SB2015051404 - Input validation error in ScanMail

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2015-3326)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Trend Micro ScanMail for Microsoft Exchange (SMEX) 10.2 before Hot Fix Build 3318 and 11.0 before Hot Fix Build 4180 creates session IDs for the web console using a random number generator with predictable values, which makes it easier for remote attackers to bypass authentication via a brute force attack. <a href="https://cwe.mitre.org/data/definitions/330.html">CWE-330: Use of Insufficiently Random Values</a>

Remediation

Install update from vendor's website.

References

• http://blog.malerisch.net/2016/05/trendmicro-smex-session-predictable-cve-2015-3326.html
• http://esupport.trendmicro.com/solution/en-US/1109669.aspx
• http://www.securityfocus.com/bid/74661
• http://www.securitytracker.com/id/1032323