Computer vulnerabilities of TrendMicro ScanMail

vulnerability alert CVE-2015-3326

Trend Micro ScanMail for Microsoft Exchange: privilege escalation

Synthesis of the vulnerability

An attacker can perform a brute-force of Trend Micro ScanMail for Microsoft Exchange, in order to escalate his privileges.
Impacted products: ScanMail.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 18/05/2015.
Identifiers: CVE-2015-3326, VIGILANCE-VUL-16931.

Description of the vulnerability

The Trend Micro ScanMail for Microsoft Exchange product offers a web service.

However, the web session identifier is predictable.

An attacker can therefore brute-force the web session identifier of Trend Micro ScanMail for Microsoft Exchange, in order to escalate his privileges.

computer vulnerability alert CVE-2012-1425 CVE-2012-1443 CVE-2012-1448

TrendMicro antivirus: bypassing via CAB, RAR, TAR, ZIP

Synthesis of the vulnerability

An attacker can create an archive containing a virus, which is not detected by TrendMicro antivirus.
Impacted products: OfficeScan, ScanMail.
Severity: 1/4.
Consequences: data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 21/03/2012.
Identifiers: BID-52580, BID-52603, BID-52608, BID-52610, BID-52612, BID-52621, BID-52623, BID-52626, CVE-2012-1425, CVE-2012-1443, CVE-2012-1448, CVE-2012-1453, CVE-2012-1456, CVE-2012-1457, CVE-2012-1459, CVE-2012-1461, VIGILANCE-VUL-11476.

Description of the vulnerability

Archive extraction tools still extract archives that are slightly malformed. However, TrendMicro antivirus does not detect viruses contained in such archives.

A TAR archive containing "\50\4B\03\04" as its first 4 bytes bypasses the detection. [severity:1/4; BID-52580, CVE-2012-1425]

A RAR archive containing "MZ" as its first 2 bytes bypasses the detection. [severity:1/4; BID-52612, CVE-2012-1443]

A CAB archive containing a large "cbCabinet" field bypasses the detection. [severity:1/4; BID-52603, CVE-2012-1448]

A CAB archive containing a large "coffFiles" field bypasses the detection. [severity:1/4; BID-52621, CVE-2012-1453]

A ZIP archive starting with TAR data bypasses the detection. [severity:1/4; BID-52608, CVE-2012-1456]

A TAR archive with a large size bypasses the detection. [severity:1/4; BID-52610, CVE-2012-1457]

A TAR archive with a header containing a large value bypasses the detection. [severity:1/4; BID-52623, CVE-2012-1459]

A TAR+GZ archive containing two streams bypasses the detection. [severity:1/4; BID-52626, CVE-2012-1461]

An attacker can therefore create an archive containing a virus which is not detected by the antivirus, but which is still extracted by extraction tools. The virus is then only detected once it has been extracted on the victim's computer.

vulnerability bulletin 8683

Trend Micro: bypassing via RAR, CAB and ZIP

Synthesis of the vulnerability

An attacker can create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.
Impacted products: TrendMicro Internet Security, InterScan Messaging Security Suite, InterScan Web Security Suite, ScanMail, TrendMicro ServerProtect.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 30/04/2009.
Identifiers: BID-34763, TZO-17-2009, VIGILANCE-VUL-8683.

Description of the vulnerability

Trend Micro products detect viruses contained in RAR, CAB and ZIP archives.

However, an attacker can create a slightly malformed archive, which can still be opened by Unrar/Unzip tools, but which cannot be opened by the antivirus.

Depending on the Trend Micro product, these archives are handled in three ways:

OfficeScan and ServerProtect are vulnerable when Unrar/Unzip extracts the file on the desktop computer. These products are thus vulnerable when installed on a scan server. [severity:2/4]

InterScan Web Security Suite and InterScan Messaging Security quarantine the file by default. These products are vulnerable if the administrator changed the default configuration. [severity:2/4]

ScanMail does not indicate that the unscanned archive potentially contains a virus. This product is vulnerable in its default configuration. [severity:2/4]

An attacker can therefore create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.

computer vulnerability CVE-2007-4277

Trend Micro AntiVirus scan engine: buffer overflow in Tmxpflt.sys

Synthesis of the vulnerability

A local attacker can run code on the system by exploiting a buffer overflow of Trend Micro AntiVirus scan engine.
Impacted products: TrendMicro Internet Security, InterScan Messaging Security Suite, InterScan Web Security Suite, ScanMail, TrendMicro ServerProtect.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 26/10/2007.
Identifiers: 1036190, CERTA-2007-AVI-456, CVE-2007-4277, VIGILANCE-VUL-7285.

