MiTM and remote code vulnerabilities found in Trend Micro ServerProtect

News by Rene Millman

Researchers from Core Security discovered multiple vulnerabilities in the web-based management console of Trend Micro ServerProtect.

Flaws in Trend Micro's ServerProtect product could enable criminals to mount a man-in-the-middle attack or run remote code as root.

According to a security advisory by Core Security, vulnerabilities were found in the ServerProtect for Linux update mechanism, allowing remote code execution as root.

Researchers said that there were two ways to carry this out: one via a man-in-the-middle attack and another one via exploiting vulnerabilities in the web-based management console that is bundled with the product.

The vulnerable product itself is Trend Micro ServerProtect for Linux 3.0-1061 with SP1 patch 7. The software it used to protect Linux computers from viruses, rootkits and data-stealing malware “while simplifying and automating security operations on servers and storage systems,” according to Trend Micro. 

The researchers said that there was an insecure update mechanism that allows an attacker to overwrite sensitive files, including binaries, and achieve remote code execution as root.

All communication with update servers from the product are unencrypted, meaning hackers can intercept data and read it easily without having to crack any encryption. It doesn't use HTTPS when it should do.

“This means that the product does not do any kind of certificate validation or public key pinning, which makes it easier for an attacker to eavesdrop and tamper [with] the data,” said researchers.

The update packages are not signed or validated in any form other than matching the expected size described in the server.ini file.

“An attacker can overwrite sensitive files in the ServerProtect's directory, including shared libraries. Some interesting examples are the and files, which result in code execution in the context of the application, which is running as root,” said researchers.

Also discovered were two issues that were vulnerable to cross-site scripting. They also said that the web-based management console allowed users to set the quarantine directory to any location on the file system. An unauthenticated user could also change quarantine directory settings by exploiting vulnerabilities mentioned earlier. Files flagged as suspicious by the scanner are then moved to that directory without changing its name.

“Quarantine files are owned by root and its permissions are changed to 0600. This effectively allows a local user to write the file that is put in quarantine to an arbitrary location with root permissions, which could lead to privilege escalation. Being able to write to the file system as root opens the door to several privilege escalation vectors on Linux machines,” said the advisory.

“During the next scan, that file will be flagged as a virus (it contains EICAR test file as part of it), and it will be written by root to the directory we have chosen as the Quarantine directory, effectively placing it on /etc/cron.d. When the cron job gets triggered, /tmp/test is executed as root,” researchers warned.

Trend Micro was able to patch the flaw before the vulnerability went public.

Javvad Malik, security advocate at AlienVault, told SC Media UK, that this is another good example of responsible and coordinated disclosure with details of the vulnerability not being released until after Trend Micro had a chance to validate and issue a patch.

“Customers that haven't downloaded and applied the patch should do so not just for this product, but in line with maintaining patching on all products and infrastructure. While some vulnerabilities may appear trivial, they could provide an opening for attackers looking to gain a foothold within an enterprise from where they can move across to other sensitive systems,” he said.

“Due to this persistent threat, organisation should deploy threat detection and response controls that continually look across the network, hosts, and cloud infrastructure to monitor for suspicious or unusual activity that could be indicative of an attack.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews