COMMAND
Virus Buster
SYSTEMS AFFECTED
Trend Micro Virus Buster Ver.3.5x
PROBLEM
Following is based on a SNS Advisory No.38. Trend Micro Virus
Buster (a.k.a Officescan Corporate Edition) contains a
vulnerability which allows attacker to read arbitrary files with
IUSER privilege.
Trend Micro Virus Buster is antivirus software for the enterprise
use. It provides central virus reporting, automatic virus pattern
updates, and Web-based remote management console. A vulnerability
lies in cgiWebupdate.exe, which is one of the CGI programs which
used for remote management. This problem can allow remote users
to read arbitrary files with IUSER privilege. "Virus Buster
Corporate Edition" is provided only as Japanese version which is
a.k.a "Officescan Corporate Edition" as English version.
Tested Version:
- Trend Micro Virus Buster Corporate Edition Version 3.52
- Trend Micro Virus Buster Corporate Edition Version 3.53
- Trend Micro Virus Buster Corporate Edition Version 3.54
Discovered by Nobuo Miwa.
SOLUTION
The patch is available from the following site:
http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionId=3086
Credits
-- UnKnown --
|