During the DefCon Conference last week, a Windows SMB vulnerability was revealed by researchers from RiskSense. The 20-year-old bug can be found in Windows 2000 up to Windows 10. Microsoft has indicated that it will not be issuing a patch for the vulnerability as it doesn’t meet their bar for servicing in a security update. Earlier this week, we released DVToolkit CSW file SMBLoris.csw to customers using TippingPoint solutions. This custom filter detects an attempt to exploit a denial-of-service vulnerability in Windows SMB and Unix/Linux Samba servers. The vulnerability is triggered by sending a specially crafted NBSS packet resulting in a denial-of-service. SMBLoris is categorized as a memory exhaustion vulnerability.

Customers should note that this filter should only be enabled for suspected denial-of-service attacks in conjunction with IPS thresholding and a tuned number of occurrences in order to eliminate false positives on legitimate requests. The proper setting for number of hits on this filter should be customized for the customer’s environment. For more details, visit https://smbloris.com.

Customers who have questions or need technical assistance on any Trend Micro TippingPoint product can contact the Trend Micro TippingPoint Technical Assistance Center (TAC).

Zero-Day Filters

There is one new zero-day filter covering one vendor in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Apple (1)

28985: HTTP: Array concat Method Usage with Suspiciously Big Arrays (ZDI-17-350)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.