In last week’s blog, I mentioned the Apache Struts vulnerability, which is still making headlines as estimates show that as many as 65 percent of Fortune 500 companies use Struts in some form. In addition, Equifax claims the vulnerability played a role in its breach affecting more than 143 million Americans.

On July 11, 2017, Digital Vaccine® (DV) filter 29068 (HTTP: Apache Struts 2 Struts 1 Plugin Remote Code Execution Vulnerability) was shipped to customers using TippingPoint solutions to address a vulnerability in Struts. Once the TippingPoint DVLabs team discovered the exploit code for CVE-2017-12611, the team tested it and found that DV filter 29068 had effectively covered this vulnerability for nearly two months while it was still a 0-day! Looking at data from a small percentage of customers using TippingPoint solutions, the DVLabs team has seen significant activity from filter 29068, a mixture of scanning/fingerprinting attempts against the vulnerability and actual exploit attempts. Because this DV filter has been available since July, customers have been able to use it as a virtual patch to protect their networks while they work out their process to patch the Apache vulnerability and make other system and policy adjustments.

For more information on the Apache Struts vulnerability and Trend Micro coverage, please reference the following blogs:

TippingPoint® Threat Management Center (TMC) and ThreatLinQ Planned System Outage Notification

Effective Sunday, September 24, 2017, Trend Micro is introducing an enhanced License Manager feature to allow for easier management of licenses for the TippingPoint Threat Protection System (TPS) family of products. In order to deploy the new feature, both the Threat Management Center (TMC) and ThreatLinQ Web sites will be intermittently unavailable during the following dates and times:

| From | Time | To | Time |
| --- | --- | --- | --- |
| Friday, September 22, 2017 | 7:00 PM (CDT) | Sunday, September 24, 2017 | 8:00 PM (CDT) |
| Saturday, September 23, 2017 | 12:00 AM (UTC) | Monday, September 25, 2017 | 1:00 AM (UTC) |

During the upgrade window, the Security Management System (SMS), Intrusion Prevention System (IPS), Next Generation Firewall (NGFW), Threat Protection System (TPS) and ArcSight Enterprise Security Manager (ESM) connectivity to the TMC will be intermittently unavailable. This will prevent Digital Vaccine (DV), Threat Digital Vaccine (ThreatDV), Reputation Security Monitor (RepSM) and TippingPoint Operating System (TOS) updates from occurring until the upgrade is completed. Customers with any questions or concerns can contact the TippingPoint Technical Assistance Center (TAC).

Microsoft Update

This week’s Digital Vaccine® (DV) package includes coverage for Microsoft updates released on or before September 12, 2017. Microsoft released a whopping 81 security patches for September covering Windows, Internet Explorer (IE), Edge, Exchange, .NET Framework, Office, and Hyper-V. 26 of the patches are listed as Critical, 53 are rated Important, and two are Moderate in severity. 10 of the Microsoft CVEs came through the Zero Day Initiative program. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. You can get more detailed information on this month’s security updates from Dustin Childs’ September 2017 Security Update Review from the Zero Day Initiative:

| CVE # | Digital Vaccine Filter # | Status |
| --- | --- | --- |
| CVE-2017-0161 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8567 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8597 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8628 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8629 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8630 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8631 | 29599 | |
| CVE-2017-8632 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8643 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8648 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8649 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8660 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8675 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8676 | *28226 | |
| CVE-2017-8677 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8678 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8679 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8680 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8681 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8682 | 29569 | |
| CVE-2017-8683 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8684 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8685 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8686 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8687 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8688 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8692 | *28737 | |
| CVE-2017-8695 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8696 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8699 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8702 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8704 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8706 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8707 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8708 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8709 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8710 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8711 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8712 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8713 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8714 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8716 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8719 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8720 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8723 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8724 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8725 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8728 | 29574 | |
| CVE-2017-8729 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8731 | 29577 | |
| CVE-2017-8733 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8734 | 29579 | |
| CVE-2017-8735 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8736 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8737 | *28736 | |
| CVE-2017-8738 | *28981 | |
| CVE-2017-8739 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8740 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8741 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8742 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8743 | *29153 | |
| CVE-2017-8744 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8745 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8746 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8747 | 29581 | |
| CVE-2017-8748 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8749 | 29575 | |
| CVE-2017-8750 | 29576 | |
| CVE-2017-8751 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8752 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8753 | 29573 | |
| CVE-2017-8754 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8755 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8756 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8757 | 29578 | |
| CVE-2017-8758 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-8759 | 29600 | |
| CVE-2017-9417 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-11761 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-11764 | | Vendor Deemed Reproducibility or Exploitation Unlikely |
| CVE-2017-11766 | | Vendor Deemed Reproducibility or Exploitation Unlikely |

Mobile Pwn2Own 2017 Returns to Tokyo!

The Zero Day Initiative is pleased to announce the sixth annual Mobile Pwn2Own™ competition will return at this year’s PacSec conference in Tokyo on November 1-2, 2017. The tradition of crowning a Master of Pwn will also return as some of the world’s top security researchers demonstrate attacks on the most popular mobile devices. More than $500,000 USD will be available in the prize pool, with add-on bonuses for exploits that meet a higher bar of difficulty. For details on targets and challenges as well as the complete set of rules, click here.

Zero-Day Filters

There are 18 new zero-day filters covering seven vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (1)

29584: ZDI-CAN-5034: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)

Delta (1)

29557: HTTP: Delta Industrial Automation WPLSoft File Parser Usage (ZDI-17-698)

Eaton (1)

29558: HTTP: Eaton ELCSoft Buffer Overflow Vulnerability (ZDI-17-519)

Foxit (12)

29544: ZDI-CAN-5016: Zero Day Initiative Vulnerability (Foxit Reader)

29545: ZDI-CAN-5017: Zero Day Initiative Vulnerability (Foxit Reader)

29546: ZDI-CAN-5018: Zero Day Initiative Vulnerability (Foxit Reader)

29552: ZDI-CAN-5019: Zero Day Initiative Vulnerability (Foxit Reader)

29553: ZDI-CAN-5020,5027,5029: Zero Day Initiative Vulnerability (Foxit Reader)

29555: ZDI-CAN-5021: Zero Day Initiative Vulnerability (Foxit Reader)

29556: ZDI-CAN-5022: Zero Day Initiative Vulnerability (Foxit Reader)

29559: ZDI-CAN-5023: Zero Day Initiative Vulnerability (Foxit Reader)

29563: ZDI-CAN-5024: Zero Day Initiative Vulnerability (Foxit Reader)

29564: ZDI-CAN-5025: Zero Day Initiative Vulnerability (Foxit Reader)

29565: ZDI-CAN-5026: Zero Day Initiative Vulnerability (Foxit Reader)

29566: ZDI-CAN-5028: Zero Day Initiative Vulnerability (Foxit Reader)

Mitsubishi Electric (1)

29448: HTTP: Mitsubishi Electric E-Designer SetupAlarm Font Buffer Overflow Vulnerability (ZDI-17-508)

Schneider Electric (1)

29550: HTTP: Schneider Electric U.motion Builder SOAP Request SQL Command Execution (ZDI-17-387)

Trend Micro (1)

29452: HTTP: Trend Micro Control Manager cgiShowClientAdm Authentication Request (ZDI-17-244)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.