Bugtraq mailing list archives
Trend Micro releases Patch for "OfficeScan Unauthenticated CGI Usage" vulnerability
From: Richard_Sheng () TRENDMICRO COM (Richard Sheng)
Date: Wed, 22 Mar 2000 23:13:51 -0800
Patch Available for "OfficeScan Unauthenticated CGI Usage" Vulnerability

Security Focus BugTraq ID: 1057
Posted: March 22, 2000

Summary
=======
Trend Micro has released a patch that eliminates server security vulnerabilities found in OfficeScan Corporate Edition 3.51 or earlier versions, running on Windows NT 4 server with Internet Information Server (IIS). These versions of OfficeScan allow intruders within a firewall to invoke OfficeScan CGIs on the server without authentication, bypassing OfficeScan management console password protection.

These OfficeScan CGIs are intended for administrators to manage OfficeScan antivirus running on networked workstations via the OfficeScan management console. By gaining access to execute these CGIs, hackers can use them to change OfficeScan antivirus configurations or to uninstall OfficeScan antivirus on the desktops.

Issues
======
Trend OfficeScan version 3.51 or earlier versions apply inadequate security settings to the OfficeScan server CGI components. If a malicious user has the ability to connect to the OfficeScan server via a web browser, these CGIs can be executed to send valid commands, including the uninstall command, to OfficeScan clients.

In addition, the password that protects the OfficeScan management console was insufficiently encrypted, which allows a malicious user to decrypt it and gain access to the OfficeScan management console.

Implementation
==============
Trend Micro has released a patch that will secure access to the OfficeScan CGIs on the server. The patch program changes the file permissions on the OfficeScan CGIs, so only administrators can access and execute them. This patch works only on drives formatted to use the Windows NT file system (NTFS). After applying this patch, hackers will no longer be able to remotely invoke OfficeScan CGIs without being authenticated as an administrator by NTFS security.

This patch also prevents hackers who sniff for the OfficeScan management console password over the network from gaining access to the OfficeScan management console. Accessing the OfficeScan management console or executing OfficeScan CGIs now requires NTFS authentication.

Affected Software Versions
==========================
Trend OfficeScan Corporate Edition 3.0
Trend OfficeScan Corporate Edition 3.11
Trend OfficeScan Corporate Edition 3.13
Trend OfficeScan Corporate Edition 3.50
Trend OfficeScan Corporate Edition 3.51
Trend OfficeScan for Microsoft SBS 4.5

This vulnerability is only present when one of the above software versions is installed on a Windows NT server with IIS. It is not present when one of the above software versions is installed on Novell NetWare servers or on a Windows NT server without IIS.

Patch Availability
==================
The OfficeScan Unauthenticated CGI Usage patch can be downloaded from:
http://www.antivirus.com/download/ofce_patch.htm

More Information
================
Please see the following references for more information related to this issue.

- Trend Micro Security Bulletin:
  http://www.antivirus.com/download/ofce_patch_351.htm
- Frequently Asked Questions: Trend Micro Knowledge Base
  http://solutionbank.antivirus.com/solutions/faqResult.asp?product=8

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Trend Micro Technical Support is available at
http://www.trend.com/support/default.htm

Acknowledgements
================
Trend Micro thanks Gregory Duchemin http://www.securite-internet.com and Elias Levy http://www.securityfocus.com for reporting the OfficeScan server vulnerability to us, and working with us to protect our customers.

===========================
Richard Sheng
Product Manager
Trend Micro, Inc.
email: richard_sheng () trendmicro com
tel: 408-257-1500
==============================
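One way to confirm the permission change described under "Implementation" is to audit the NTFS ACLs on the CGI directory. This is an added example using PowerShell's Get-Acl, not Trend Micro's patch or code; the directory path is a placeholder, and treating SYSTEM as allowed alongside Administrators is an assumption.

```powershell
# Added example: list ACEs that still let a non-administrator read or run the CGIs.
param(
    # Placeholder: the advisory does not give the OfficeScan CGI directory.
    [string]$CgiDir = 'C:\PLACEHOLDER\OfficeScan-CGI'
)

# Assumption: only BUILTIN\Administrators and SYSTEM should keep access.
# Well-known SIDs are used so localized group names do not matter.
$AllowedSids = @('S-1-5-32-544', 'S-1-5-18')

# Rights that let a caller open or execute a CGI binary.
$Rights = [System.Security.AccessControl.FileSystemRights]
$Risky  = [int]($Rights::ReadData -bor $Rights::ExecuteFile)

function Get-NonAdminCgiAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Assumes a local drive path; file permissions only exist on NTFS volumes.
    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    $root = [System.IO.Path]::GetPathRoot($full)
    $fs   = (New-Object System.IO.DriveInfo $root).DriveFormat
    if ($fs -ne 'NTFS') {
        Write-Warning "$root is formatted $fs, not NTFS; ACLs cannot protect these files."
        return
    }

    $items = @(Get-Item -LiteralPath $full -Force) +
             @(Get-ChildItem -LiteralPath $full -Recurse -Force)
    foreach ($item in $items) {
        $acl  = Get-Acl -LiteralPath $item.FullName
        # Include explicit and inherited entries, resolved to SIDs.
        $aces = $acl.GetAccessRules($true, $true,
                    [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $aces) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries are not evaluated
            if (([int]$ace.FileSystemRights -band $Risky) -eq 0) { continue }
            if ($AllowedSids -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-NonAdminCgiAce -Path $CgiDir | Format-Table -AutoSize
```

An empty result means every remaining Allow entry that grants read or execute belongs to one of the allow-listed SIDs.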