Published:2019/03/01 Last Updated:2019/03/01
JVNVU#95147316
Multiple vulnerabilities in Trend Micro ScanMail for Exchange
Overview
Trend Micro ScanMail for Exchange provided by Trend Micro Incorporated contains multiple vulnerabilities.
Products Affected
- ScanMail for Exchange Version 12.0
Description
ScanMail for Exchange provided by Trend Micro Incorporated contains multiple vulnerabilities listed below.
- Communication to the update servers is not encrypted
- Software updates downloaded from "Other Update Source" are not properly verified
- Cross-site request forgery
- Cross-site scripting
Impact
- A remote attacker may obtain the content of traffic between the product and the ActiveUpdate server. - CVE-2017-14090
- A remote attacker may overwrite files of the product with SYSTEM privilege. - CVE-2017-14091
- If a user views a malicious page while logged on, unintended operations may be performed. - CVE-2017-14092
- An arbitrary script may be executed on a logged-on user's web browser. - CVE-2017-14093
Solution
Apply a patch
Apply the patch according to the information provided by the developer.
The developer has released the following patch to address the vulnerability:
- ScanMail for Exchange SMEX 12.0 SP1 Patch 1 CP1755
Vendor Status
Vendor | Link |
Trend Micro Incorporated | SECURITY BULLETIN: Trend Micro ScanMail for Exchange 12.0 Multiple Vulnerabilities |
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Trend Micro Incorporated and JPCERT/CC coordinated.
Other Information
CVE | CVE-2017-14090 |
CVE | CVE-2017-14091 |
CVE | CVE-2017-14092 |
CVE | CVE-2017-14093 |