JVNVU#91054129
Multiple vulnerabilities in Trend Micro OfficeScan

Overview

Trend Micro OfficeScan provided by Trend Micro Incorporated contains multiple vulnerabilities.

Products Affected

• OfficeScan XG (12.0)
• OfficeScan 11.0 SP1

Description

Trend Micro OfficeScan provided by Trend Micro Incorporated contains multiple vulnerabilities; command injection, information disclosure, buffer overflow, denial-of-service (DoS), etc.

Impact

• A remote attacker may execute an arbitrary command. - CVE-2017-11393, CVE-2017-11394
• A remote attacker may obtain specific files on the server. - CVE-2017-14083
• A remote attacker may execute an arbitrary code via man-in-the-middle attack. - CVE-2017-14084
• A remote attacker may view the PHP version and modules. - CVE-2017-14085
• A remote attacker may cause a denial-of-service (DoS) condition. - CVE-2017-14086
• A remote attacker may inject a malicious http header resulting in a link in the generated pages pointing to a malicious website. - CVE-2017-14087
• A remote attacker may execute an arbitrary code. - CVE-2017-14088
• A remote attacker may cause a memory corruption by sending a malicious http request. - CVE-2017-14089

Solution

Apply a patch
Apply the patches with the latest build number.
According to the developer, the following patch builds fix the issues, and any newer patches contain the fixes too.

- CVE-2017-11393 and CVE-2017-11394:

• OfficeScan XG (12.0) CP 1641
• OfficeScan 11.0 SP1 CP 6392

• OfficeScan XG (12.0) CP 1708
• OfficeScan 11.0 SP1 CP 6426