Lucene search

[email protected]CVE-2020-15605

HistoryAug 27, 2020 - 9:15 p.m.

CVE-2020-15605

2020-08-2721:15:12

CWE-287

[email protected]

web.nvd.nist.gov

cve-2020-15605

ldap

authentication

bypass

vulnerability

trend micro vulnerability protection 2.0 sp2

multi-factor authentication

manager authentication

saml authentication

5.1 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.8%

JSON

If LDAP authentication is enabled, an LDAP authentication bypass vulnerability in Trend Micro Vulnerability Protection 2.0 SP2 could allow an unauthenticated attacker with prior knowledge of the targeted organization to bypass manager authentication. Enabling multi-factor authentication prevents this attack. Installations using manager native authentication or SAML authentication are not impacted by this vulnerability.

Affected configurations

NVD

Node

trendmicrodeep_security_managerMatch10.0-

trendmicrodeep_security_managerMatch11.0-

trendmicrodeep_security_managerMatch12.0-

trendmicrovulnerability_protectionMatch2.0sp2

AND

microsoftwindowsMatch-

CPENameOperatorVersion
trendmicro:deep_security_managertrendmicro deep security managereq10.0
trendmicro:deep_security_managertrendmicro deep security managereq11.0
trendmicro:deep_security_managertrendmicro deep security managereq12.0
trendmicro:vulnerability_protectiontrendmicro vulnerability protectioneq2.0

CPE	Name	Operator	Version
trendmicro:deep_security_manager	trendmicro deep security manager	eq	10.0
trendmicro:deep_security_manager	trendmicro deep security manager	eq	11.0
trendmicro:deep_security_manager	trendmicro deep security manager	eq	12.0
trendmicro:vulnerability_protection	trendmicro vulnerability protection	eq	2.0

CNA Affected

[
  {
    "product": "Trend Micro Vulnerability Protection",
    "vendor": "Trend Micro",
    "versions": [
      {
        "status": "affected",
        "version": "2.0 SP2"
      }
    ]
  }
]

References

success.trendmicro.com/solution/000252039

www.zerodayinitiative.com/advisories/ZDI-20-1083/

5.1 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.8%

JSON

Related for CVE-2020-15605

nvd1 cvelist1 prion1 zdi1