Trend Micro IWSVA 6.5 < 6.5 Build 1746 Multiple Vulnerabilities

Nessus Plugin ID 99248 (Critical)

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

The version of Trend Micro InterScan Web Security Virtual Appliance (IWSVA) installed on the remote host is 6.5 prior to 6.5 Build 1746. It is, therefore, affected by multiple vulnerabilities:

- Multiple access control issues exist that allow an authenticated, remote attacker with low privileges to modify FTP access control, create or modify reports, or upload an HTTPS decryption certificate and private key. (CVE-2017-6338)

- A flaw exists in the management of certain key and certificate data. By default, IWSVA acts as a private certificate authority (CA) and dynamically generates digital certificates that are sent to client browsers to complete a secure passage for HTTPS connections. It also allows administrators to upload their own certificates signed by a root CA. An authenticated, remote attacker with low privileges can download the current CA certificate and private key (either the default ones or ones uploaded by administrators) and use those to decrypt HTTPS traffic, resulting in a loss of confidentiality. Furthermore, the default private key on the appliance is encrypted with a very weak passphrase. The attacker can exploit this to likewise break the encryption protections. (CVE-2017-6339)

- A cross-site scripting (XSS) vulnerability exists in rest/commonlog/report/template due to improper sanitization of user-supplied input to the name field. An authenticated, remote attacker with low privileges can exploit this to inject arbitrary JavaScript while creating a new report. Furthermore, due to incorrect access controls, the attacker can exploit this issue to create or modify reports, allowing arbitrary script code to be executed in a user's browser session when the user visits report or auditlog pages. (CVE-2017-6340)

- Additionally, other vulnerabilities have been reported, the most serious of which allow an unauthenticated, remote attacker to inject commands or execute arbitrary code.

Solution

Upgrade to Trend Micro IWSVA version 6.5 Build 1746 or later.

See Also

https://success.trendmicro.com/solution/1116960

https://www.zerodayinitiative.com/advisories/ZDI-17-193/

https://www.zerodayinitiative.com/advisories/ZDI-17-194/

https://www.zerodayinitiative.com/advisories/ZDI-17-195/

https://www.zerodayinitiative.com/advisories/ZDI-17-196/

https://www.zerodayinitiative.com/advisories/ZDI-17-197/

https://www.zerodayinitiative.com/advisories/ZDI-17-198/

https://www.zerodayinitiative.com/advisories/ZDI-17-199/

https://www.zerodayinitiative.com/advisories/ZDI-17-200/

https://www.zerodayinitiative.com/advisories/ZDI-17-201/

https://www.zerodayinitiative.com/advisories/ZDI-17-202/

https://www.zerodayinitiative.com/advisories/ZDI-17-203/

https://www.zerodayinitiative.com/advisories/ZDI-17-204/

https://www.zerodayinitiative.com/advisories/ZDI-17-205/

https://www.zerodayinitiative.com/advisories/ZDI-17-206/

https://www.zerodayinitiative.com/advisories/ZDI-17-207/

https://www.zerodayinitiative.com/advisories/ZDI-17-208/

https://www.zerodayinitiative.com/advisories/ZDI-17-209/

https://www.zerodayinitiative.com/advisories/ZDI-17-210/

https://www.zerodayinitiative.com/advisories/ZDI-17-211/

https://www.zerodayinitiative.com/advisories/ZDI-17-212/

https://www.zerodayinitiative.com/advisories/ZDI-17-213/

https://www.zerodayinitiative.com/advisories/ZDI-17-214/

https://www.zerodayinitiative.com/advisories/ZDI-17-215/

https://www.zerodayinitiative.com/advisories/ZDI-17-216/

https://www.zerodayinitiative.com/advisories/ZDI-17-217/

https://www.zerodayinitiative.com/advisories/ZDI-17-218/

https://www.zerodayinitiative.com/advisories/ZDI-17-219/

https://www.zerodayinitiative.com/advisories/ZDI-17-220/

https://www.zerodayinitiative.com/advisories/ZDI-17-221/

https://www.zerodayinitiative.com/advisories/ZDI-17-222/

https://www.zerodayinitiative.com/advisories/ZDI-17-223/

https://www.zerodayinitiative.com/advisories/ZDI-17-224/

https://www.zerodayinitiative.com/advisories/ZDI-17-225/

https://www.zerodayinitiative.com/advisories/ZDI-17-226/

https://www.zerodayinitiative.com/advisories/ZDI-17-227/

https://www.zerodayinitiative.com/advisories/ZDI-17-228/

https://www.zerodayinitiative.com/advisories/ZDI-17-229/

https://www.zerodayinitiative.com/advisories/ZDI-17-230/

https://www.zerodayinitiative.com/advisories/ZDI-17-231/

https://www.zerodayinitiative.com/advisories/ZDI-17-232/

https://www.zerodayinitiative.com/advisories/ZDI-17-233/

Plugin Details

Severity: Critical

ID: 99248

File Name: trendmicro_iwsva_6_5_1746.nasl

Version: 1.5

Type: local

Family: Firewalls

Published: 2017/04/07

Modified: 2018/11/15

Dependencies: 82592

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:trendmicro:interscan_web_security_virtual_appliance

Required KB Items: Host/TrendMicro/IWSVA/version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/03/28

Vulnerability Publication Date: 2017/03/28

Reference Information

CVE: CVE-2017-6338, CVE-2017-6339, CVE-2017-6340

ZDI: ZDI-17-193, ZDI-17-194, ZDI-17-195, ZDI-17-196, ZDI-17-197, ZDI-17-198, ZDI-17-199, ZDI-17-200, ZDI-17-201, ZDI-17-202, ZDI-17-203, ZDI-17-204, ZDI-17-205, ZDI-17-206, ZDI-17-207, ZDI-17-208, ZDI-17-209, ZDI-17-210, ZDI-17-211, ZDI-17-212, ZDI-17-213, ZDI-17-214, ZDI-17-215, ZDI-17-216, ZDI-17-217, ZDI-17-218, ZDI-17-219, ZDI-17-220, ZDI-17-221, ZDI-17-222, ZDI-17-223, ZDI-17-224, ZDI-17-225, ZDI-17-226, ZDI-17-227, ZDI-17-228, ZDI-17-229, ZDI-17-230, ZDI-17-231, ZDI-17-232, ZDI-17-233