1. *Advisory Information*

Title: Trend Micro ServerProtect Multiple Vulnerabilities
Advisory ID: CORE-2017-0002
Advisory URL: http://ift.tt/2rMGpX0
Date published: 2017-05-23
Date of last update: 2017-05-23
Vendors contacted: Trend Micro
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Cleartext Transmission of Sensitive Information [CWE-319], Insufficient Verification of Data Authenticity [CWE-345], Cross-Site Request Forgery [CWE-352], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], External Control of File Name or Path [CWE-73]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-9035, CVE-2017-9034, CVE-2017-9033, CVE-2017-9037, CVE-2017-9032, CVE-2017-9036

3. *Vulnerability Description*

Trend Micro's website states that ServerProtect for Linux 3.0 [1] does "Protect against viruses, rootkits, and data-stealing malware while simplifying and automating security operations on servers and storage systems. This reliable solution from the market leader in server security offers real-time protection, high performance, and low processing overhead."

Vulnerabilities were found in the ServerProtect for Linux update mechanism, allowing remote code execution as root. We present two vectors to achieve this: one via a man-in-the-middle attack, and the other via exploiting vulnerabilities in the Web-based Management Console that is bundled with the product.

4. *Vulnerable Packages*

. Trend Micro ServerProtect for Linux 3.0-1061 with SP1 Patch 7 (1.0-1505)

Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Trend Micro published the following Security Notes:

. KB1117411 - http://ift.tt/2rdImid

6. 
*Credits*

These vulnerabilities were discovered and researched by Leandro Barragan and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Trend Micro ServerProtect for Linux uses an insecure update mechanism that allows an attacker to overwrite sensitive files, including binaries, and achieve remote code execution as root. The vulnerabilities presented in sections 7.1 and 7.2 are the core issue, and would allow an attacker in a man-in-the-middle position to gain root access.

Another option exists for when a man-in-the-middle attack is not feasible. The Web-based Management Console includes functionality to specify alternative download sources. By exploiting vulnerabilities 7.3, 7.4, or 7.5, an attacker would be able to set an arbitrary download source and trigger the vulnerable update mechanism.

Also, a privilege escalation vulnerability is presented in section 7.6 that allows a local user to run commands as root. This is achieved by abusing a functionality from the Web-based Management Console to set the quarantine directory to an arbitrary location.

7.1. *Insecure Update via HTTP* [CVE-2017-9035]

Communication to the update servers is unencrypted. The following request is generated when an administrator launches an update:

/--
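The three weaknesses that section 7 chains together (a cleartext update channel, no verification of what the channel delivers, and an operator-settable download source or quarantine path) each map to one defensive check. The script below is an added example, not ServerProtect code or anything from Trend Micro or Core Security: it shows how an update client can refuse non-HTTPS or non-allowlisted sources, verify a manifest's authenticity before trusting the digests it carries, verify each payload against that manifest, and keep a configured quarantine directory inside an allowed root. The host allowlist, the manifest layout, the HMAC key (a stand-in for a vendor public-key signature) and all sample data are constructed for the demonstration.

```python
"""Defensive checks for an update mechanism of the kind described above.
Added example; all names, keys, hosts and manifest layout are hypothetical."""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

# Hypothetical allowlist; a real client would carry the vendor's hosts.
ALLOWED_UPDATE_HOSTS = {"updates.example-vendor.invalid"}


def validate_update_source(url: str, allowed_hosts=ALLOWED_UPDATE_HOSTS) -> bool:
    """Accept only HTTPS URLs on an allowlisted host (addresses CWE-319 and
    an attacker who can point the product at an arbitrary download source)."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    if parsed.username or parsed.password:
        return False  # 'https://trusted@evil' tricks: hostname would be 'evil'
    return (parsed.hostname or "").lower() in allowed_hosts


def verify_manifest(manifest_bytes: bytes, tag_hex: str, key: bytes):
    """Return the parsed manifest only if its HMAC-SHA256 tag checks out.
    HMAC with a pre-provisioned key stands in for a vendor signature
    (CWE-345: the client must verify authenticity, not just parse)."""
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag_hex):
        return None
    return json.loads(manifest_bytes)


def verify_payload(name: str, payload: bytes, manifest: dict) -> bool:
    """Compare the payload's SHA-256 with the entry in the verified manifest."""
    entry = manifest.get("files", {}).get(name)
    if entry is None:
        return False
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), entry["sha256"])


def check_update(url, manifest_bytes, tag_hex, name, payload, key):
    """Full gate an update client should pass before writing anything to disk."""
    if not validate_update_source(url):
        return (False, "untrusted update source")
    manifest = verify_manifest(manifest_bytes, tag_hex, key)
    if manifest is None:
        return (False, "manifest authenticity check failed")
    if not verify_payload(name, payload, manifest):
        return (False, "payload digest mismatch")
    return (True, "ok")


def quarantine_dir_is_contained(configured: str, root: str = "/opt/quarantine") -> bool:
    """Resolve symlinks and '..' and require the result to stay under root
    (CWE-73: a console-settable path must not escape its intended directory)."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(configured)
    try:
        return os.path.commonpath([real_root, real_path]) == real_root
    except ValueError:  # mixing absolute and relative paths
        return False


# Constructed sample data: the "vendor side" producing a manifest and its tag.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_PAYLOAD = b"constructed pattern-file contents"
SAMPLE_MANIFEST = json.dumps(
    {"version": "0.0-test",
     "files": {"pattern.bin": {"sha256": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}}},
    sort_keys=True).encode()
SAMPLE_TAG = hmac.new(SAMPLE_KEY, SAMPLE_MANIFEST, hashlib.sha256).hexdigest()
GOOD_URL = "https://updates.example-vendor.invalid/bundle"

if __name__ == "__main__":
    print(check_update(GOOD_URL, SAMPLE_MANIFEST, SAMPLE_TAG, "pattern.bin", SAMPLE_PAYLOAD, SAMPLE_KEY))
    print(check_update("http://updates.example-vendor.invalid/bundle", SAMPLE_MANIFEST, SAMPLE_TAG,
                       "pattern.bin", SAMPLE_PAYLOAD, SAMPLE_KEY))
    print(check_update(GOOD_URL, SAMPLE_MANIFEST, SAMPLE_TAG, "pattern.bin", b"tampered", SAMPLE_KEY))
    print(quarantine_dir_is_contained("/opt/quarantine/2017"),
          quarantine_dir_is_contained("/opt/quarantine/../../usr/sbin"))
```

The order of the checks matters: the source is validated before any network fetch, and the manifest tag is verified before any digest inside it is trusted, so a manifest served by an attacker-chosen host never gets to vouch for an attacker-chosen binary. `hmac.compare_digest` is used for both comparisons to avoid timing leaks.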