SNS Advisory No.29 Trend Micro Virus Control System(VCS) Unauthenticated CGI Usage Vulnerability
Problem first discovered: 25 May 2001 Published: 7 Jun 2001 Last Updated: 7 Jun 2001
The vulnerability was found in a CGI program included in TrendMicro Virus Control System(VCS). It may be possible for a remote user to access administrative program and data without authentication.
VCS is a software package designed to operate and manage anti virus product included in gateways, file servers, groupwares and clients.
In order to manage VCS, an administrator accesses with following URL.
Password for its administrator is required then normally. By calling a certain CGI program with unusual way, it is possible to change its configuration and view configuration files.
Details can not be disclosed now because it has not been fixed yet and it will not be fixed immediately.
Virus Control System(VCS) Ver.1.8 Japanese Virus Control System(VCS) Ver.1.8 English
Windows 2000 Server Japanese Windows 2000 Server English
No patches are available now. Trend Micro support team responded that this problem will be fixed end of this year.
Until the patch will be released, set up access control to refuse access to servers in which VCS is installed by non-administrative user.
MIWA Nobuo (LAC / firstname.lastname@example.org)
All information in this advisories are subject to change without any advanced notices neither mutual consensus, and each of them is released as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences caused by applying those information.
Archive of this advisory: http://www.lac.co.jp/security/english/snsadv_e/29_e.html
SNS Advisory: http://www.lac.co.jp/security/english/snsadv_e/
Secure Net Service(SNS) Security Advisory <email@example.com> Computer Security Laboratory, LAC http://www.lac.co.jp/security/