Description of the vulnerability

Trend Micro products use a virus detection system named Trend Micro AntiVirus scan engine. On Windows, this engine uses a filter defined by the Tmfilter.sys module.

The permissions on this module grant write access to all users, and no validation is performed on the data passed as a parameter to IOCTL 0xa0284403. A local attacker can thus use this module to trigger a buffer overflow in the Trend Micro AntiVirus scan engine.

A local attacker can thus run code with SYSTEM rights on the machine.

computer vulnerability CVE-2007-1591

Trend Micro: denial of service of UPX

Synthesis of the vulnerability

An attacker can create a malicious UPX program in order to stop Trend Micro antiviruses.
Impacted products: TrendMicro Internet Security, InterScan VirusWall, ScanMail.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: document.
Creation date: 15/03/2007.
Identifiers: 1034587, BID-22965, CVE-2007-1591, VIGILANCE-VUL-6645.

Description of the vulnerability

Programs can be packed in order to shrink their size and make their analysis more complex. Trend Micro antiviruses support the UPX packer (Ultimate Packer for eXecutables).

A program compressed with UPX can cause a division by zero in the VsapiNT.sys driver.

An attacker can therefore send a compressed program in order to generate a denial of service.

vulnerability note CVE-2007-0851

Trend Micro: buffer overflow of UPX

Synthesis of the vulnerability

An attacker can create a malicious UPX program in order to run code on Trend Micro antiviruses.
Impacted products: TrendMicro Internet Security, InterScan VirusWall, ScanMail.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 08/02/2007.
Identifiers: 1034289, BID-22449, CVE-2007-0851, VIGILANCE-VUL-6534, VU#276432.

Description of the vulnerability

Programs can be packed in order to shrink their size and make their analysis more complex. Trend Micro antiviruses support the UPX packer (Ultimate Packer for eXecutables).

A program compressed with UPX can lead to a buffer overflow. Technical details are unknown.

An attacker can therefore send a compressed program in order to run code or to generate a denial of service.

vulnerability note CVE-2005-0533

Trend Micro: buffer overflow in ARJ

Synthesis of the vulnerability

An attacker can create a malicious ARJ archive causing code execution on Trend Micro antiviruses.
Impacted products: TrendMicro Internet Security, InterScan VirusWall, ScanMail.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet server.
Creation date: 24/02/2005.
Revision date: 25/02/2005.
Identifiers: 189, BID-12643, CVE-2005-0533, V6-TRENDMICROVSAPIARJBOF, VIGILANCE-VUL-4784.

Description of the vulnerability

The VSAPI library is used by Trend Micro products. Among other things, it handles the decoding of ARJ archives.

ARJ archives can contain files whose name is 2600 characters long.

However, VSAPI stores file names in an array of 512 characters, without checking the size. An attacker can therefore create an ARJ archive containing files whose name causes an overflow.

This vulnerability thus allows a remote attacker to run code on the antivirus.

computer vulnerability alert CVE-2004-1003

Information disclosure via the web server

Synthesis of the vulnerability

An attacker allowed to connect to the administration server can obtain sensitive information.
Impacted products: ScanMail.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 04/11/2004.
Identifiers: BID-11612, CVE-2004-1003, V6-SCANMAILWEBINFO, VIGILANCE-VUL-4496.

Description of the vulnerability

The ScanMail antivirus for Lotus Notes provides a web administration console. Several web pages are available:
  /smency.nsf : encyclopedia
  /smconf.nsf : configuration
  /smhelp.nsf : help
  /smftypes.nsf : file types
  /smmsg.nsf : messages
  /smquar.nsf : quarantine
  /smtime.nsf : scheduling
  /smsmvlog.nsf : logs
  /smadmr5.nsf : administration

If this web server is reachable, an attacker can use these pages to obtain information about the system.

vulnerability alert 3971

Incorrect analysis of UPX files

Synthesis of the vulnerability

A remote attacker can create a malicious UPX file, which will not be analyzed by most antiviruses.
Impacted products: F-PROT AV, F-Secure AV, AVG AntiVirus, Kaspersky AV, VirusScan, Norton Antivirus, Sophos AV, InterScan VirusWall, ScanMail.
Severity: 2/4.
Consequences: data flow.
Provenance: internet server.
Creation date: 23/01/2004.
Identifiers: V6-AVMULUPX, VIGILANCE-VUL-3971.

Description of the vulnerability

The UPX format (Ultimate Packer for eXecutables) compresses a program and decompresses it before execution.

It has been announced that most antiviruses cannot recognize a specially crafted UPX file. A remote attacker can therefore create a virus and compress it with UPX so that it is not detected by antiviruses. The user, trusting the result, may then decide to run it.

The exact list of affected antiviruses is not known.