Affected Version(s)

Solution

Trend Micro has created the following solution to address the issue:

Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.

Vulnerability Details

CVE-2020-8461:  CSRF Protection Bypass 
CVSSv3: 7.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A CSRF protection bypass vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to get a victim's browser to send a specifically encoded request without requiring a valid CSRF token. 

CVE-2020-8462, CVE-2020-27010:  Cross-Site Scripting
CVSSv3: 3.3: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
Cross-site scripting (XSS) vulnerabilities in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to tamper with the web interface of the product.

CVE-2020-8463:  Authorization Bypass
CVSSv3: 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to bypass a global authorization check for anonymous users by manipulating request paths.

CVE-2020-8464:  Authentication Bypass/SSRF
CVSSv3: 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to send requests that appear to come from the localhost which could expose the product's admin interface to users who would not normally have access.

CVE-2020-8465:  Command Execution
CVSSv3: 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to manipulate system updates using a combination of CSRF bypass (CVE-2020-8461) and authentication bypass (CVE-2020-8464) to execute code as user root.

CVE-2020-8466:  Unauthenticated Command Injection
CVSSv3: 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A command injection vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2, with the improved password hashing method enabled, could allow an unauthenticated attacker to execute certain commands by providing a manipulated password.

 

Mitigating Factors

Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date.

As a matter of best practice to help protect against unauthorized access to the product admin console, the following mitigations are also recommended:

1.  Enable Management Access Control in IWSVA to set ACLs that restrict access to the management console to a specific IP or IP range that are trusted in your organization.
2.  Utilize other security tools in the environment (e.g. firewall) to limit IP access to the IWSVA management console.

Acknowledgement

Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:

• W. Ettlinger of SEC Consult Vulnerability Lab  (CVE-2020-8461 through 8466)
• Srinivasan Rajagopalan (CVE-2020-27010)

External Reference(s)

• SEC-Consult Security Advisory