The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Trend Micro InterScan Web Security Suite

vulnerability note CVE-2017-11396

Trend Micro InterScan Web Security: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Trend Micro InterScan Web Security, in order to make the server run arbitrary machine code.
Impacted products: InterScan Web Security Suite.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: document.
Creation date: 23/05/2017.
Identifiers: 1117412, CVE-2017-11396, JVNVU#90447827, VIGILANCE-VUL-22804.

Description of the vulnerability

An attacker can use several vulnerabilities of Trend Micro InterScan Web Security, in order to make the server run arbitrary machine code.

vulnerability alert CVE-2016-6340 CVE-2017-6338 CVE-2017-6339

Trend Micro InterScan Web Security Suite: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Trend Micro InterScan Web Security Suite of type code injection, privilege escalation, information leak and stored XSS.
Impacted products: InterScan Web Security Suite.
Severity: 3/4.
Consequences: privileged access/rights, client access/rights, data reading, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 29/03/2017.
Revision dates: 30/03/2017, 31/03/2017, 03/04/2017.
Identifiers: 1116960, CVE-2016-6340, CVE-2017-6338, CVE-2017-6339, VIGILANCE-VUL-22281, ZDI-17-193, ZDI-17-194, ZDI-17-195, ZDI-17-196, ZDI-17-197, ZDI-17-198, ZDI-17-199, ZDI-17-200, ZDI-17-201, ZDI-17-202, ZDI-17-203, ZDI-17-204, ZDI-17-205, ZDI-17-206, ZDI-17-207, ZDI-17-208, ZDI-17-209, ZDI-17-210, ZDI-17-211, ZDI-17-212, ZDI-17-213, ZDI-17-214, ZDI-17-215, ZDI-17-216, ZDI-17-217, ZDI-17-218, ZDI-17-219, ZDI-17-220, ZDI-17-221, ZDI-17-222, ZDI-17-223, ZDI-17-224, ZDI-17-225, ZDI-17-226, ZDI-17-227, ZDI-17-228, ZDI-17-229, ZDI-17-230, ZDI-17-231, ZDI-17-232, ZDI-17-233.

Description of the vulnerability

An attacker can use at least 43 vulnerabilities of Trend Micro InterScan Web Security Suite of type code injection, privilege escalation, information leak and stored XSS.

vulnerability CVE-2016-9269 CVE-2016-9314 CVE-2016-9315

Trend Micro InterScan Web Security Suite: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Trend Micro InterScan Web Security Suite.
Impacted products: InterScan Web Security Suite.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 16/02/2017.
Revision date: 27/02/2017.
Identifiers: CVE-2016-9269, CVE-2016-9314, CVE-2016-9315, CVE-2016-9316, VIGILANCE-VUL-21870.

Description of the vulnerability

Several vulnerabilities were announced in Trend Micro InterScan Web Security Suite.

An authenticated attacker can upload a malicious file via ConfigBackup, in order for example to upload a Trojan. [severity:3/4; CVE-2016-9314]

An authenticated attacker can use the page updateaccountadministration, in order to get administrator's privileges. [severity:3/4; CVE-2016-9315]

An attacker can restore a modified backup of the system configuration, in order to get root privileges on the underlying Linux. [severity:3/4; CVE-2016-9314]

An attacker can trigger a stored Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2016-9316]

An attacker can bypass security features via ManagePatches, in order to escalate his privileges. [severity:2/4; CVE-2016-9269]

An attacker can use a vulnerability via saveCert.imss, in order to run code. [severity:2/4]

vulnerability note 19684

Trend Micro InterScan Web Security Virtual Appliance: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Trend Micro InterScan Web Security Virtual Appliance.
Impacted products: InterScan Web Security Suite.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 23/05/2016.
Identifiers: VIGILANCE-VUL-19684, ZDI-16-348, ZDI-16-349, ZDI-16-350, ZDI-16-351.

Description of the vulnerability

Several vulnerabilities were announced in Trend Micro InterScan Web Security Virtual Appliance.

An attacker can use a vulnerability via ManagePatches, in order to run code. [severity:3/4; ZDI-16-348]

An attacker can use a vulnerability via /rest/testConfiguration, in order to run code. [severity:3/4; ZDI-16-349]

An attacker can use a vulnerability via /rest/wmi_domain_controllers, in order to run code. [severity:3/4; ZDI-16-350]

An attacker can use a vulnerability via /rest/domains, in order to run code. [severity:3/4; ZDI-16-351]

vulnerability CVE-2014-8510

Trend Micro InterScan Web Security: file reading via AdminUI

Synthesis of the vulnerability

An attacker can read files via the administration Web application of Trend Micro InterScan Web Security, in order to obtain sensitive information.
Impacted products: InterScan Web Security Suite.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 07/11/2014.
Identifiers: CVE-2014-8510, VIGILANCE-VUL-15610, ZDI-14-373.

Description of the vulnerability

The Trend Micro InterScan Web Security product provides an administration Web application.

However, an authenticated user can insert file paths into some fields of the man machine interface, in order to get the content of any file readable by the Web server.

An attacker can therefore read files via the administration Web application of Trend Micro InterScan Web Security, in order to obtain sensitive information.

vulnerability note CVE-2014-0224

OpenSSL: man in the middle via ChangeCipherSpec

Synthesis of the vulnerability

An attacker can act as a man in the middle between a client and a server using OpenSSL, in order to read or alter exchanged data.
Impacted products: ArubaOS, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, GAiA, CheckPoint IP Appliance, IPSO, Provider-1, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco ATA, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco Content SMA, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Management, IronPort Web, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Collaboration Manager, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, WebNS, Cisco WSA, Clearswift Web Gateway, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, ECC, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FreeBSD, HP Operations, ProCurve Switch, HP Switch, HP-UX, AIX, Tivoli Storage Manager, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper UAC, McAfee Web Gateway, MySQL Enterprise, NetBSD, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Polycom CMA, HDX, RealPresence Collaboration Server, Polycom VBP, RHEL, JBoss EAP by Red Hat, ACE Agent, ACE Server, RSA Authentication Agent, RSA Authentication Manager, SecurID, ROS, ROX, RuggedSwitch, SIMATIC, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Nessus, InterScan Messaging Security Suite, InterScan Web Security Suite, TrendMicro ServerProtect, Ubuntu, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, Websense Email Security, Websense Web Filter, Websense Web Security.
Severity: 3/4.
Consequences: data reading, data creation/edition, data flow.
Provenance: document.
Creation date: 05/06/2014.
Revision date: 05/06/2014.
Identifiers: 1676496, 1690827, aid-06062014, c04336637, c04347622, c04363613, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-260, CERTFR-2014-AVI-274, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, CERTFR-2014-AVI-513, cisco-sa-20140605-openssl, cpuoct2016, CTX140876, CVE-2014-0224, DOC-53313, DSA-2950-1, DSA-2950-2, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2014-7101, FEDORA-2014-7102, FG-IR-14-018, FreeBSD-SA-14:14.openssl, HPSBHF03052, HPSBUX03046, JSA10629, MDVSA-2014:105, MDVSA-2014:106, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0764-1, openSUSE-SU-2014:0765-1, openSUSE-SU-2015:0229-1, openSUSE-SU-2016:0640-1, RHSA-2014:0624-01, RHSA-2014:0625-01, RHSA-2014:0626-01, RHSA-2014:0627-01, RHSA-2014:0628-01, RHSA-2014:0629-01, RHSA-2014:0630-01, RHSA-2014:0631-01, RHSA-2014:0632-01, RHSA-2014:0633-01, RHSA-2014:0679-01, RHSA-2014:0680-01, SA40006, SA80, SB10075, sk101186, SOL15325, SPL-85063, SSA:2014-156-03, SSA-234763, SSRT101590, SUSE-SU-2014:0759-1, SUSE-SU-2014:0759-2, SUSE-SU-2014:0761-1, SUSE-SU-2014:0762-1, USN-2232-1, USN-2232-2, USN-2232-3, USN-2232-4, VIGILANCE-VUL-14844, VMSA-2014-0006, VMSA-2014-0006.1, VMSA-2014-0006.10, VMSA-2014-0006.11, VMSA-2014-0006.2, VMSA-2014-0006.3, VMSA-2014-0006.4, VMSA-2014-0006.5, VMSA-2014-0006.6, VMSA-2014-0006.7, VMSA-2014-0006.8, VMSA-2014-0006.9, VU#978508.

Description of the vulnerability

The OpenSSL product implements SSL/TLS, which uses a handshake.

However, by using a handshake with a ChangeCipherSpec message, an attacker can force the usage of weak keys.

An attacker can therefore act as a man in the middle between a client and a server using OpenSSL, in order to read or alter exchanged data.

vulnerability bulletin 11103

Trend Micro InterScan Web Security Suite: privilege elevation

Synthesis of the vulnerability

A local attacker can use the patchCmd program of Trend Micro InterScan Web Security Suite, in order to gain root privileges.
Impacted products: InterScan Web Security Suite.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 27/10/2011.
Identifiers: BID-50380, VIGILANCE-VUL-11103.

Description of the vulnerability

The Trend Micro InterScan Web Security Suite product installs the /opt/trend/iwss/data/patch/bin/patchCmd tool, which is used to patch and unpatch (rollback) a program. The patchCmd tool is installed suid root.

This tool calls the "./PatchExe.sh" and "./RollbackExe.sh" shell scripts. However, these scripts are run from the current directory. If an attacker places malicious programs with these names in the current directory, they are executed with root privileges.

A local attacker can therefore use the patchCmd program of Trend Micro InterScan Web Security Suite, in order to gain root privileges.

computer vulnerability alert 9726

Trend Micro InterScan Web Security: five vulnerabilities

Synthesis of the vulnerability

Five vulnerabilities of Trend Micro InterScan Web Security Virtual Appliance can be used by an attacker to read/alter information or to execute code.
Impacted products: InterScan Web Security Suite.
Severity: 3/4.
Consequences: administrator access/rights, user access/rights, data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 23/06/2010.
Revision date: 02/07/2010.
Identifiers: BID-41039, BID-41072, BID-41296, CYBSEC Advisory#2010-0604, CYBSEC Advisory#2010-0605, CYBSEC Advisory#2010-0606, CYBSEC Advisory#2010-0701, VIGILANCE-VUL-9726.

Description of the vulnerability

Five vulnerabilities were announced in Trend Micro InterScan Web Security Virtual Appliance.

An attacker can use a Cross Site Request Forgery in order to alter rules or to add an administrator. [severity:3/4; BID-41039]

A local attacker can use uihelper in order to execute commands as root. [severity:2/4; BID-41072, CYBSEC Advisory#2010-0604]

An attacker can use com.trend.iwss.gui.servlet.XMLRPCcert to upload a file on the server. [severity:3/4; BID-41072, CYBSEC Advisory#2010-0605]

An attacker can use com.trend.iwss.gui.servlet.exportreport to read a file. [severity:3/4; BID-41072, CYBSEC Advisory#2010-0606]

An attacker can use "desc", "metrics__notify_body" or "metrics__notify_subject" parameters, in order to generate a Cross Site Scripting. [severity:2/4; CYBSEC Advisory#2010-0701]

vulnerability bulletin 8683

Trend Micro: bypassing via RAR, CAB and ZIP

Synthesis of the vulnerability

An attacker can create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.
Impacted products: TrendMicro Internet Security, InterScan Messaging Security Suite, InterScan Web Security Suite, ScanMail, TrendMicro ServerProtect.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 30/04/2009.
Identifiers: BID-34763, TZO-17-2009, VIGILANCE-VUL-8683.

Description of the vulnerability

Trend Micro products detect viruses contained in RAR, CAB and ZIP archives.

However, an attacker can create a slightly malformed archive, which can still be opened by Unrar/Unzip tools, but which cannot be opened by the antivirus.

Depending on Trend Micro product, these archives are handled in three ways:

OfficeScan and ServerProtect are vulnerable when Unrar/Unzip extracts the file on the desktop computer. These products are thus vulnerable when installed on a scan server. [severity:2/4]

InterScan Web Security Suite and InterScan Messaging Security quarantine the file by default. These products are vulnerable if the administrator changed the default configuration. [severity:2/4]

ScanMail does not indicate that the unscanned archive potentially contains a virus. This product is vulnerable in its default configuration. [severity:2/4]

An attacker can therefore create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.

computer vulnerability announce CVE-2009-0612

InterScan Web Security Suite: obtaining password

Synthesis of the vulnerability

When an authentication is configured for Trend Micro InterScan Web Security Suite, an attacker can obtain the login and the password of the user.
Impacted products: InterScan Web Security Suite.
Severity: 2/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 10/02/2009.
Identifiers: BID-33687, CVE-2009-0612, VIGILANCE-VUL-8457.

Description of the vulnerability

The Trend Micro IWSS (InterScan Web Security Suite) product filters web access of users.

Basic authentication can be configured to access this service. In this case, the user's web browser sends an HTTP query containing the login and the password encoded as base64:
  Proxy-Authorization: Basic encoded-login-password
IWSS then removes this header and forwards the HTTP query to the remote server. The server thus receives a query which does not contain the proxy login and password.

However, Windows Media Player uses the following header:
  Proxy-Authorization: basic encoded-login-password
Note that the word "basic" does not start with an uppercase character. In this case, IWSS does not remove this header before sending the HTTP query to the remote server.

An attacker can therefore create a web page containing a multimedia document, and invite the victim to display it. The attacker's web server will then receive the login and password of the IWSS proxy of the victim.
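
The header-filtering flaw described above, as an added example that is not Trend Micro's or Vigil@nce's code: `strip_weak` is an assumed model of a filter that matches the scheme token case-sensitively, `strip_hardened` removes the header by name whatever the scheme's capitalisation, and `leaked_credentials` is a check that can be run on outbound requests. All function names, the host name and the credentials are constructed for illustration.

```python
import base64

# Header a forward proxy must consume itself and never forward upstream.
PROXY_ONLY_HEADERS = {"proxy-authorization"}

def strip_weak(headers):
    """Assumed model of the flaw: only the literal text 'Basic ' is matched."""
    return [(n, v) for n, v in headers
            if not (n == "Proxy-Authorization" and v.startswith("Basic "))]

def strip_hardened(headers):
    """Drop the header by name, compared case-insensitively, for any scheme."""
    return [(n, v) for n, v in headers
            if n.strip().lower() not in PROXY_ONLY_HEADERS]

def leaked_credentials(headers):
    """Return proxy credentials still present in an outbound request."""
    found = []
    for name, value in headers:
        if name.strip().lower() not in PROXY_ONLY_HEADERS:
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            found.append("<%s credentials>" % scheme)
            continue
        try:
            raw = base64.b64decode(token.strip(), validate=True)
            found.append(raw.decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            found.append("<undecodable basic token>")
    return found

# Constructed sample requests (not captured traffic).
CRED = base64.b64encode(b"alice:example-password").decode()
BROWSER = [("Host", "media.example"),
           ("Proxy-Authorization", "Basic " + CRED)]
MEDIA_PLAYER = [("Host", "media.example"),
                ("Proxy-Authorization", "basic " + CRED)]

if __name__ == "__main__":
    for label, request in (("browser", BROWSER), ("media player", MEDIA_PLAYER)):
        print(label, "weak filter leaks:", leaked_credentials(strip_weak(request)))
        print(label, "hardened filter leaks:", leaked_credentials(strip_hardened(request)))
```
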