SNS Advisory No.29 Trend Micro Virus Control System(VCS) Unauthenticated CGI Usage Vulnerability Problem first discovered: 25 May 2001 Published: 7 Jun 2001 Last Updated: 7 Jun 2001 ---------------------------------------------------------------------- Overview -------- The vulnerability was found in a CGI program included in TrendMicro Virus Control System(VCS). It may be possible for a remote user to access administrative program and data without authentication. Problem ------- VCS is a software package designed to operate and manage anti virus product included in gateways, file servers, groupwares and clients. In order to manage VCS, an administrator accesses with following URL. http://VCSServer/tvcs/EnterPassword.html Password for its administrator is required then normally. By calling a certain CGI program with unusual way, it is possible to change its configuration and view configuration files. Details can not be disclosed now because it has not been fixed yet and it will not be fixed immediately. Tested Version -------------- Virus Control System(VCS) Ver.1.8 Japanese Virus Control System(VCS) Ver.1.8 English Tested OS --------- Windows 2000 Server Japanese Windows 2000 Server English Patch Information ----------------- No patches are available now. Trend Micro support team responded that this problem will be fixed end of this year. Until the patch will be released, set up access control to refuse access to servers in which VCS is installed by non-administrative user. Discovered by ------------- MIWA Nobuo (LAC / n-miwaat_private) Disclaimer ----------- All information in this advisories are subject to change without any advanced notices neither mutual consensus, and each of them is released as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences caused by applying those information. References ---------- Archive of this advisory: http://www.lac.co.jp/security/english/snsadv_e/29_e.html SNS Advisory: http://www.lac.co.jp/security/english/snsadv_e/ LAC: http://www.lac.co.jp/security/english/ ------------------------------------------------------------------ Secure Net Service(SNS) Security Advisory <snsadvat_private> Computer Security Laboratory, LAC http://www.lac.co.jp/security/
This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 08:46:44 PDT