VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2008-140
Web Management Authentication Bypass vulnerability in Trend Micro Products

Original Issue Date: August 29, 2008

Severity Rating: High

Systems Affected

  • Trend Micro OfficeScan 7.0
  • Trend Micro OfficeScan 7.3
  • Trend Micro OfficeScan 8.0
  • Worry-Free Business Security 5.0
  • Trend Micro Client/Server/Messaging Suite 3.5
  • Trend Micro Client/Server/Messaging Suite 3.6

    NOTE: Other versions may also be affected

Overview

An authentication bypass vulnerability has been reported in several Trend Micro products. It could be exploited by an attacker to bypass the authentication layer provided by the products' Web Management Console.

Description

Session tokens are used to uniquely identify an authenticated user on an application and to keep track of the various states of the operations performed by the authenticated user.

This vulnerability is caused by weak entropy in the generation of the session tokens that identify an authenticated manager using the web management console: the space of possible tokens is small enough that a valid one can be guessed.

An attacker could exploit this vulnerability by brute forcing the authentication token of a currently logged-on manager, impersonating that manager and thereby gaining administrative control over the vulnerable application. Once administrative rights are obtained, the attacker could execute arbitrary code by changing the configuration of the vulnerable application.
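The weakness described above is a property of the token space, not of any one product's code. The following illustration is added here and is not code from the advisory or from Trend Micro: it estimates how many bits of entropy a token scheme can offer, compares a constructed under-sized scheme (a 4-digit numeric token, assumed purely for illustration and not the product's actual format) with a token drawn from the OS CSPRNG, and shows a minimal session table that issues such tokens. The 128-bit floor and the SessionStore API are assumptions for the example.

```python
from __future__ import annotations

import math
import secrets
from typing import Dict, Optional

# Assumed policy value: a common floor for unguessable session identifiers.
MIN_TOKEN_BITS = 128


def token_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy if every position is chosen uniformly from the alphabet.

    This is an upper bound: a biased or predictable generator (timestamps,
    a small PRNG seed) yields fewer bits than the token length suggests.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet must have >= 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def expected_guesses(entropy_bits: float) -> float:
    """Average number of blind guesses needed to hit one specific valid token
    (half the token space)."""
    return 2.0 ** (entropy_bits - 1)


def token_is_strong_enough(alphabet_size: int, length: int,
                           min_bits: int = MIN_TOKEN_BITS) -> bool:
    """Audit check: does the scheme's token space clear the minimum entropy floor?"""
    return token_space_bits(alphabet_size, length) >= min_bits


def new_session_token(nbytes: int = 32) -> str:
    """Token from the OS CSPRNG via the secrets module.

    32 random bytes carry 256 bits of entropy; base64url encoding without
    padding turns them into a 43-character string.
    """
    return secrets.token_urlsafe(nbytes)


class SessionStore:
    """Minimal in-memory session table keyed by the issued token (assumed API)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def create(self, username: str) -> str:
        token = new_session_token()
        self._sessions[token] = username
        return token

    def resolve(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    # Constructed comparison: 4-digit numeric token vs. 32-byte CSPRNG token.
    weak_bits = token_space_bits(10, 4)
    strong_bits = token_space_bits(64, 43)  # 43 base64url characters
    print(f"4-digit numeric token: {weak_bits:.1f} bits, "
          f"~{expected_guesses(weak_bits):.0f} guesses on average")
    print(f"32-byte CSPRNG token:  {strong_bits:.1f} bits, "
          f"~{expected_guesses(strong_bits):.2e} guesses on average")
    store = SessionStore()
    token = store.create("manager")
    print("session resolves:", store.resolve(token) == "manager")
    store.revoke(token)
    print("after revoke:", store.resolve(token))
```

The point of `token_space_bits` is that it is only an upper bound; a generator that seeds from a clock or a 32-bit PRNG state can never exceed the entropy of that seed, however long the printed token is, which is why the fix is a CSPRNG-backed generator rather than a longer token format.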

Solution

Apply the appropriate patch provided by the vendor:

http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2402_readme.txt

Vendor Information

Trend Micro
http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2402_readme.txt

References

SecuriTeam
http://www.securiteam.com/windowsntfocus/5TP0L0KP5S.html

SecurityFocus
http://www.securityfocus.com/bid/30792/discuss

SecurityTracker
http://www.securitytracker.com/alerts/2008/Aug/1020732.html

CVE Name
CVE-2008-2433


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003