Published: 2021/01/05  Last Updated: 2021/01/05

JVNVU#98351146
Multiple vulnerabilities in InterScan Web Security Virtual Appliance (IWSVA)

Overview

InterScan Web Security Virtual Appliance (IWSVA) provided by Trend Micro Incorporated contains multiple vulnerabilities.

Products Affected

  • InterScan Web Security Virtual Appliance (IWSVA) version 6.5 SP2

Description

InterScan Web Security Virtual Appliance (IWSVA) provided by Trend Micro Incorporated contains multiple vulnerabilities listed below.

  • Stack-based buffer overflow (CWE-121) - CVE-2020-28578
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score: 7.3
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
  • Stack-based buffer overflow (CWE-121) - CVE-2020-28579
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Base Score: 6.3
    CVSS v2 AV:N/AC:M/Au:S/C:P/I:P/A:P Base Score: 6.0
  • OS command injection (CWE-78) - CVE-2020-28580
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L Base Score: 4.7
    CVSS v2 AV:N/AC:H/Au:S/C:P/I:P/A:P Base Score: 4.6
  • OS command injection (CWE-78) - CVE-2020-28581
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L Base Score: 4.7
    CVSS v2 AV:N/AC:H/Au:S/C:P/I:P/A:P Base Score: 4.6
 

Impact

  • An unauthenticated remote attacker may execute arbitrary code - CVE-2020-28578
  • An authenticated remote attacker may execute arbitrary code - CVE-2020-28579
  • An authenticated remote attacker with high privileges (CVSS v3 PR:H, CVSS v2 Au:S) may execute arbitrary OS commands with elevated privileges - CVE-2020-28580, CVE-2020-28581

Solution

Apply the patch
Apply the appropriate patch according to the information provided by the developer.

Apply workaround
Applying the following workaround may mitigate the impacts of these vulnerabilities.

  • Restrict access to the TCP port of the management console (default port: 8443/TCP) to trusted hosts and users only.

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Other Information

CVE CVE-2020-28578
CVE-2020-28579
CVE-2020-28580
CVE-2020-28581