TITLE:
Trend Micro ServerProtect Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA18038

VERIFY ADVISORY:
http://secunia.com/advisories/18038/

CRITICAL:
Moderately critical

IMPACT:
Exposure of system information, Exposure of sensitive information, DoS, System access

WHERE:
From local network

SOFTWARE:
Trend Micro Control Manager (TMCM) 3.x
http://secunia.com/product/4468/
Trend Micro Damage Cleanup Server 1.x
http://secunia.com/product/1853/
Trend Micro ServerProtect for Windows/NetWare 5.x
http://secunia.com/product/1153/

DESCRIPTION:
Some vulnerabilities have been reported in Trend Micro ServerProtect, which can be exploited by malicious people to cause a DoS (Denial of Service), disclose potentially sensitive information, and potentially compromise a vulnerable system.

1) An error exists in the EarthAgent daemon when handling specially crafted data received via port 5005/tcp. This can be exploited to cause the daemon to consume a large amount of CPU and memory resources, potentially causing a DoS.

2) A boundary error exists in the "/TVCS/relay.dll" and "/ControlManager/cgi-bin/VA/isaNVWRequest.dll" ISAPI of the Management Console when handling POST requests containing chunked encoding with an overly large length value. This can be exploited to cause a heap-based buffer overflow and can potentially allow arbitrary code execution.

The vulnerability may be caused by an error in the linked Microsoft Foundation Classes (MFC) static libraries.

3) Input passed to the "IMAGE" parameter in "rptserver.asp" of the Management Console isn't properly sanitised before being used as a filename to display the specified file using the Crystal Reports ActiveX object. This can be exploited to disclose the contents of arbitrary files outside the system temporary directory via directory traversal attacks.

The vulnerabilities have been reported in Trend Micro ServerProtect for Windows Management Console 5.58 running with Trend Micro Control Manager 2.5/3.0 and Trend Micro Damage Cleanup Server 1.1. Other versions may also be affected.

SOLUTION:
Apply hotfix for vulnerability #1.
http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=25254

Vulnerability #2 will reportedly be fixed in the next version. The vendor recommends using the URLScan tool from Microsoft to block requests containing chunked encoding as a workaround.

The vendor is reportedly working with Crystal Report for a resolution for vulnerability #3. Users can contact the vendor's customer support for workaround recommendations.

PROVIDED AND/OR DISCOVERED BY:
Discovered by anonymous and reported via iDEFENSE.

ORIGINAL ADVISORY:
Trend Micro:
http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=25254

iDEFENSE:
http://www.idefense.com/application/poi/display?id=356&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=354&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=353&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=352&type=vulnerabilities

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.
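
Added example (not part of the Secunia advisory and not vendor code): one way to triage IIS logs for vulnerability #3 while no fix is available, flagging rptserver.asp requests whose IMAGE value resolves outside the temporary directory. The log field order, the /console/ path, TEMP_DIR and the sample lines are assumptions constructed for illustration.

```python
import ntpath
from urllib.parse import parse_qsl, unquote

TEMP_DIR = r"C:\WINDOWS\Temp"  # assumption: where report images are expected to live

# Constructed IIS W3C lines; assumed fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2005-12-15 09:14:02 192.0.2.10 GET /console/rptserver.asp IMAGE=rpt1034.gif 200
2005-12-15 09:15:40 198.51.100.7 GET /console/rptserver.asp IMAGE=..%5C..%5Cexample.txt 200
2005-12-15 09:15:44 198.51.100.7 GET /console/rptserver.asp image=..%252F..%252Fexample.txt 200
2005-12-15 09:16:03 198.51.100.7 GET /console/rptserver.asp IMAGE=C:%5Cexample.txt 200
2005-12-15 09:17:30 192.0.2.10 GET /console/default.asp - 200
"""

def escapes_temp_dir(value, base=TEMP_DIR):
    """True if value, taken as a file name under base, resolves outside base."""
    for _ in range(3):  # peel nested percent-encoding (%252F -> %2F -> /)
        value = unquote(value)
    # Windows path rules: absolute or rooted values replace base, ".." is collapsed
    target = ntpath.normcase(ntpath.normpath(ntpath.join(base, value)))
    return not target.startswith(ntpath.normcase(base) + "\\")

def suspicious_image_requests(log_text):
    """Return (client_ip, raw_query) for rptserver.asp hits whose IMAGE leaves TEMP_DIR."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue  # skip W3C directives and malformed lines
        _, _, ip, _, stem, query, _ = fields
        if not stem.lower().endswith("/rptserver.asp"):
            continue
        # ASP treats parameter names case-insensitively, so compare lowercased
        for key, val in parse_qsl(query, keep_blank_values=True):
            if key.lower() == "image" and escapes_temp_dir(val):
                hits.append((ip, query))
    return hits

if __name__ == "__main__":
    for ip, query in suspicious_image_requests(SAMPLE_LOG):
        print(ip, query)
```

The same escapes_temp_dir check, applied before the file is opened, is the shape of the server-side validation that the advisory says is missing for the IMAGE parameter.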