Synopsis
The remote host is affected by multiple vulnerabilities.
Description
The version of Trend Micro InterScan Web Security Virtual Appliance (IWSVA) installed on the remote host is 6.5 prior to 6.5 Build 1746. It is, therefore, affected by multiple vulnerabilities:
- Multiple access control issues exist that allow an authenticated, remote attacker with low privileges to modify FTP access control, create or modify reports, or upload an HTTPS decryption certificate and private key.
- A flaw exists in the management of certain key and certificate data. By default, IWSVA acts as a private certificate authority (CA) and dynamically generates digital certificates that are sent to client browsers to complete a secure passage for HTTPS connections. It also allows administrators to upload their own certificates signed by a root CA. An authenticated, remote attacker with low privileges can download the current CA certificate and private key (either the default ones or ones uploaded by administrators) and use those to decrypt HTTPS traffic, resulting in a loss of confidentiality. Furthermore, the default private key on the appliance is encrypted with a very weak passphrase. The attacker can exploit this to likewise break the encryption protections. (CVE-2017-6339)
- A cross-site scripting (XSS) vulnerability exists in rest/commonlog/report/template due to improper sanitization of user-supplied input to the name field.
- Additionally, other vulnerabilities have been reported, the most serious of which allow an unauthenticated, remote attacker to inject commands or execute arbitrary code.
Solution
Upgrade to Trend Micro IWSVA version 6.5 Build 1746 or later.