CVE Vulnerability Identifier(s): CVE-2018-6219 through CVE-2018-6230
Platform(s): Virtual Appliance
CVSS 3.0 Score(s): 3.8 - 9.1
Severity Rating(s): Low, Medium, High and Critical
Trend Micro has released a new build for Trend Micro Email Encryption Gateway (TMEEG) 5.5 which resolves multiple vulnerabilities in the product.
| Product | Affected version | Platform | Language |
|---|---|---|---|
| Email Encryption Gateway | Version 5.5 Build 1111 and below | Virtual Appliance | English |
Trend Micro has released the following solutions to address the issues:
| Product | Updated version | Platform | Availability |
|---|---|---|---|
| Email Encryption Gateway | Version 5.5 Build 1129 | Virtual Appliance | Now Available |
This is the minimum version of the patch and/or build required to address the issues. Trend Micro highly encourages customers to obtain the latest version of the product if one newer than that listed in this bulletin is available.
Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.
This update resolves multiple vulnerabilities in Trend Micro Email Encryption Gateway 5.5:
- CVE-2018-6219: Insecure Update via HTTP (CVSS 7.5).
- CVE-2018-6220: Arbitrary file write leading to command execution (CVSS 7.5).
- CVE-2018-6221: Unvalidated Software Updates (CVSS 7.5).
- CVE-2018-6222: Arbitrary logs locations leading to command execution (CVSS 7.2).
- CVE-2018-6223: Missing authentication for appliance registration (CVSS 9.1).
- CVE-2018-6225: XML external entity injection in a configuration script (CVSS 5.5).
- CVE-2018-6226: Reflected cross-site scripting in two configuration scripts (CVSS 7.4).
- CVE-2018-6227: Stored cross-site scripting in a policy script (CVSS 7.4).
- CVE-2018-6228: SQL injection in a policy script (CVSS 4.9).
- CVE-2018-6229: SQL injection in an edit policy script (CVSS 6.5).
Please note that there were two additional vulnerabilities reported to Trend Micro; however, due to the negative impact of implementing the proposed fixes on the product’s critical normal functions, Trend Micro has decided that these will not be addressed in the current iteration of the product. More information can be found in the Mitigating Factors section below.
- *CVE-2018-6224: Lack of cross-site request forgery protection (CVSS 6.8).
- *CVE-2018-6230: SQL injection in a search configuration script (CVSS 3.8).
Due to the seriousness of these vulnerabilities, customers are highly encouraged to update to the latest build as soon as possible.
Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure that policies and perimeter security are up to date.
However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.
*Specifically for the two vulnerabilities listed above that will not be immediately addressed, Trend Micro recommends the following mitigating steps to reduce any potential risk from these vulnerabilities:
- CVE-2018-6224 (Lack of cross-site request forgery protection) - it was reported that this vulnerability could be chained with at least 3 other vulnerabilities listed above to lead to remote command execution. The latest TMEEG build addresses those 3 other vulnerabilities, which should negate the ability to attain remote command execution using this vulnerability.
- In addition, for both CVE-2018-6224 and CVE-2018-6230 (SQL injection in a search configuration script) - the affected components are located in the TMEEG web console, which by design is not generally internet-facing and is usually configured so that the administrator only accesses it from within the intranet. A recommendation to help mitigate exposure and exploit risk is to ensure that the web console is reachable from the intranet only and with limited access (e.g. assign an allowed-access network segment via an IP range).
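One way to verify the IP-range restriction recommended above is to audit the console's access log for requests that arrive from outside the allowed segment. The following is an added example, not Trend Micro code; it assumes a combined-format (Apache/nginx style) access log, and the log lines, the allowed segment and the `/console/` path prefix are all constructed for illustration.

```python
"""Flag web-console requests from outside the allowed admin network segments.

Added example (not Trend Micro code). Assumes the console front-end writes
Apache/nginx "combined"-style access log lines; the log lines, the allowed
segment and the console path prefix below are constructed for illustration.
"""
import ipaddress
import re

# Allowed admin segments (constructed for the example; substitute your own).
ALLOWED_SEGMENTS = [ipaddress.ip_network("10.20.0.0/24")]

# Combined log format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_allowed(client: str) -> bool:
    """True if the client address lies inside one of the allowed segments."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # unparseable address: treat as not allowed
    return any(addr in net for net in ALLOWED_SEGMENTS)

def find_external_console_access(lines, console_prefix="/"):
    """Return (client, path, status) for console requests from outside the allowed segments."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(console_prefix):
            continue  # unparseable line or not a console request
        if not is_allowed(m.group("client")):
            hits.append((m.group("client"), m.group("path"), int(m.group("status"))))
    return hits

# Constructed sample log: two internal clients, two external ones, one junk line.
SAMPLE_LOG = """\
10.20.0.15 - - [12/Feb/2018:09:14:02 +0000] "GET /console/login HTTP/1.1" 200 1532
203.0.113.7 - - [12/Feb/2018:09:15:40 +0000] "GET /console/login HTTP/1.1" 200 1532
203.0.113.7 - - [12/Feb/2018:09:15:52 +0000] "POST /console/policy/edit HTTP/1.1" 302 0
10.20.0.31 - - [12/Feb/2018:09:16:10 +0000] "POST /console/policy/edit HTTP/1.1" 302 0
198.51.100.9 - - [12/Feb/2018:09:17:00 +0000] "GET /health HTTP/1.1" 200 2
garbage line
""".splitlines()

if __name__ == "__main__":
    for client, path, status in find_external_console_access(SAMPLE_LOG, "/console/"):
        print(f"external console access: {client} {path} {status}")
```

Any hit indicates the console is reachable from outside the intended segment and the network restriction should be reviewed.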
TMEEG End-of-Life (EOL) and Recommended Migration Path
As mentioned above, Trend Micro Email Encryption Gateway (TMEEG) will be going through its formal end-of-life (EOL) process in the coming weeks. The recommended migration path for TMEEG customers looking for comparable features and functionality is Trend Micro InterScan Messaging Security (Virtual Appliance) with the encryption module.
TMEEG customers looking to migrate to InterScan Messaging Security (Virtual Appliance) should contact their Trend Micro account team for more information.
Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:
- Leandro Barragan and Maximiliano Vidal working with Core Security Consulting Services
- Vahagn Vardanyan