the Zero Day Initiative or a vulnerability that has been published by the Zero Day Initiative in accordance with its Disclosure Policy.

This week’s updated zero-day filters focus on two of the vulnerabilities from this month’s Microsoft update. The updated filters reflect the fact that the vulnerabilities have been published because Microsoft has issued patches for them. The date in parentheses after each filter reflects the date we had protection in place for our customers:

Microsoft (2)

• 29900: HTTP: Microsoft Chakra Javascript Array JIT Optimization Type Confusion Vulnerability (November 7, 2017)

• 29786: HTTP: Microsoft Windows VBScript VT_BSTR Use-After-Free Vulnerability (October 24, 2017)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.