
Affected Version(s)

Product                     Affected Version(s)                 Platform            Language(s)
Email Encryption Gateway    Version 5.5 Build 1111 and below    Virtual Appliance   English

Solution

Trend Micro has released the following solutions to address the issues:

Product                     Updated version           Platform            Availability
Email Encryption Gateway    Version 5.5 Build 1129    Virtual Appliance   Now Available

These are the minimum versions of the patch and/or build required to address the issue. Trend Micro highly encourages customers to obtain the latest version of the product if a newer one is available than the one listed in this bulletin.

Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.

Vulnerability Details

This update resolves multiple vulnerabilities in Trend Micro Email Encryption Gateway 5.5:

  1. CVE-2018-6219: Insecure Update via HTTP.
  2. CVE-2018-6220: Arbitrary file write leading to command execution.
  3. CVE-2018-6221: Unvalidated Software Updates.
  4. CVE-2018-6222: Arbitrary logs locations leading to command execution.
  5. CVE-2018-6223: Missing authentication for appliance registration.
  6. CVE-2018-6225: XML external entity injection in a configuration script.
  7. CVE-2018-6226: Reflected cross-site scripting in two configuration scripts.
  8. CVE-2018-6227: Stored cross-site scripting in a policy script.
  9. CVE-2018-6228: SQL injection in a policy script.
  10. CVE-2018-6229: SQL injection in an edit policy script.
  11. CVE-2018-10356: SQL injection remote code execution in requestDomains.

Please note that several additional vulnerabilities were reported to Trend Micro; however, because implementing the proposed fixes would negatively impact the product’s critical normal functions, Trend Micro has decided that these will not be addressed in the current iteration of the product. More information can be found in the Mitigating Factors section below.

  • *CVE-2018-6224: Lack of cross-site request forgery protection.
  • *CVE-2018-6230: SQL injection in a search configuration script.
  • *CVE-2018-10351: SQL injection in client registration script.
  • *CVE-2018-10352: SQL injection in formConfiguration.
  • *CVE-2018-10353: SQL injection Information Disclosure vulnerability.
  • *CVE-2018-10354: Blacklist command injection vulnerability leading to Remote Command Execution.
  • *CVE-2018-10355: DBCrypto authentication weakness vulnerability.

Due to the seriousness of these vulnerabilities, customers are highly encouraged to update to the latest build as soon as possible.

Mitigating Factors

Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure that policies and perimeter security are up to date.

However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.

*Specifically for the vulnerabilities listed above that will not be immediately addressed, Trend Micro recommends the following mitigating steps to reduce any potential risk from these vulnerabilities:

  • CVE-2018-6224 - it was reported that this vulnerability could be chained with at least 3 other vulnerabilities listed above to lead to remote command execution. The latest TMEEG build addresses those 3 other vulnerabilities, which should negate the ability to attain remote command execution using this vulnerability.
  • CVE-2018-10353 - even though this was not directly addressed, the latest build resolves CVE-2018-6223, which in effect prevents an attacker from accessing the configuration file needed to set up the SQL injection attack, thus negating it.
  • In addition, for the following vulnerabilities: CVE-2018-6224, CVE-2018-6230, CVE-2018-10351, CVE-2018-10352, CVE-2018-10354 and CVE-2018-10355, the affected components are located in the TMEEG web console, which by design is not generally internet-facing and is usually configured so that the administrator accesses it only from within the intranet. To help mitigate exposure and exploit risk, ensure that the web console is reachable from the intranet only and with limited access (e.g. by assigning an allowed-access network segment via IP range).

Migration Options

TMEEG customers looking for comparable features and functionality in newer product technology are encouraged to look at Trend Micro InterScan Messaging Security (Virtual Appliance) with the encryption module.  

TMEEG customers looking to migrate to InterScan Messaging Security (Virtual Appliance) should contact their Trend Micro account team for more information.

Acknowledgement

Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:

  • Leandro Barragan and Maximiliano Vidal working with Core Security Consulting Services
  • Vahagn Vardanyan
  • Steven Seeley of Source Incite working with Trend Micro's Zero Day Initiative

External Reference(s)

The following advisories may be found by visiting the following sites:

CVE               ZDI Case(s)
CVE-2018-10351    ZDI-18-415
CVE-2018-10352    ZDI-18-418
CVE-2018-10353    ZDI-18-419
CVE-2018-10354    ZDI-18-416
CVE-2018-10355    ZDI-18-411
CVE-2018-10356    ZDI-18-420
CVE-2018-6229     ZDI-18-414
CVE-2018-6223     ZDI-18-412
CVE-2018-6230     ZDI-18-417
CVE-2018-6229     ZDI-18-413