Trend Micro releases Patch for "OfficeScan Unauthenticated CGI U sage" vulnerability

[Richard_Sheng () TRENDMICRO COM (Richard Sheng)]

Patch Available for "OfficeScan Unauthenticated CGI Usage" Vulnerability

Security Focus BugTraq ID: 1057

Posted: March 22, 2000

Summary
=======
Trend Micro has released a patch that eliminates server security
vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier
versions, running on Windows NT 4 server with Internet Information Server
(IIS). These versions of OfficeScan allow intruders within a firewall to
invoke OfficeScan CGIs on the server without authentication - bypassing
OfficeScan management console password protection. These OfficeScan CGIs are
intended for administrator to manage OfficeScan antivirus running on
networked workstations via the OfficeScan management console. By gaining
access to execute these CGIs, hackers can use them to change OfficeScan
antivirus configurations or to uninstall OfficeScan antivirus on the
desktops.

Issues
======
Trend OfficeScan version 3.51 or earlier versions apply inadequate security
settings on the OfficeScan server CGI components. If a malicious user, has
the ability to connect to the OfficeScan server via a web browser, these
CGIs can be executed to send valid commands - including uninstall command -
to OfficeScan clients. In addition, OfficeScan's implementation of user
authentication in its management console - password protection - was
insufficiently encrypted, and allows a malicious user to decrypt and gain
access to the OfficeScan management console.

Implementation
==============
Trend Micro has released a patch that will secure access to the OfficeScan
CGIs on the server. The patch program changes the file permissions on the
OfficeScan CGIs, so only administrators can access and execute them. This
patch works only on drives formatted to use Windows NT file system (NTFS).
After applying this patch, hackers will no longer be able to remotely invoke
OfficeScan CGIs without being authenticated as a administrator by NTFS
security.

This patch also prevents hackers, who sniffs for OfficeScan management
console password over the network, from gaining access to the OfficeScan
management console. Access to the OfficeScan management console or to
execute OfficeScan CGIs now requires NTFS authentication.

Affected Software Versions
==========================
Trend OfficeScan Corporate Edition 3.0
Trend OfficeScan Corporate Edition 3.11
Trend OfficeScan Corporate Edition 3.13
Trend OfficeScan Corporate Edition 3.50
Trend OfficeScan Corporate Edition 3.51
Trend OfficeScan for Microsoft SBS 4.5

This vulnerability is only present when the above software version is
installed on a Windows NT server with IIS. It is not present when the above
software version is installed on Novell NetWare servers or Windows NT server
without IIS.

Patch Availability
==================
OfficeScan Unauthenticated CGI Usage patch can be downloaded from:

        http://www.antivirus.com/download/ofce_patch.htm

More Information
================
Please see the following references for more information related to this
issue.
 - Trend Micro Security Bulletin:
        http://www.antivirus.com/download/ofce_patch_351.htm

 - Frequently Asked Questions: Trend Micro Knowledge Base
   http://solutionbank.antivirus.com/solutions/faqResult.asp?product=8

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Trend Micro
Technical Support is available at http://www.trend.com/support/default.htm

Acknowledgements
================
Trend Micro thanks Gregory Duchemin http://www.securite-internet.com and
Elias Levy http://www.securityfocus.com  for reporting the OfficeScan server
vulnerability to us, and working with us to protect our customers.

===========================
Richard Sheng
Product Manager
Trend Micro, Inc.
email: richard_sheng () trendmicro com
tel: 408-257-1500
==============================