JVNVU#99357827
Smart Protection Server vulnerable to OS command injection
Overview
Smart Protection Server contains an OS command injection vulnerability.
Products Affected
- Smart Protection Server 3.1
- Smart Protection Server 3.2 build 1074
- Smart Protection Server 3.2 build 1078
Description
Smart Protection Server provided by Trend Micro Incorporated contains an OS command injection vulnerability (CWE-78).
The vendor's security bulletin says: "In particular, cm_agent.php did not sanitize input parameters before executing a system command."
Impact
An arbitrary OS command may be executed by a user who can log on to the Product Console.
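The weakness the bulletin describes (CWE-78: a request parameter reaching a system command unsanitized) is illustrated below with added PHP; this is a hypothetical example written for this page, not the contents of cm_agent.php, which the advisory does not reproduce. The function names and the hostname parameter are assumptions.

```php
<?php
// Added illustration of CWE-78 (OS command injection) in PHP. Hypothetical code,
// not the code of cm_agent.php. Nothing here executes a command; both functions
// only build the command string so the difference can be inspected safely.

// Vulnerable pattern: the request parameter is concatenated straight into a
// shell command line, so any shell metacharacter in it changes what runs.
function buildCommandVulnerable(string $host): string
{
    return "ping -c 1 " . $host;
}

// Hardened pattern: validate against a strict allowlist of characters a
// hostname may contain, reject anything else, and quote the value anyway
// with escapeshellarg() as defense in depth. (Where the shell is not needed
// at all, PHP 7.4+ proc_open() also accepts the command as an array, which
// bypasses the shell entirely.)
function buildCommandHardened(string $host): ?string
{
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        return null; // reject rather than attempt to "clean" the input
    }
    return "ping -c 1 " . escapeshellarg($host);
}

// Sample inputs, constructed for this illustration: one ordinary hostname and
// one value carrying a shell metacharacter.
$inputs = [
    'example.com',
    'example.com; echo injected',
];

foreach ($inputs as $value) {
    printf("input:      %s\n", $value);
    printf("vulnerable: %s\n", buildCommandVulnerable($value));
    printf("hardened:   %s\n\n", buildCommandHardened($value) ?? '(rejected)');
}
```

The second input shows the point of the advisory: the vulnerable builder hands the shell two commands, while the hardened builder rejects the value before any command is formed.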
Solution
Use the latest installer
When installing the product for the first time, be sure to use the latest installer according to the information provided by the developer.
Apply a Workaround
According to the developer, when using Smart Protection Server 3.1, 3.2 build 1074, or 3.2 build 1078, the administrator can manually remove the vulnerable script.
- Log on to Smart Protection Server with the root account and execute the following command to remove the script file "cm_agent.php".
rm -f /var/www/AdminUI/php/cm_agent.php
For more information, refer to the information provided by the developer.
Vendor Status
Vendor | Link |
Trend Micro Incorporated | SECURITY BULLETIN: Trend Micro Smart Protection Server (Standalone) 3.x OS Command Injection Vulnerability |
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Trend Micro Incorporated and JPCERT/CC coordinated.
Other Information
CVE | CVE-2017-11395 |