Multiple vulnerabilities in Trend Micro ServerProtect for Linux
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2017-9037 CVE-2017-9033 CVE-2017-9036 CVE-2017-9035 CVE-2017-9034 CVE-2017-9032 |
| CWE-ID | CWE-79 CWE-352 CWE-264 CWE-20 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #6 is available. |
| Vulnerable software Subscribe |
ServerProtect for Linux Server applications / Server solutions for antivurus protection |
| Vendor | Trend Micro |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU6719
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-9037
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data passed via certain parameters of the notification.cgi script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Mitigation
Update to version 3.0 CP 1531.
Vulnerable software versionsServerProtect for Linux: 3.0
External linkshttp://success.trendmicro.com/solution/1117411
http://www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Cross-site request forgery
EUVDB-ID: #VU6720
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9033
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform CSRF attack.
The weakness exists due to insufficient checking of the sent requests. A remote attacker can trick the victim into loading of specially crafted HTML, get access to the affected system and modify information on the target system.
Update to version 3.0 CP 1531.
Vulnerable software versionsServerProtect for Linux: 3.0
External linkshttp://success.trendmicro.com/solution/1117414
http://www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Privilege escalation
EUVDB-ID: #VU6721
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-9036
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The disclosed vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper security restrictions set on the quarantine directory by the affected software. A local attacker can write an arbitrary file to any location on the file system and gain root privileges.
Successful exploitation of this vulnerability results in privilege escalation.
Mitigation
Update to version 3.0 CP 1531.
Vulnerable software versions
ServerProtect for Linux: 3.0
External linkshttp://success.trendmicro.com/solution/1117411
http://www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Remote code execution
EUVDB-ID: #VU6722
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9035
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure update method via HTTP without certificate validation. A remote authenticated attacker can modify data in transit to cause the target system to execute arbitrary code.
Successful exploitation of this vulnerability may result in system compromise.
Update to version 3.0 CP 1531.
Vulnerable software versions
ServerProtect for Linux: 3.0
External linkshttp://success.trendmicro.com/solution/1117411
http://www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Remote code execution
EUVDB-ID: #VU6723
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9034
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure update method without file certificate validation. A remote authenticated attacker can modify data in transit to cause the target system to install and execute arbitrary code.
Successful exploitation of this vulnerability may result in system compromise.
MitigationUpdate to version 3.0 CP 1531.
Vulnerable software versions
ServerProtect for Linux: 3.0
External linkshttp://success.trendmicro.com/solution/1117411
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Cross-site scripting
EUVDB-ID: #VU6724
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-9032
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data passed via certain parameters of the log_management.cgi. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Mitigation
Update to version 3.0 CP 1531.
Vulnerable software versionsServerProtect for Linux: 3.0
External linkshttp://success.trendmicro.com/solution/1117411
http://www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
