ESB-2017.1925 - [Win] Trend Micro OfficeScan: Execute arbitrary code/commands - Existing account 2017-08-03


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1925
  Multiple vulnerabilities have been identified in Trend Micro OfficeScan
                               3 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Trend Micro OfficeScan
Publisher:         Zero Day Initiative
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-11394 CVE-2017-11393 

Original Bulletin: 
   http://www.zerodayinitiative.com/advisories/ZDI-17-521/
   http://www.zerodayinitiative.com/advisories/ZDI-17-522/

Comment: This bulletin contains two (2) Zero Day Initiative security 
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Trend Micro OfficeScan Proxy Command Injection Remote Code Execution
Vulnerability

ZDI-17-521: August 2nd, 2017

CVE ID

    CVE-2017-11394

CVSS Score

    9, (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Affected Vendors

    Trend Micro

Affected Products

    OfficeScan

TippingPoint(TM) IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 28006. For further product information
on the TippingPoint IPS:

    http://www.tippingpoint.com

Vulnerability Details


This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Trend Micro OfficeScan. Authentication is
required to exploit this vulnerability.

The specific flaw exists within the Web Console, which listens on TCP
port 4343 by default. When parsing the T parameter in Proxy.php, the
process does not properly validate a user-supplied string before using it
to execute a system call. An attacker can leverage this vulnerability to
execute arbitrary code under the context of the current service.

Vendor Response
Trend Micro has issued an update to correct this vulnerability. More
details can be found at:

    https://success.trendmicro.com/solution/1117769

Disclosure Timeline

    2017-03-01 - Vulnerability reported to vendor
    2017-08-02 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:

    Steven Seeley of Source Incite

- --------------------------------------------------------------------------------
Trend Micro OfficeScan Proxy Command Injection Remote Code Execution
Vulnerability

ZDI-17-522: August 2nd, 2017

CVE ID

    CVE-2017-11393

CVSS Score

    9, (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Affected Vendors

    Trend Micro

Affected Products

    OfficeScan

TippingPoint(TM) IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 28006. For further product information
on the TippingPoint IPS:

    http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Trend Micro OfficeScan. Authentication is
required to exploit this vulnerability.

The specific flaw exists within the Web Console, which listens on TCP
port 4343 by default. When parsing the tr parameter in Proxy.php, the
process does not properly validate a user-supplied string before using it
to execute a system call. An attacker can leverage this vulnerability to
execute arbitrary code under the context of the current service.
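The two advisories describe the same weakness reached through two parameters
of Proxy.php: T in ZDI-17-521 and tr in ZDI-17-522. As an added example, not
code from the ZDI advisories or from Trend Micro's product, the following
Python script scans the console web server's access log for requests to
Proxy.php whose T or tr value carries shell metacharacters, which is the
signal a responder would look for when checking whether the flaw was probed
before the patch went on. It assumes an NCSA/Apache combined-style access log
and that the injected string travels in the query string; the parameter names
come from the advisories, while the paths and log lines are constructed for
the example.

```python
"""Flag command-injection attempts against OfficeScan's Proxy.php in
web-console access logs (ZDI-17-521: parameter T, ZDI-17-522: parameter tr).

Added example, not code from the ZDI advisories or from Trend Micro.
Assumptions: the console's web server writes an NCSA/Apache combined-style
access log, and the injected string reaches the system call through the
query string. The paths and log lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter names taken from the two advisories.
SUSPECT_PARAMS = ("T", "tr")

# Characters that let a value break out of a command line, for cmd.exe as
# well as POSIX shells: separators, pipes, redirects, command substitution,
# embedded newlines and %VAR% environment expansion.
SHELL_META = re.compile(r"[;&|`<>\r\n]|\$\(|%[A-Za-z_]+%")

# Combined-log-format line: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(target):
    """Return {param: decoded value} for T/tr values sent to Proxy.php that
    contain shell metacharacters; {} for any other request."""
    parts = urlsplit(target)
    # The console runs on Windows, where the file name is case-insensitive,
    # so match the script name loosely. Parameter names stay exact: PHP's
    # $_GET keys are case-sensitive.
    if not parts.path.lower().endswith("proxy.php"):
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in SUSPECT_PARAMS:
            continue
        for raw in values:
            # parse_qs decoded one layer; decode once more so a
            # double-encoded %2526 ("&") is not missed.
            value = unquote(raw)
            if SHELL_META.search(value):
                hits[name] = value
    return hits


def scan(lines):
    """Parse each log line and collect requests with suspicious Proxy.php params."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"], "ts": m["ts"],
                "status": m["status"], "params": hits,
            })
    return findings


# Constructed sample log: one legitimate proxy setting, one injection via T,
# one double-encoded injection via tr, one metacharacter on an unrelated
# page (ignored), and one line that is not a request at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Aug/2017:10:01:12 +1000] "GET /console/Proxy.php?T=proxy.corp.example&tr=8080 HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Aug/2017:10:02:40 +1000] "GET /console/Proxy.php?T=x%26whoami HTTP/1.1" 200 17',
    '10.0.0.9 - - [02/Aug/2017:10:02:41 +1000] "GET /console/Proxy.php?tr=1%2526ping HTTP/1.1" 200 17',
    '10.0.0.7 - - [02/Aug/2017:10:03:05 +1000] "GET /console/Other.php?T=a%26b HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} params={f['params']}")
```

Only GET query strings appear in a typical access log; a value sent in a POST
body is invisible here, which is one reason inline inspection such as the
Digital Vaccine filter noted above, and the vendor patch itself, remain the
primary controls. Since authentication is required, every hit corresponds to
an existing console session, so the source address and time are the starting
point for working out which account was in use.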

Vendor Response
Trend Micro has issued an update to correct this vulnerability. More
details can be found at:

    https://success.trendmicro.com/solution/1117769

Disclosure Timeline

    2017-03-01 - Vulnerability reported to vendor
    2017-08-02 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:

    Steven Seeley of Source Incite

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
