
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN384
____________________________________________________________________

DATE                : 27/09/2012

HARDWARE PLATFORM(S): /


OPERATING SYSTEM(S) : Systems running Trend Micro Control Manager
                        versions 3.0, 3.5, 5.0, 5.5, 6.0.

======================================================================
http://esupport.trendmicro.com/solution/en-us/1061043.aspx
______________________________________________________________________

Solution ID	Last Updated
1061043	Date : 2012/09/24 Time: 6:08 PM (PST)


Product/Version	              Platform
Control Manager -
3.0, 3.5, 5.0, 5.5, 6.0       Windows - 2000 Advanced Server,
                               2000 Server, 2003 Enterprise,
                               2003 Server R2, 2003 Standard,
                               2008 Enterprise, 2008 Enterprise 64-bit,
                               2008 Server R2, 2008 Standard,
                               2008 Standard 64-bit


    Details

Problem Description

Trend Micro has been notified of a potential product vulnerability in
Control Manager.
According to the report, first made by CERT, the vulnerability enables
SQL injection attacks, allowing remote attackers to execute SQL
commands to upload and execute arbitrary code that may harm the target
system.


Solution

Trend Micro has confirmed that this is a product vulnerability and
impacts TMCM 6.0 and other versions.
Trend Micro filters user-supplied input to make sure that no string
contains damaging commands before execution.


Critical patches for this vulnerability are now available:

    TMCM 5.5 -
http://www.trendmicro.com/ftp/products/tmcm/tmcm_55_sp1_patch2_win_en_criticalpatch1823.exe
    TMCM 6.0 -
http://www.trendmicro.com/ftp/products/tmcm/tmcm_60_patch1_win_en_criticalpatch1449.exe

Contact: Jeremy Wu (RD-TW)
Source: Vulnerability Awareness : TT251952: [TMCM 6, VU#950795] Trend
Micro Control Manager does not properly filter user-supplied input.


======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
