Trend Micro ServerProtect for Linux Multiple Bugs Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks and Let Local Users Gain Elevated Privileges
Severity Rating: Medium
- Trend Micro ServerProtect for Linux version 3.0
Multiple vulnerabilities have been identified in Trend Micro ServerProtect and can be exploited by remote attackers to conduct cross-site request forgery attacks, obtain elevated privileges, cause execution of arbitrary code and conduct cross-site scripting attacks. The vulnerabilities exist because of the following issues:
· The system uses an insecure update method via HTTP without certificate validation. This can allow a remote user to monitor the network and modify data in transit to cause the target system to execute arbitrary code.
· The system uses an insecure update method without file certificate validation. This can allow a remote user to monitor the network and modify data in transit to cause the target system to execute arbitrary code.
· A remote user can create a specially crafted HTML page or URL that, when loaded by the target authenticated user, will take actions on the target interface acting as the target user.
· The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Trend Micro ServerProtect software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies, if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
· The following 'notification.cgi' script parameters are affected: S44, S5, S_action_fail, S_ptn_update, T113, T114, T115, T117117, T118, T_action_fail, T_ptn_update, textarea, textfield5, tmLastConfigFileModifiedDate.
· The T1 and tmLastConfigFileModifiedDate parameters of 'log_management.cgi' are affected.
· A local user can exploit a flaw in the web-based management console to set the Quarantine directory to an arbitrary location and cause files to be written to arbitrary locations with root privileges.
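An added example, not part of the advisory or of Trend Micro's code: the check below scans web access log lines for requests to the two CGI scripts named above in which an affected parameter carries HTML markup characters, including double-encoded ones. It assumes a combined-format access log and parameters sent in the query string; the /console/ path and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Affected parameters as listed in the advisory, keyed by CGI script name.
AFFECTED = {
    "notification.cgi": {
        "S44", "S5", "S_action_fail", "S_ptn_update", "T113", "T114", "T115",
        "T117117", "T118", "T_action_fail", "T_ptn_update", "textarea",
        "textfield5", "tmLastConfigFileModifiedDate",
    },
    "log_management.cgi": {"T1", "tmLastConfigFileModifiedDate"},
}
# Characters that let a value break out of HTML text or attribute context.
MARKUP = re.compile(r"[<>\"']")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_params(log_line):
    """Return sorted (script, parameter) pairs whose decoded value holds markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1]
    hits = set()
    # parse_qsl decodes once; unquote again so %253C (double-encoded '<') is caught.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in AFFECTED.get(script, set()) and MARKUP.search(unquote(value)):
            hits.add((script, name))
    return sorted(hits)


# Constructed sample log lines (addresses and the /console/ path are illustrative).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /console/notification.cgi?T113=admin%40example.org HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /console/notification.cgi?T113=%3Cscript%3Ex%3C%2Fscript%3E&S5=1 HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:10:02:00 +0000] "GET /console/log_management.cgi?T1=%2522%253E HTTP/1.1" 200 512',
    '192.0.2.13 - - [01/Jan/2024:10:03:00 +0000] "GET /console/other.cgi?T1=%3Cb%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_params(line), line.split('"')[1])
```

Parameters submitted in a POST body do not appear in an access log, so the same check would have to run where request bodies are available, such as a reverse proxy or WAF log.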
Users are advised to apply updates.
More information is available on:
Trend Micro Security Bulletin
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board