JVNVU#95587881
Deep Discovery Email Inspector vulnerable to arbitrary code execution
Overview
Deep Discovery Email Inspector provided by Trend Micro Incorporated contains an arbitrary code execution vulnerability.
Products Affected
- Deep Discovery Email Inspector Version 2.5.1 prior to Critical Patch b1182
Description
Deep Discovery Email Inspector provided by Trend Micro Incorporated contains an arbitrary code execution vulnerability due to an issue in uploading files.
Impact
An unauthenticated remote attacker may upload an arbitrary file to the system where the product resides. As a result, arbitrary code may be executed with the root privilege.
Solution
Apply the Patch
Apply the appropriate patch according to the information provided by the developer.
The developer has released the patch listed below to fix this vulnerability.
- Deep Discovery Email Inspector 2.5.1 Critical Patch b1182
Vendor Status
| Vendor | Link |
| Trend Micro Incorporated | SECURITY BULLETIN: Trend Micro Deep Discovery Email Inspector (DDEI) 2.5.1 Arbitrary File Upload Remote Code Execution Vulnerability(ZDI-CAN-4427) |
References
JPCERT/CC Addendum
This advisory mentions the vulnerability that is published on the TippingPoint Zero Day Initiative advisory, ZDI-17-283.
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.