Published:2020/08/31  Last Updated:2020/08/31

JVNVU#90813748
Multiple vulnerabilities in Trend Micro Deep Security Manager and Vulnerability Protection

Overview

Trend Micro Deep Security Manager and Vulnerability Protection provided by Trend Micro Incorporated contain multiple vulnerabilities.
Products Affected

  • Deep Security Manager 10.0, 11.0, 12.0
  • Vulnerability Protection Version 2.0 SP2

Description

Trend Micro Deep Security Manager and Vulnerability Protection provided by Trend Micro Incorporated contain the multiple vulnerabilities listed below.

  • Improper validation of integrity check value (CWE-354) - CVE-2020-8602
    Arbitrary code may be executed remotely by abusing the vulnerable integrity check of input files on the DSM/VPM console.
    CVSS v3: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H  Base Score: 7.2
  • Improper authentication (CWE-287) - CVE-2020-15601
    DSM/VPM authentication may be bypassed when LDAP authentication is enabled.
    CVSS v3: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  Base Score: 8.1

Impact

  • A remote authenticated attacker may execute arbitrary code - CVE-2020-8602
  • A remote attacker can bypass DSM/VPM authentication - CVE-2020-15601

Solution

Apply the Patch
Apply the appropriate patch according to the information provided by the developer.
The developer has released the patches listed below, which contain the countermeasures for these vulnerabilities.

  • Deep Security Manager 10.0 U27, 11.0 U22, 12.0 U11
  • Vulnerability Protection Version 2.0 SP2 Patch7 CP5

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of their solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2020-8602, CVE-2020-15601