Trend Micro informed customers this week that an update for its InterScan Web Security Virtual Appliance (IWSVA) patches several potentially serious vulnerabilities, including ones that can be exploited to remotely take control of the appliance.
The vulnerabilities were discovered by Wolfgang Ettlinger, a researcher at Austria-based cybersecurity consultancy SEC Consult, and they were reported to Trend Micro in the summer of 2019. However, the vendor only managed to completely patch all of the security holes in late November 2020, with the release of IWSVA 6.5 SP2 CP b1919.
While the validation and patching process took a fairly long time, SEC Consult told SecurityWeek that the Trend Micro PSIRT handled the issue very professionally, “in contrast to other larger companies we have encountered in the past.”
Trend Micro IWSVA is a web gateway that helps enterprises protect their systems against online threats, while also providing real-time visibility and control of employee internet usage.
Ettlinger identified a total of six types of vulnerabilities in the IWSVA product, including CSRF protection bypass, XSS, authorization and authentication bypass, command execution, and command injection issues, a majority of which have been classified as high severity.
SEC Consult told SecurityWeek that it has identified three attack scenarios that can exploit these vulnerabilities. In one of them, an attacker can gain root access to a targeted appliance remotely from the internet by chaining the CSRF and command execution vulnerabilities.
In another scenario, an attacker with access to the HTTP proxy port could exploit the authentication/authorization bypass vulnerabilities and the command execution flaw to take over the appliance as root, without user or admin interaction.
In the third attack scenario described by the company, an attacker with network access to the admin interface could exploit the command injection vulnerability — which affects the login process under certain configurations — to execute arbitrary OS commands on the appliance as a user named “iscan” and possibly elevate privileges.
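The chains above combine a missing request-forgery check with a handler that builds an OS command from request input. The following Python sketch is an added illustration written for this page; it is not IWSVA code and is not taken from SEC Consult's advisory. The admin action (a "connectivity test" that shells out to `echo` as a harmless stand-in for a real diagnostic tool), the session store, the `EXPECTED_ORIGIN` value and all function names are assumptions. It shows why a cookie-only handler can be driven by a forged cross-site POST from the administrator's browser, why interpolating the host into a shell string lets that POST run arbitrary commands with the web process's privileges (root, in the first scenario described above), and what the hardened handler checks instead.

```python
import hmac
import re
import secrets
import subprocess

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}.
SESSIONS = {}

# Assumed origin of the appliance's admin interface (hypothetical hostname).
EXPECTED_ORIGIN = "https://appliance.example"


def new_session(user):
    """Create a session with a per-session CSRF token (hypothetical helper)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def vulnerable_handler(sid, form):
    """Admin action that is exploitable by the CSRF + command-execution chain.

    Two defects, kept on purpose:
    1. Only the session cookie is checked, so a POST auto-submitted from an
       attacker's page in the admin's browser is accepted (CSRF).
    2. The 'host' field is spliced into a shell command line, so metacharacters
       such as ';' run extra commands as whatever user the web process is.
    `echo` stands in for a real diagnostic tool so the example runs offline.
    """
    if sid not in SESSIONS:
        return 401, ""
    cmd = "echo pinging %s" % form.get("host", "")
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return 200, out.stdout


def hardened_handler(sid, form, origin):
    """Same action with the checks a hardened appliance would perform."""
    if sid not in SESSIONS:
        return 401, ""
    sess = SESSIONS[sid]
    # CSRF: a forged cross-site request carries the cookie but cannot read the
    # per-session token, so require it in the body and compare in constant time.
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return 403, ""
    # Defence in depth: browsers attach Origin to cross-site POSTs; reject mismatches.
    if origin != EXPECTED_ORIGIN:
        return 403, ""
    # Command injection: validate against an allowlist of hostname characters ...
    host = form.get("host", "")
    if not re.fullmatch(r"[A-Za-z0-9.\-]{1,253}", host):
        return 400, ""
    # ... and never go through a shell; pass the argument vector directly.
    out = subprocess.run(["echo", "pinging", host], capture_output=True, text=True)
    return 200, out.stdout


if __name__ == "__main__":
    sid = new_session("admin")
    forged = {"host": "10.0.0.1; echo INJECTED"}  # body of a forged cross-site POST
    print("vulnerable:", vulnerable_handler(sid, forged))
    print("hardened, no token:", hardened_handler(sid, forged, "https://attacker.example"))
    good = {"host": "10.0.0.1", "csrf": SESSIONS[sid]["csrf"]}
    print("hardened, legitimate:", hardened_handler(sid, good, EXPECTED_ORIGIN))
```

The forged request in `__main__` is what the admin's browser would send after loading an attacker-controlled page: the cookie rides along automatically, the token does not. The vulnerable handler runs the injected second command; the hardened one stops at the token check, and even a request that carries a valid token cannot inject because the host is allowlisted and passed as an argv element rather than through `/bin/sh`.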
While it’s unclear exactly how many organizations are using the affected Trend Micro product, SEC Consult told SecurityWeek that it has notified cybersecurity agencies in Germany and Austria, and learned that the product is used by major corporations and even government organizations.
SEC Consult has published an advisory containing technical information for each of the vulnerabilities, but the company says it is not releasing the actual PoC exploits. A video demonstrating an attack has also been made available.
“We are aware of the vulnerabilities found in the IWSVA product and commend SEC Consult for responsibly disclosing them and working closely with us to resolve the issues,” Trend Micro told SecurityWeek in an emailed statement. “We have released a critical patch that resolves these vulnerabilities and the solution is available now. We recommend customers apply the patch and review our bulletin for some additional best practice configuration recommendations.”