#VU9345 Server-side request forgery in OfficeScan
Vulnerability identifier: #VU9345
Vulnerability risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-918
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
OfficeScan
Client/Desktop applications /
Antivirus software/Personal firewalls
Vendor: Trend Micro
Description
The vulnerability allows a remote attacker to perform SSRF attack.
The vulnerability exists due to improper input validation of data passed via the "url" HTTP GET parameter to "/officescan/console/html/Widget/help_proxy.php" script. A remote attacker can create a specially crafted link, trick the victim into opening it and perform SSRF attack.
Successful exploitation of the vulnerability may allow an attacker to perform arbitrary HTTP requests to external and internal servers.
Exploitation example:
https://[host]:4343/officescan/console/html/Widget/help_proxy.php?url=http://<REQUESTED-IP>:8080
Mitigation
Install update form vendor's website:
OfficeScan XG update
Vulnerable software versions
OfficeScan: 11.0 - XG
External links
http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-SERVER-SIDE-REQUEST-FORGERY.txt
http://seclists.org/bugtraq/2017/Oct/9
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
