CVE Identifier(s): CVE-2020-8461 through 8466, CVE-2020-27010
Platform(s): Virtual Appliance
CVSS 3.0 Score(s): 3.3 - 8.2
Severity Rating(s): Low - High
Trend Micro has made a Critical Patch (CP) available for Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2. This CP addresses multiple vulnerabilities related to CSRF protection bypass, cross-site scripting (XSS), authorization/authentication bypass, command execution and unauthenticated command injection.
Affected Version(s)
Product | Affected Version(s) | Platform | Language(s) |
---|---|---|---|
IWSVA | 6.5 SP2 | Virtual Appliance | English |
Solution
Trend Micro has created the following solution to address the issue:
Product | Updated version | Notes | Platform | Availability |
---|---|---|---|---|
IWSVA | 6.5 SP2 CP b1919 | Readme | Virtual Appliance | Available Now |
Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.
Vulnerability Details
CVE-2020-8461: CSRF Protection Bypass
CVSSv3: 7.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A CSRF protection bypass vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to get a victim's browser to send a specifically encoded request without requiring a valid CSRF token.
CVE-2020-8462, CVE-2020-27010: Cross-Site Scripting
CVSSv3: 3.3: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
Cross-site scripting (XSS) vulnerabilities in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to tamper with the web interface of the product.
CVE-2020-8463: Authorization Bypass
CVSSv3: 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to bypass a global authorization check for anonymous users by manipulating request paths.
CVE-2020-8464: Authentication Bypass/SSRF
CVSSv3: 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to send requests that appear to come from the localhost which could expose the product's admin interface to users who would not normally have access.
CVE-2020-8465: Command Execution
CVSSv3: 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to manipulate system updates using a combination of CSRF bypass (CVE-2020-8461) and authentication bypass (CVE-2020-8464) to execute code as user root.
CVE-2020-8466: Unauthenticated Command Injection
CVSSv3: 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A command injection vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2, with the improved password hashing method enabled, could allow an unauthenticated attacker to execute certain commands by providing a manipulated password.
Mitigating Factors
Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. In addition to the timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure that policies and perimeter security are up to date.
As a matter of best practice to help protect against unauthorized access to the product admin console, the following mitigations are also recommended:
- Enable Management Access Control in IWSVA to set ACLs that restrict access to the management console to a specific IP or IP range that is trusted in your organization.
- Utilize other security tools in the environment (e.g. firewall) to limit IP access to the IWSVA management console.
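As an added illustration of the two mitigations above (this script is not part of the Trend Micro advisory or the IWSVA product), the following audits web-server access-log lines for management-console requests that arrive from outside a trusted IP range, normalizing encoded and dot-segment paths before matching so that a manipulated request path is still classified as console traffic. The console path prefix, the trusted network and the log lines are all constructed assumptions.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumed placeholder: URL prefixes that belong to the management console.
ADMIN_PATH_PREFIXES = ("/admin/",)
# Assumed: the only network from which console access is permitted.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]
# Minimal common-log-format parser: client IP and request path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*"')

def is_trusted(ip_str, networks=TRUSTED_NETWORKS):
    """True only if the source address parses and lies inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # an unparsable source is never trusted
    return any(ip in net for net in networks)

def is_admin_path(path):
    """Percent-decode and collapse dot segments before matching, so a path written
    as /x/../admin/ or /%2e%2e/admin/ is still recognised as console traffic."""
    normalized = posixpath.normpath(unquote(path.split("?", 1)[0]))
    if not normalized.endswith("/"):
        normalized += "/"
    return normalized.startswith(ADMIN_PATH_PREFIXES)

def find_untrusted_admin_requests(log_lines):
    """Return (ip, path) pairs for console requests that came from untrusted sources."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_admin_path(m["path"]) and not is_trusted(m["ip"]):
            findings.append((m["ip"], m["path"]))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.5.17 - - [01/Nov/2020:10:00:01 +0000] "GET /admin/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Nov/2020:10:00:02 +0000] "GET /admin/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Nov/2020:10:00:03 +0000] "POST /foo/../admin/update HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/Nov/2020:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.9 - - [01/Nov/2020:10:00:05 +0000] "GET /%2e%2e/admin/ HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for ip, path in find_untrusted_admin_requests(SAMPLE_LOG):
        print(f"untrusted console access: {ip} {path}")
```

Feed it the real access log of the host that fronts the console and replace the placeholders with the console's actual path prefix and the organization's trusted range.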
Acknowledgement
Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:
- W. Ettlinger of SEC Consult Vulnerability Lab (CVE-2020-8461 through 8466)
- Srinivasan Rajagopalan (CVE-2020-27010)