The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Trend Micro IWSS

vulnerability note 19684

Trend Micro InterScan Web Security Virtual Appliance: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Trend Micro InterScan Web Security Virtual Appliance.
Impacted products: InterScan Web Security Suite.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 23/05/2016.
Identifiers: VIGILANCE-VUL-19684, ZDI-16-348, ZDI-16-349, ZDI-16-350, ZDI-16-351.

Description of the vulnerability

Several vulnerabilities were announced in Trend Micro InterScan Web Security Virtual Appliance.

An attacker can use a vulnerability via ManagePatches, in order to run code. [severity:3/4; ZDI-16-348]

An attacker can use a vulnerability via /rest/testConfiguration, in order to run code. [severity:3/4; ZDI-16-349]

An attacker can use a vulnerability via /rest/wmi_domain_controllers, in order to run code. [severity:3/4; ZDI-16-350]

An attacker can use a vulnerability via /rest/domains, in order to run code. [severity:3/4; ZDI-16-351]
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2014-8510

Trend Micro InterScan Web Security: file reading via AdminUI

Synthesis of the vulnerability

An attacker can read files via the administration Web application of Trend Micro InterScan Web Security, in order to obtain sensitive information.
Impacted products: InterScan Web Security Suite.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 07/11/2014.
Identifiers: CVE-2014-8510, VIGILANCE-VUL-15610, ZDI-14-373.

Description of the vulnerability

The Trend Micro InterScan Web Security product provides an administration Web application.

However, an authenticated user can insert file paths into some fields of the man-machine interface, in order to obtain the content of any file readable by the Web server.

An attacker can therefore read files via the administration Web application of Trend Micro InterScan Web Security, in order to obtain sensitive information.

vulnerability note CVE-2014-0224

OpenSSL: man in the middle via ChangeCipherSpec

Synthesis of the vulnerability

An attacker can act as a man in the middle between a client and a server using OpenSSL, in order to read or alter exchanged data.
Impacted products: ArubaOS, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, GAiA, CheckPoint IP Appliance, IPSO, Provider-1, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco ATA, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco Content SMA, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Management, IronPort Web, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Collaboration Manager, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity, WebNS, Cisco WSA, Clearswift Web Gateway, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, ECC, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FreeBSD, HP Operations, ProCurve Switch, HP Switch, HP-UX, AIX, Tivoli Storage Manager, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper UAC, McAfee Web Gateway, MySQL Enterprise, NetBSD, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Polycom CMA, HDX, RealPresence Collaboration Server, Polycom VBP, RHEL, JBoss EAP by Red Hat, ACE Agent, ACE Server, RSA Authentication Agent, RSA Authentication Manager, SecurID, ROS, ROX, RuggedSwitch, SIMATIC, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Nessus, InterScan Messaging Security Suite, InterScan Web Security Suite, TrendMicro ServerProtect, Ubuntu, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, Websense Email Security, Websense Web Filter, Websense Web Security.
Severity: 3/4.
Consequences: data reading, data creation/edition, data flow.
Provenance: document.
Creation date: 05/06/2014.
Revision date: 05/06/2014.
Identifiers: 1676496, 1690827, aid-06062014, c04336637, c04347622, c04363613, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-260, CERTFR-2014-AVI-274, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, CERTFR-2014-AVI-513, cisco-sa-20140605-openssl, cpuoct2016, CTX140876, CVE-2014-0224, DOC-53313, DSA-2950-1, DSA-2950-2, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2014-7101, FEDORA-2014-7102, FG-IR-14-018, FreeBSD-SA-14:14.openssl, HPSBHF03052, HPSBUX03046, JSA10629, MDVSA-2014:105, MDVSA-2014:106, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0764-1, openSUSE-SU-2014:0765-1, openSUSE-SU-2015:0229-1, openSUSE-SU-2016:0640-1, RHSA-2014:0624-01, RHSA-2014:0625-01, RHSA-2014:0626-01, RHSA-2014:0627-01, RHSA-2014:0628-01, RHSA-2014:0629-01, RHSA-2014:0630-01, RHSA-2014:0631-01, RHSA-2014:0632-01, RHSA-2014:0633-01, RHSA-2014:0679-01, RHSA-2014:0680-01, SA40006, SA80, SB10075, sk101186, SOL15325, SPL-85063, SSA:2014-156-03, SSA-234763, SSRT101590, SUSE-SU-2014:0759-1, SUSE-SU-2014:0759-2, SUSE-SU-2014:0761-1, SUSE-SU-2014:0762-1, USN-2232-1, USN-2232-2, USN-2232-3, USN-2232-4, VIGILANCE-VUL-14844, VMSA-2014-0006, VMSA-2014-0006.1, VMSA-2014-0006.10, VMSA-2014-0006.11, VMSA-2014-0006.2, VMSA-2014-0006.3, VMSA-2014-0006.4, VMSA-2014-0006.5, VMSA-2014-0006.6, VMSA-2014-0006.7, VMSA-2014-0006.8, VMSA-2014-0006.9, VU#978508.

Description of the vulnerability

The OpenSSL product implements SSL/TLS, which uses a handshake.

However, by inserting a ChangeCipherSpec message into the handshake, an attacker can force the use of weak keys.

An attacker can therefore act as a man in the middle between a client and a server using OpenSSL, in order to read or alter exchanged data.
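As an added illustration (not part of the Vigil@nce bulletin, and not OpenSSL's code), the toy handshake tracker below models the server-side check that the fix introduced: a ChangeCipherSpec is only accepted once the key exchange has supplied a premaster secret, because otherwise the record keys are derived from empty material that any observer can compute. The class, function names and the hash standing in for the TLS PRF are constructed for this example.

```python
import hashlib


class UnexpectedMessage(Exception):
    """Stands in for the fatal TLS 'unexpected_message' alert."""


class ServerHandshake:
    """Toy server-side handshake tracker (constructed model, not real TLS)."""

    def __init__(self, strict=True):
        self.strict = strict      # True models the patched check, False the vulnerable path
        self.premaster = None     # set only when ClientKeyExchange is processed
        self.ccs_ok = False       # the gate the fix adds: CCS allowed only after key exchange
        self.keys = None

    def derive_keys(self):
        # Stand-in for the TLS PRF. A missing premaster becomes the empty string,
        # which is exactly how attacker-predictable keys arose in the vulnerable code.
        return hashlib.sha256(b"master-secret|" + (self.premaster or b"")).hexdigest()

    def receive(self, msg, payload=b""):
        if msg == "ClientKeyExchange":
            self.premaster = payload
            self.ccs_ok = True
            return "ok"
        if msg == "ChangeCipherSpec":
            if self.strict and not self.ccs_ok:
                raise UnexpectedMessage("ChangeCipherSpec before ClientKeyExchange")
            self.keys = self.derive_keys()
            return "keys-installed"
        raise UnexpectedMessage(f"unhandled message {msg}")


# Key material anyone on the path can compute: the PRF run over nothing.
PREDICTABLE = hashlib.sha256(b"master-secret|").hexdigest()


def early_ccs_outcome(strict):
    """'rejected' if an early CCS is refused, otherwise the key material installed."""
    hs = ServerHandshake(strict=strict)
    try:
        hs.receive("ChangeCipherSpec")
    except UnexpectedMessage:
        return "rejected"
    return hs.keys


def normal_flow_keys():
    """Legitimate order: key exchange first, then CCS; keys depend on the premaster."""
    hs = ServerHandshake(strict=True)
    hs.receive("ClientKeyExchange", b"constructed-premaster")
    hs.receive("ChangeCipherSpec")
    return hs.keys
```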

vulnerability bulletin 11103

Trend Micro InterScan Web Security Suite: privilege elevation

Synthesis of the vulnerability

A local attacker can use the patchCmd program of Trend Micro InterScan Web Security Suite, in order to gain root privileges.
Impacted products: InterScan Web Security Suite.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 27/10/2011.
Identifiers: BID-50380, VIGILANCE-VUL-11103.

Description of the vulnerability

The Trend Micro InterScan Web Security Suite product installs the /opt/trend/iwss/data/patch/bin/patchCmd tool, which is used to patch and unpatch (roll back) a program. The patchCmd tool is installed setuid root.

This tool calls the "./PatchExe.sh" and "./RollbackExe.sh" shell scripts. However, these scripts are run from the current directory. If an attacker places malicious programs with these names in the current directory, they are executed with root privileges.

A local attacker can therefore use the patchCmd program of Trend Micro InterScan Web Security Suite, in order to gain root privileges.

computer vulnerability alert 9726

Trend Micro InterScan Web Security: five vulnerabilities

Synthesis of the vulnerability

Five vulnerabilities of Trend Micro InterScan Web Security Virtual Appliance can be used by an attacker to read/alter information or to execute code.
Impacted products: InterScan Web Security Suite.
Severity: 3/4.
Consequences: administrator access/rights, user access/rights, data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 23/06/2010.
Revision date: 02/07/2010.
Identifiers: BID-41039, BID-41072, BID-41296, CYBSEC Advisory#2010-0604, CYBSEC Advisory#2010-0605, CYBSEC Advisory#2010-0606, CYBSEC Advisory#2010-0701, VIGILANCE-VUL-9726.

Description of the vulnerability

Five vulnerabilities were announced in Trend Micro InterScan Web Security Virtual Appliance.

An attacker can use a Cross Site Request Forgery in order to alter rules or to add an administrator. [severity:3/4; BID-41039]

A local attacker can use uihelper in order to execute commands as root. [severity:2/4; BID-41072, CYBSEC Advisory#2010-0604]

An attacker can use com.trend.iwss.gui.servlet.XMLRPCcert to upload a file onto the server. [severity:3/4; BID-41072, CYBSEC Advisory#2010-0605]

An attacker can use com.trend.iwss.gui.servlet.exportreport to read a file. [severity:3/4; BID-41072, CYBSEC Advisory#2010-0606]

An attacker can use "desc", "metrics__notify_body" or "metrics__notify_subject" parameters, in order to generate a Cross Site Scripting. [severity:2/4; CYBSEC Advisory#2010-0701]

vulnerability bulletin 8683

Trend Micro: bypassing via RAR, CAB and ZIP

Synthesis of the vulnerability

An attacker can create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.
Impacted products: TrendMicro Internet Security, InterScan Messaging Security Suite, InterScan Web Security Suite, ScanMail, TrendMicro ServerProtect.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 30/04/2009.
Identifiers: BID-34763, TZO-17-2009, VIGILANCE-VUL-8683.

Description of the vulnerability

Trend Micro products detect viruses contained in RAR, CAB and ZIP archives.

However, an attacker can create a slightly malformed archive, which can still be opened by Unrar/Unzip tools, but which cannot be opened by the antivirus.

Depending on the Trend Micro product, these archives are handled in three ways:

OfficeScan and ServerProtect are vulnerable when Unrar/Unzip extracts the file on the desktop computer. These products are thus vulnerable when installed on a scan server. [severity:2/4]

InterScan Web Security Suite and InterScan Messaging Security quarantine the file by default. These products are vulnerable if the administrator changed the default configuration. [severity:2/4]

ScanMail does not indicate that the unscanned archive potentially contains a virus. This product is vulnerable in its default configuration. [severity:2/4]

An attacker can therefore create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.

computer vulnerability announcement CVE-2009-0612

InterScan Web Security Suite: obtaining password

Synthesis of the vulnerability

When an authentication is configured for Trend Micro InterScan Web Security Suite, an attacker can obtain the login and the password of the user.
Impacted products: InterScan Web Security Suite.
Severity: 2/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 10/02/2009.
Identifiers: BID-33687, CVE-2009-0612, VIGILANCE-VUL-8457.

Description of the vulnerability

The Trend Micro IWSS (InterScan Web Security Suite) product filters web access of users.

Basic authentication can be configured to access this service. In this case, the user's web browser sends an HTTP request containing the login and password encoded in base64:
  Proxy-Authorization: Basic encoded-login-password
IWSS then removes this header and forwards the HTTP request to the remote server. The server thus receives a request that does not contain the proxy login and password.

However, Windows Media Player uses the following header:
  Proxy-Authorization: basic encoded-login-password
Note that the word "basic" does not start with an uppercase letter. In this case, IWSS does not remove the header before forwarding the HTTP request to the remote server.

An attacker can therefore create a web page containing a multimedia document, and invite the victim to display it. The attacker's web server then receives the login and password of the victim's IWSS proxy.
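The defect described above, as an added example that is not part of the bulletin or of the IWSS product: a proxy's header-stripping step written the case-sensitive way leaks the lowercase "basic" variant to the origin server, while the corrected version drops the hop-by-hop credential regardless of how the header name or scheme token is spelled (HTTP treats both as case-insensitive). The request and the "user:pass" credential are constructed sample data.

```python
import base64

# Constructed sample request in the shape the bulletin describes: Windows Media
# Player sends the auth-scheme token in lowercase. Credentials are a made-up "user:pass".
CONSTRUCTED_REQUEST = [
    ("Host", "media.example"),
    ("User-Agent", "Windows-Media-Player/11"),
    ("Proxy-Authorization", "basic dXNlcjpwYXNz"),
    ("Accept", "*/*"),
]


def strip_proxy_auth_buggy(headers):
    """Models the described defect: only the exact spelling 'Basic' is recognised,
    so a 'basic ...' header is forwarded to the origin server unchanged."""
    return [(n, v) for n, v in headers
            if not (n == "Proxy-Authorization" and v.startswith("Basic "))]


def strip_proxy_auth_fixed(headers):
    """Remove the proxy credential whatever its header-name or scheme casing.
    The value is irrelevant: this header must never leave the proxy."""
    return [(n, v) for n, v in headers if n.lower() != "proxy-authorization"]


def leaked_credentials(headers):
    """What an origin server, or a defender's egress inspection, would see:
    decoded 'login:password' pairs from any surviving Proxy-Authorization header."""
    leaks = []
    for n, v in headers:
        if n.lower() != "proxy-authorization":
            continue
        scheme, _, token = v.partition(" ")
        if scheme.lower() == "basic":      # auth-scheme tokens are case-insensitive
            leaks.append(base64.b64decode(token).decode("latin-1"))
    return leaks
```

Running `leaked_credentials` over a capture of what actually leaves the proxy is the quickest way to confirm a deployment does not have this class of leak.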

vulnerability note CVE-2009-0613

InterScan Web Security Suite: privilege elevation

Synthesis of the vulnerability

A local attacker can change the configuration of Trend Micro InterScan Web Security Suite.
Impacted products: InterScan Web Security Suite.
Severity: 1/4.
Consequences: administrator access/rights.
Provenance: user account.
Creation date: 09/02/2009.
Identifiers: BID-33679, CVE-2009-0613, VIGILANCE-VUL-8454.

Description of the vulnerability

Three access levels are defined for Trend Micro IWSS (InterScan Web Security Suite):
 - Full access: full privileges
 - Auditor: the user can see the configuration and the logs, and can generate reports
 - Reports only: the user can generate reports

A vulnerability can be used by an attacker with an "Auditor" or "Reports only" access level to obtain full privileges.

A local attacker can therefore change the configuration of Trend Micro InterScan Web Security Suite.

computer vulnerability CVE-2007-4277

Trend Micro AntiVirus scan engine: buffer overflow in Tmxpflt.sys

Synthesis of the vulnerability

A local attacker can run code on the system by exploiting a buffer overflow of Trend Micro AntiVirus scan engine.
Impacted products: TrendMicro Internet Security, InterScan Messaging Security Suite, InterScan Web Security Suite, ScanMail, TrendMicro ServerProtect.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 26/10/2007.
Identifiers: 1036190, CERTA-2007-AVI-456, CVE-2007-4277, VIGILANCE-VUL-7285.

Description of the vulnerability

Trend Micro products use a virus detection system named Trend Micro AntiVirus scan engine. This engine uses a filter defined by the Tmfilter.sys module under Windows.

The permissions on this module grant write access to all users, and the data passed as a parameter to IOCTL 0xa0284403 is not checked. A local attacker can thus exploit this module in order to trigger a buffer overflow in Trend Micro AntiVirus scan engine.

A local attacker can thus run code with SYSTEM privileges on the machine.