Published: 2020/09/23 Last Updated: 2020/09/23
JVNVU#91216654
ServerProtect for Linux vulnerable to OS command injection
Overview
ServerProtect for Linux contains an OS command injection vulnerability.
Products Affected
- ServerProtect for Linux (SPLX) Version 3.0
Description
ServerProtect for Linux provided by Trend Micro Incorporated contains an OS command injection vulnerability (CWE-78).
Impact
A remote authenticated attacker may execute arbitrary code.
Solution
Apply the Patch
Apply the appropriate patch according to the information provided by the developer.
The developer has released the following patch, which contains the countermeasure for this vulnerability.
- Version 3.0 CP1633
Apply the Workaround
Applying the following workarounds may mitigate the impacts of this vulnerability.
- Only accept connections to the SPLX console from trusted users and connection sources
Vendor Status
Vendor | Link |
---|---|
Trend Micro Incorporated | CRITICAL SECURITY BULLETIN: Trend Micro ServerProtect for Linux Command Injection Vulnerability |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base Score: 9.1
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | ||
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | ||
Scope(S) | Unchanged (U) | Changed (C) | ||
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Other Information
CVE |
CVE-2020-24561 |