[SNS Advisory No.29] Trend Micro Virus Control System(VCS) Unauthenticated CGI Usage Vulnerability

2001-06-08T00:00:00
ID SECURITYVULNS:DOC:1705
Type securityvulns
Reporter Securityvulns
Modified 2001-06-08T00:00:00

Description

SNS Advisory No.29 Trend Micro Virus Control System(VCS) Unauthenticated CGI Usage Vulnerability

Problem first discovered: 25 May 2001 Published: 7 Jun 2001 Last Updated: 7 Jun 2001


Overview

The vulnerability was found in a CGI program included in TrendMicro Virus Control System(VCS). It may be possible for a remote user to access administrative program and data without authentication.

Problem

VCS is a software package designed to operate and manage anti virus product included in gateways, file servers, groupwares and clients.

In order to manage VCS, an administrator accesses with following URL.

http://VCSServer/tvcs/EnterPassword.html

Password for its administrator is required then normally. By calling a certain CGI program with unusual way, it is possible to change its configuration and view configuration files.

Details can not be disclosed now because it has not been fixed yet and it will not be fixed immediately.

Tested Version

Virus Control System(VCS) Ver.1.8 Japanese Virus Control System(VCS) Ver.1.8 English

Tested OS

Windows 2000 Server Japanese Windows 2000 Server English

Patch Information

No patches are available now. Trend Micro support team responded that this problem will be fixed end of this year.

Until the patch will be released, set up access control to refuse access to servers in which VCS is installed by non-administrative user.

Discovered by

    MIWA Nobuo (LAC / n-miwa@lac.co.jp)

Disclaimer

All information in this advisories are subject to change without any advanced notices neither mutual consensus, and each of them is released as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences caused by applying those information.

References

Archive of this advisory: http://www.lac.co.jp/security/english/snsadv_e/29_e.html

SNS Advisory: http://www.lac.co.jp/security/english/snsadv_e/

LAC: http://www.lac.co.jp/security/english/


Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp> Computer Security Laboratory, LAC http://www.lac.co.jp/security/