TippingPoint Threat Intelligence and Zero-Day Coverage – Week of December 11, 2017
Credit to Author: Elisa Lippincott (TippingPoint Global Product Marketing)| Date: Fri, 15 Dec 2017 16:06:45 +0000
If you read my weekly blog or follow me on Twitter, you know that I’m a huge sports fan. Unfortunately, when you don’t live in the town of your favorite team, you can be subject to blackout rules. So, my husband and I decided to purchase NFL Sunday Ticket from DirecTV. Fast forward to a couple of years ago – I wanted to watch my team play, but the channel that the game was supposed to be on was showing another game featuring my least favorite team instead. Needless to say, I was a little upset. I called DirecTV and I wasn’t shy about my feelings on the situation. The customer service representative put me on hold to figure out the problem. Why wasn’t I able to see my game? The game was already over. I’m sure the team at DirecTV had a big laugh over my mistake, but I owned up to it and apologized to the representative.
When a vulnerability is submitted to the Zero Day Initiative (ZDI), the affected vendor is given 120 days to take action to patch the vulnerability. If the deadline is not met, the ZDI will publicly disclose the vulnerability in accordance with its disclosure policy. Earlier this week, the Zero Day Initiative (ZDI) published a zero-day vulnerability as a result of a vendor not patching a vulnerability. One of our internal researchers, Ricky Lawshae, submitted a vulnerability to the Zero Day Initiative in mid-June of this year involving equipment that DirecTV uses with its Wireless Genie devices. The affected equipment is a Linksys WVBR0-25, which is used as a wireless video bridge. Ricky reviewed the scripts running on the Linksys device and found one that he could use to inject additional commands. He was able to obtain a root shell on the box in less than 30 seconds by exploiting this command injection vulnerability, which ultimately granted him full remote unauthenticated administrator control over the device. The ZDI attempted to contact the vendor several times regarding the vulnerability but never received a reply. The ZDI informed Linksys that the vulnerability would be published on December 12, 2017. You can read Ricky’s blog to get more details on this vulnerability as well as view a video of the exploit in action.
Microsoft Update
This week’s Digital Vaccine® (DV) package includes coverage for Microsoft updates released on or before December 12, 2017. Security patches were released by Microsoft covering Internet Explorer (IE), Edge, Windows, Office, SharePoint, and Exchange. Three of the Microsoft CVEs came through the ZDI program. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. You can get more detailed information on this month’s security updates from Dustin Childs’ December 2017 Security Update Review from the Zero Day Initiative:
CVE # | Digital Vaccine Filter # | Status
--- | --- | ---
CVE-2017-11885 | 30092 |
CVE-2017-11886 | 30069 |
CVE-2017-11887 | 20792 |
CVE-2017-11888 | 30070 |
CVE-2017-11889 | 30075 |
CVE-2017-11890 | 30068 |
CVE-2017-11893 | 30076 |
CVE-2017-11894 | 30077 |
CVE-2017-11895 | 30078 |
CVE-2017-11899 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11901 | *29900 |
CVE-2017-11903 | 30079 |
CVE-2017-11905 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11906 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11907 | 30081 |
CVE-2017-11908 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11909 | 30082 |
CVE-2017-11910 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11911 | 30083 |
CVE-2017-11912 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11913 | *29786 |
CVE-2017-11914 | 30080 |
CVE-2017-11916 | 30085 |
CVE-2017-11918 | 30074 |
CVE-2017-11919 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11927 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11930 | 30086 |
CVE-2017-11932 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11934 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11935 | 30088 |
CVE-2017-11936 | | Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2017-11937 | 30093 |
CVE-2017-11939 | | Vendor Deemed Reproducibility or Exploitation Unlikely
End of Support Bulletin
Earlier this week, we announced the end of support for a number of TippingPoint software releases across various models.
Date of Announcement: December 12, 2017
Affected IPS (N/NX-Series) TOS Versions: 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.9.0, 3.9.1
End of Engineering: March 31, 2018
End of Support: December 31, 2018
Affected IPS (S-Series) TOS Versions: 3.6.4, 3.6.5, 3.6.6
End of Engineering: March 31, 2018
End of Support: December 31, 2018
Affected TPS TOS Versions: 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0
End of Engineering: March 31, 2018
End of Support: December 31, 2018
Affected SMS TOS Versions: 4.4.0
End of Engineering: March 31, 2018
End of Support: December 31, 2018
Factory Release of TPS 5.0.0: October 16, 2017
Factory Release of SMS 5.0.0: March 31, 2018
Factory Release of IPS 3.8.4: March 31, 2018
Customers with any questions or who need assistance with migration planning can contact the TippingPoint Technical Assistance Center. Release notes are also available on https://tmc.tippingpoint.com.
Zero-Day Filters
There are no new zero-day filters in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website. You can also follow the Zero Day Initiative on Twitter @thezdi and on their blog.
Updated Existing Zero-Day Filters
This section highlights specific filter(s) of interest in this week’s Digital Vaccine package that have been updated as a result of a vendor either issuing a patch for a vulnerability found via the Zero Day Initiative or a vulnerability that has been published by the Zero Day Initiative in accordance with its Disclosure Policy.
This week’s updated zero-day filters focus on two of the vulnerabilities from this month’s Microsoft update. The updated filters reflect the fact that the vulnerabilities have been published because Microsoft has issued patches for them. The date in parentheses after each filter reflects the date we had protection in place for our customers:
Microsoft (2)
• 29900: HTTP: Microsoft Chakra Javascript Array JIT Optimization Type Confusion Vulnerability (November 7, 2017)
• 29786: HTTP: Microsoft Windows VBScript VT_BSTR Use-After-Free Vulnerability (October 24, 2017)
Missed Last Week’s News?
Catch up on last week’s news in my weekly recap.