ID

VAR-201305-0371


TITLE

Trend Micro DirectPass Local command injection vulnerability

Trust: 0.8

sources: IVD: a6493c32-1f22-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05941

DESCRIPTION

Trend Micro DirectPass is a password management solution. The master password setup module of Trend Micro DirectPass (InstallWorkspace.exe) has a security vulnerability. For security reasons, the master password setup module allows the entered password to be reviewed. When the user hovers over the password field to be examined, the hidden, protected master password is displayed in the check module. The software is vulnerable to command/path injection when processing the hidden password, which can cause arbitrary OS commands to be executed in the context of the software. A local attacker can exploit the vulnerability to execute arbitrary commands with high privileges. Successful exploits may compromise the affected application.

Trust: 1.53

sources: CNVD: CNVD-2013-05941 // CNNVD: CNNVD-201305-594 // BID: 60023 // IVD: a6493c32-1f22-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: a6493c32-1f22-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05941

AFFECTED PRODUCTS

vendor: trend micro, model: directpass, scope: eq, version: 1.5.0.1060

Trust: 1.1

vendor: trend micro, model: directpass, scope: ne, version: 1.6

Trust: 0.3

sources: IVD: a6493c32-1f22-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05941 // BID: 60023

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2013-05941
value: HIGH

Trust: 0.6

IVD: a6493c32-1f22-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

CNVD: CNVD-2013-05941
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: a6493c32-1f22-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: a6493c32-1f22-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05941

THREAT TYPE

local

Trust: 0.9

sources: BID: 60023 // CNNVD: CNNVD-201305-594

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201305-594

PATCH

title: Trend Micro DirectPass Local Command Injection Vulnerability Patch, url: https://www.cnvd.org.cn/patchinfo/show/34254

Trust: 0.6

sources: CNVD: CNVD-2013-05941

EXTERNAL IDS

db: BID, id: 60023

Trust: 1.5

db: CNVD, id: CNVD-2013-05941

Trust: 0.8

db: CNNVD, id: CNNVD-201305-594

Trust: 0.6

db: IVD, id: A6493C32-1F22-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: a6493c32-1f22-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05941 // BID: 60023 // CNNVD: CNNVD-201305-594

REFERENCES

url:http://seclists.org/fulldisclosure/2013/may/112

Trust: 0.9

url:http://www.securityfocus.com/bid/60023

Trust: 0.6

url:http://www.trendmicro.com/us/home/products/directpass/index.html

Trust: 0.3

url:http://esupport.trendmicro.com/solution/en-us/1096805.aspx

Trust: 0.3

sources: CNVD: CNVD-2013-05941 // BID: 60023 // CNNVD: CNNVD-201305-594

CREDITS

Benjamin Kunz Mejri

Trust: 0.9

sources: BID: 60023 // CNNVD: CNNVD-201305-594

SOURCES

db: IVD, id: a6493c32-1f22-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2013-05941
db: BID, id: 60023
db: CNNVD, id: CNNVD-201305-594

LAST UPDATE DATE

2022-05-17T01:57:50.754000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-05941, date: 2013-05-27T00:00:00
db: BID, id: 60023, date: 2013-05-15T00:00:00
db: CNNVD, id: CNNVD-201305-594, date: 2013-05-28T00:00:00

SOURCES RELEASE DATE

db: IVD, id: a6493c32-1f22-11e6-abef-000c29c66e3d, date: 2013-05-23T00:00:00
db: CNVD, id: CNVD-2013-05941, date: 2013-05-23T00:00:00
db: BID, id: 60023, date: 2013-05-15T00:00:00
db: CNNVD, id: CNNVD-201305-594, date: 2013-05-28T00:00:00