CERT-In Vulnerability Note CIVN-2008-169
Trend Micro OfficeScan CGI Parsing Buffer Overflow Vulnerability

Original Issue Date: October 24, 2008

Severity Rating: Medium

Systems Affected

  • Trend Micro OfficeScan 8.0 SP 1 Patch 1
  • Trend Micro OfficeScan 7.3

Overview

A vulnerability has been reported in Trend Micro OfficeScan which could allow an attacker on the local network to compromise a vulnerable system.

Description

A buffer overflow vulnerability has been reported in Trend Micro OfficeScan. It is caused by an improper boundary check on user-supplied data when that data is copied into an insufficiently sized buffer, which could cause a stack-based buffer overflow via a specially crafted HTTP request containing form data supplied to the Trend Micro OfficeScan server CGI module. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code within the context of the affected application and to compromise the vulnerable system.
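
The boundary check whose absence the description refers to, shown as an added example (not Trend Micro's code and not part of the original advisory): a C routine that extracts one form field from an HTTP request body into a fixed-size buffer and rejects values that do not fit. The function name, result codes and field names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Result codes for get_form_field (illustrative names). */
enum { FIELD_OK = 0, FIELD_MISSING = -1, FIELD_TOO_LONG = -2 };

/*
 * Copy the raw value of `name` from an application/x-www-form-urlencoded
 * body into `out` (capacity `out_cap`, including the terminating NUL).
 * The value length is measured and checked BEFORE any byte is copied;
 * an unchecked strcpy()/sprintf() into a fixed stack buffer at this point
 * is the defect class the advisory describes.
 */
int get_form_field(const char *body, size_t body_len, const char *name,
                   char *out, size_t out_cap)
{
    size_t name_len = strlen(name);
    size_t pos = 0;

    if (out_cap == 0)
        return FIELD_TOO_LONG;
    out[0] = '\0';

    while (pos < body_len) {
        /* Find the end of the current key=value pair. */
        const char *pair = body + pos;
        const char *amp = memchr(pair, '&', body_len - pos);
        size_t pair_len = amp ? (size_t)(amp - pair) : body_len - pos;

        if (pair_len > name_len && pair[name_len] == '=' &&
            memcmp(pair, name, name_len) == 0) {
            size_t val_len = pair_len - name_len - 1;
            if (val_len >= out_cap)        /* no room for value + NUL */
                return FIELD_TOO_LONG;     /* reject, never truncate silently */
            memcpy(out, pair + name_len + 1, val_len);
            out[val_len] = '\0';
            return FIELD_OK;
        }
        pos += pair_len + 1;               /* step past the '&' separator */
    }
    return FIELD_MISSING;
}
```

A caller should treat FIELD_TOO_LONG as a malformed request and stop processing it rather than retry with a truncated value.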

Solution

Apply the appropriate patches as mentioned in the Trend Micro OfficeScan patch release.

Trend Micro OfficeScan 8.0 SP1 Patch 1:
http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_sp1p1_CriticalPatch_B3110_readme.txt

Trend Micro OfficeScan 7.3:
http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_CriticalPatch_B1374_readme.txt

Vendor Information

Trend Micro
http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_sp1p1_CriticalPatch_B3110_readme.txt
http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_CriticalPatch_B1374_readme.txt

References

Trend Micro
http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_sp1p1_CriticalPatch_B3110_readme.txt
http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_CriticalPatch_B1374_readme.txt

Secunia
http://secunia.com/advisories/32005/

SecurityFocus
http://www.securityfocus.com/bid/31859

CVE Name
CVE-2008-3862


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003