TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 2, 2016

Datetime: 2016-08-23 00:16:13          Topic: SQL Injection

I was on vacation earlier this week, enjoying the beautiful, sandy beaches of Cancun, Mexico. Needless to say, it can be a little difficult to think about network security when your waiter keeps bringing you delicious margaritas. But when you’ve been in this industry long enough, you can’t help but think about it. It’s so easy to loosen your guard when you’re on vacation. One margarita turns into another…and another, and before you know it, your checking account is empty.

Don’t worry, my checking account is safe (for now), but many tourists in Cancun may find themselves without a dime. I always wondered about the stand-alone ATMs near the dance clubs, so I decided to investigate. It turns out I didn’t have to do any investigation at all. Brian Krebs went to Mexico last year and found plenty of shenanigans around Bluetooth skimmers in ATMs. He found several hacked ATMs with two Bluetooth components: one connected to the card reader inside each machine, and another attached to the PIN pad. Thieves can retrieve the purloined card and PIN data just by strolling up to the hacked ATM with a smartphone, entering a secret passcode, and downloading all of the collected information. It’s like I’ve always said: hackers never take vacations, and your security shouldn’t either. So the next time you’re on vacation, be a little paranoid. Be a little leery of that “free” Wi-Fi or that stand-alone ATM. And don’t forget to tip your waiters and waitresses!

TippingPoint Operating System (TOS) 3.8.3 Released

Last week, we released version 3.8.3 build 4493 of the TippingPoint Operating System (TOS) for the N/NX Platform family of next-generation IPS devices.

TOS v3.8.3 is a maintenance release that includes the following changes:

  • When inserting a Small Form-factor Pluggable (SFP) transceiver, the vendor name and part number information is included in the system log messages.
  • The number of reputation entries installed on the device is now displayed in the Tech Support Report (TSR).
  • New CLI command “show np packet-size” was added. This command displays the RX and TX packet count by size across all network ports.
  • An email server entered on a device can now be deleted by using the “System > Email Server” page on the LSM interface or by using the “conf t default-alert-sink server none” command in the CLI.

Important Notes:

  • SMS v4.2.0 or higher is required to manage devices running TOS v3.8.3.
  • A minimum of TOS v3.6.4 is required before upgrading to TOS v3.8.3.
  • Prior to performing any upgrade, refer to the version Release Notes for migration planning.

For the complete list of enhancements and changes, customers can refer to the product release notes. For release notes, product documentation, or for questions or technical assistance, TippingPoint customers can visit the Threat Management Center (TMC) website at https://tmc.tippingpoint.com.

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap posted on the Trend Micro Simply Security blog!

Zero-Day Filters

There are 21 new zero-day filters covering nine vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative web site.

Adobe (4)

  • 24472: ZDI-CAN-3656: Zero Day Initiative Vulnerability (Adobe Reader DC)
  • 24477: ZDI-CAN-3663: Zero Day Initiative Vulnerability (Adobe Acrobat Reader DC)
  • 24478: ZDI-CAN-3664: Zero Day Initiative Vulnerability (Adobe Digital Editions)
  • 24499: ZDI-CAN-3699: Zero Day Initiative Vulnerability (Adobe Acrobat Reader DC)

Advantech (3)

  • 24489: ZDI-CAN-3679: Zero Day Initiative Vulnerability (Advantech WebAccess)
  • 24490: ZDI-CAN-3679: Zero Day Initiative Vulnerability (Advantech WebAccess)
  • 24500: ZDI-CAN-3703: Zero Day Initiative Vulnerability (Advantech WebOP Designer)

Apple (1)

  • 24484: ZDI-CAN-3576: Zero Day Initiative Vulnerability (Apple Safari)

Eaton (1)

  • 24488: ZDI-CAN-3675: Zero Day Initiative Vulnerability (Eaton ELCSoft)

Eclipse (1)

  • 24494: ZDI-CAN-3696, ZDI-CAN-3707: Zero Day Initiative Vulnerability (Eclipse Jetty)

Foxit (2)

  • 24474: ZDI-CAN-3657: Zero Day Initiative Vulnerability (Foxit Reader)
  • 24493: ZDI-CAN-3686: Zero Day Initiative Vulnerability (Foxit Reader)

Microsoft (7)

  • 24473: ZDI-CAN-3650, ZDI-CAN-3651: Zero Day Initiative Vulnerability (Microsoft Edge)
  • 24475: ZDI-CAN-3658, ZDI-CAN-3660, ZDI-CAN-3661: Zero Day Initiative Vulnerability (Microsoft Edge)
  • 24483: ZDI-CAN-3665: Zero Day Initiative Vulnerability (Microsoft Edge)
  • 24485: ZDI-CAN-3667: Zero Day Initiative Vulnerability (Microsoft Internet Explorer)
  • 24486: ZDI-CAN-3666: Zero Day Initiative Vulnerability (Microsoft Internet Explorer)
  • 24491: ZDI-CAN-3682: Zero Day Initiative Vulnerability (Microsoft 3D Builder)
  • 24504: ZDI-CAN-3668: Zero Day Initiative Vulnerability (Microsoft Internet Explorer)

Oracle (1)

  • 24479: ZDI-CAN-3591: Zero Day Initiative Vulnerability (Oracle WebLogic)

Schneider Electric (1)

  • 24487: ZDI-CAN-3670: Zero Day Initiative Vulnerability (Schneider Electric U.motion Builder)

Updated Existing Zero-Day Filters

This section highlights specific filter(s) of interest in this week’s Digital Vaccine package that have been updated because a vendor has issued a patch for a vulnerability found via the Zero Day Initiative, or because the Zero Day Initiative has published the vulnerability in accordance with its Disclosure Policy.

A few of the updated filters are for IntegraXor, a suite of tools from Ecava used to create and run a web-based human-machine interface for a SCADA system. Ecava has produced a new release that addresses the reported vulnerabilities, as well as some identified security risks, in Version 5.0, build 4522. For more information, visit http://www.integraxor.com/download/beta.msi?5.0.4522.2 and https://ics-cert.us-cert.gov/advisories/ICSA-16-105-03.

  • 21188: HTTP: Ecava IntegraXor Report batchlist SQL Injection Vulnerability (ZDI-16-239)
  • 21190: HTTP: Ecava IntegraXor Report summary SQL Injection Vulnerability (ZDI-16-238)
  • 21191: HTTP: Ecava IntegraXor Report batch SQL Injection Vulnerability (ZDI-16-240)
  • 21192: HTTP: Ecava IntegraXor Report summary_opt SQL Injection Vulnerability (ZDI-16-236)
  • 21193: HTTP: Ecava IntegraXor Report save SQL Injection Vulnerability (ZDI-16-237)
