ScanMail for Microsoft Exchange uses a random number generator that generates predictable numbers for session ID to be used in logging into the web console. This makes it easier for the remote attackers to conduct brute force guessing attacks to get the web session ID.
Trend Micro has released hot fixes to resolve this issue. The following hot fixes enable SMEX to generate longer session IDs using a combination of letters, numbers, and characters.
- For SMEX 10.2 - Hot Fix Build 3318
- For SMEX 11.0 - Hot Fix Build 4180
To get the appropriate hot fix, contact Trend Micro Technical Support.
Trend Micro would like to thank Roberto Suggi Liverani / NCIA for responsibly disclosing this issue and working with Trend Micro to help protect our customers.