Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2017.0029 Multiple Vulnerabilities in Trend Micro Control Manager (TMCM) 6.0 24 March 2017 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Trend Micro Control Manager (TMCM) Operating System: Windows Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Access Confidential Data -- Existing Account Resolution: Patch/Upgrade Member content until: Sunday, April 23 2017 OVERVIEW Multiple vulnerabilities have been identified in Trend Micro Control Manager (TMCM) prior to version 6.0 build 3560. [1] IMPACT Trend Micro have provided the following details regarding the vunlnerabilities: "Release Date: March 21, 2017 Trend Micro Vulnerability Identifier(s): 2016-0033, 0117, VRTS-193, 143, 145 Platform(s): Windows CVSS 2.0 Score(s): 6.0 CVSS 3.0 Score(s): 4.3-6.5 Severity Rating(s): Medium Trend Micro has released a new build of Trend Micro Control Manager 6.0. This build resolves multiple vulnerabilities which could potentially allow a remote attacker to execute arbitrary code on vulnerable installations. Acknowledgement Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers: Steven Seeley of Source Incite working with Trend Micro's Zero Day Initiative[2][3][4][5][6][7][8][9] Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A Vincent Hutsebaut of NCIA / NCIRC" [1] MITIGATION Trend Micro have provided the following details regarding the vunlnerabilities: "Release Date: March 21, 2017 Trend Micro Vulnerability Identifier(s): 2016-0033, 0117, VRTS-193, 143, 145 Platform(s): Windows CVSS 2.0 Score(s): 6.0 CVSS 3.0 Score(s): 4.3-6.5 Severity Rating(s): Medium Trend Micro has released a new build of Trend Micro Control Manager 6.0. This build resolves multiple vulnerabilities which could potentially allow a remote attacker to execute arbitrary code on vulnerable installations. Acknowledgement Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers: Steven Seeley of Source Incite working with Trend Micro's Zero Day Initiative[2][3][4][5][6][7][8][9] Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A Vincent Hutsebaut of NCIA / NCIRC"[1] REFERENCES [1] SECURITY BULLETIN: Multiple Vulnerabilities in Trend Micro Control Manager (TMCM) 6.0 https://success.trendmicro.com/solution/1116863 [2] Trend Micro Control Manager cgiCMUIDispatcher ManualDownloadResult SQL Injection Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-17-180/ [3] Trend Micro Control Manager CCGIServlet ID_QUERY_COMMAND_TRACKING_ID SQL Injection Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-17-181/ [4] Trend Micro Control Manager CCGIServlet ID_QUERY_COMMAND_TRACKING_ID SQL Injection Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-17-182/ [5] Trend Micro Control Manager CCGIServlet ID_HIDDEN_UG_STR SQL Injection Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-17-183/ [6] Trend Micro Control Manager CCGIServlet IDTB_SV parameters SQL Injection Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-17-183/ [7] Trend Micro Control Manager AdHocQueryExportProcessing SQL Injection Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-17-185/ [8] Trend Micro Control Manager CCGIServlet SpecialSpywarePolicyResult SQL Injection Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-17-186/ [9] Trend Micro InterScan Messaging Security Suite DetailReportAction Directory Traversal Information Disclosure Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-17-187/ AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWNRuvYx+lLeg9Ub1AQgGlg/+KYazk2bnZn5nns14vGjc4n4mvmQyIiIY CKrsSoZ0107yGyRxLOInPzdjIzF9ZrzkEJGhbve1pXnbJcQEzTV9iBsKb0LANmIF E82PiOf4OmvnZoLePMS49qCA3ba5ETY2ZrZ2o4p8Y1STAnEqnoaGB6/1tbCbrVMb YjZcyMXmTp2b/2QiXzHD0dURhpPg6dBQHYb5vAa7KviEgk6i/jN5/NY4MYL9dtMK Jsgx9d8WNRnIxNOG7j4ELuBj0IGeNqwPx4rdJ3lujJocK3ttq4E5ag9ODNlKGrNI nVSxSV2bZ+M8eBo2pmv4EExoV2Yv0+WKGgwz8RitxVa8JnmKJQzm3SoD2r78w+Mq rcowiyHzwDxwIl5najfbSwWWfS5KrO30zA2FLzIzhJdrOAH2/otdvbOGOXah/vLU /yytQlMWHU9MliChneaammJDfkBf4sCG3mxkwCHfgwT3yjso1msAg5dfLXst9MXY KWVU+45xzgPRpvVt25PIZ4TcYfVxTClQdT8JDsb5YlWweBmrLS/8YOkIE+IRkH3J pnk/4BlmoGyzhErUjM7oDn01BBcZCz1tFwzezZsSMO4QlA8haJDmvpw8IyTYCg/T jNs8m5aMzYw1oUMClnwZYpDztWr202r0INyBmmazRysglKoZEvSZohbKLX92L8Nt zFjXW4TPDzU= =NePS -----END PGP SIGNATURE-----