Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

SECURITY BULLETIN: Trend Micro Email Encryption Gateway 5.5 Multiple Vulnerabilities

    • Updated:
    • 4 May 2018
    • Product/Version:
    • Email Encryption Gateway 5.5
    • Platform:
    • Virtual Appliance 5.1
Summary
Release Date: February 21, 2018
Updated: May 3, 2018
CVE Vulnerability Identifier(s): CVE-2018-6219 -- 6230; CVE-2018-10351 -- 10355
Platform(s): Virtual Appliance
CVSS 3.0 Score(s): 3.8 - 9.1
Severity Rating(s): Low, Medium, High and Critical

Trend Micro has released a new build for Trend Micro Email Encryption Gateway (TMEEG) 5.5 which resolves multiple vulnerabilities in the product.

Details
Public
Solution:

Affected Version(s)

ProductAffected Version(s)PlatformLanguage(s)
Email Encryption GatewayVersion 5.5 Build 1111 and belowVirtual ApplianceEnglish

Solution

Trend Micro has released the following solutions to address the issues:

ProductUpdated versionPlatformAvailability
Email Encryption GatewayVersion 5.5 Build 1129Virtual ApplianceNow Available

This is the minimum version(s) of the patch and/or build required to address the issue. Trend Micro highly encourages customers to obtain the latest version of the product if there is a newer one available than the one listed in this bulletin.

Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.

 

Vulnerability Details

This update resolves multiple vulnerabilities in Trend Micro Email Encryption Gateway 5.5:

 

  1. CVE-2018-6219: Insecure Update via HTTP.
  2. CVE-2018-6220: Arbitrary file write leading to command execution.
  3. CVE-2018-6221: Unvalidated Software Updates.
  4. CVE-2018-6222:  Arbitrary logs locations leading to command execution.
  5. CVE-2018-6223:  Missing authentication for appliance registration.
  6. CVE-2018-6225:  XML external entity injection in a configuration script.
  7. CVE-2018-6226:  Reflected cross-site scripting in two configuration scripts.
  8. CVE-2018-6227:  Stored cross-site scripting in a policy script.
  9. CVE-2018-6228:  SQL injection in a policy script.
  10. CVE-2018-6229:  SQL injection in an edit policy script.
  11. CVE-2018-10356:  SQL injection remote code execution in requestDomains.

 

Please note that there were several additional vulnerabilities reported to Trend Micro; however due to the negative impact of implementing the proposed fixes on the product’s critical normal functions, Trend Micro has decided that these will not be addressed in the current iteration of the product.  More information can be found in the Mitigating Factors section below.  

  • *CVE-2018-6224: Lack of cross-site request forgery protection.
  • *CVE-2018-6230:  SQL injection in a search configuration script.
  • *CVE-2018-10351: SQL injection in client registration script.
  • *CVE-2018-10352: SQL injection in formConfiguration.
  • *CVE-2018-10353: SQL injection Information Disclosure vulnerability.
  • *CVE-2018-10354: Blacklist command injection vulnerability leading to Remote Command Execution.
  • *CVE-2018-10355: DBCrypto authentication weakness vulnerability.

Due to the seriousness of these vulnerabilities, customers are highly encouraged to update to the latest build as soon as possible.

 

Mitigating Factors

Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date.

However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.

*Specifically for the vulnerabilities listed above that will not be immediately addressed, Trend Micro recommends the following mitigating steps to reduce any potential risk from these vulnerabilities:

  • CVE-2018-6224  - it was reported that this vulnerability could be chained with at least 3 other vulnerabilities listed above to lead to remote command execution.  The latest TMMEG build addresses the 3 other vulnerabilities, which should negate the ability to attain remote command execution using this vulnerability.
  • CVE-2018-10353 – even though this was not directly addressed, the latest build resolves CVE-2018-6223, which in effect prevents an attacker from accessing the necessary configuration file to setup the SQL injection attack; thus, negating it.
  • In addition, for the following vulnerabilities: CVE-2018-6224, CVE-2018-6230, CVE-2018-10351, CVE-2018-10352, CVE-2018-10354 and CVE-2018-10355 -- the affected components are located in the TMEEG web console, which by design is not generally internet-facing and is usually configured for the administrator to only access within the intranet.  A recommendation to help mitigate exposure and exploit risk is to ensure that the web console is secured on the intranet only and with limited access (e.g. assign allowed-access network segment via IP range for example).  

 

Migration Options

TMEEG customers looking for comparable features and functionality in newer product technology are encouraged to look at Trend Micro InterScan Messaging Security (Virtual Appliance) with the encryption module.  

TMEEG customers looking to migrate to InterScan Messaging Security (Virtual Appliance) should contact their Trend Micro account team for more information.

 

Acknowledgement

Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:

  • Leandro Barragan and Maximiliano Vidal working with Core Security Consulting Services
  • Vahagn Vardanyan
  • Steven Seeley of Source Incite working with Trend Micro's Zero Day Initiative

 

External Reference(s)

The following advisories may be found by visiting the following sites:

CVEZDI Case(s)
CVE-2018-10351ZDI-18-415
CVE-2018-10352 ZDI-18-418
CVE-2018-10353ZDI-18-419
CVE-2018-10354ZDI-18-416
CVE-2018-10355ZDI-18-411
CVE-2018-10356ZDI-18-420
CVE-2018-6229ZDI-18-414
CVE-2018-6223ZDI-18-412
CVE-2018-6230ZDI-18-417
CVE-2018-6229ZDI-18-413
Premium
Internal
Rating:
Category:
Migrate
Solution Id:
1119349
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.