
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN703
_____________________________________________________________________

DATE                : 22/12/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Trend Micro InterScan Web Security
                  Virtual Appliance versions prior to 6.5 SP2 CP b1919.

=====================================================================
https://success.trendmicro.com/solution/000283077
_____________________________________________________________________


SECURITY BULLETIN: December 2020 Security Bulletin for Trend Micro
InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2

        Updated: 17 Dec 2020
        Product/Version: Interscan Web Security Virtual Appliance 6.5
        Platform:

Summary


Release Date: December 15, 2020
CVE Identifier(s): CVE-2020-8461 through 8466, CVE-2020-27010
Platform(s): Virtual Appliance
CVSS 3.0 Score(s): 3.3 - 8.2
Severity Rating(s): Low - High


Trend Micro has made a Critical Patch (CP) available for Trend Micro
InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2. This CP
addresses multiple vulnerabilities related to CSRF protection bypass,
cross-site scripting (XSS), authorization/authentication bypass, command
execution and unauthenticated command injection.


Details

Affected Version(s)

Product    Affected Version(s)    Platform             Language(s)
IWSVA      6.5 SP2                Virtual Appliance    English


Solution

Trend Micro has created the following solution to address the issue:

Product    Updated version     Notes     Platform             Availability
IWSVA      6.5 SP2 CP b1919    Readme    Virtual Appliance    Available Now


Customers are encouraged to visit Trend Micro’s Download Center to
obtain prerequisite software (such as Service Packs) before applying any
of the solutions above.


Vulnerability Details

CVE-2020-8461:  CSRF Protection Bypass
CVSSv3: 7.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A CSRF protection bypass vulnerability in Trend Micro InterScan Web
Security Virtual Appliance 6.5 SP2 could allow an attacker to get a
victim's browser to send a specifically encoded request without
requiring a valid CSRF token.

CVE-2020-8462, CVE-2020-27010:  Cross-Site Scripting
CVSSv3: 3.3: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
Cross-site scripting (XSS) vulnerabilities in Trend Micro InterScan Web
Security Virtual Appliance 6.5 SP2 could allow an attacker to tamper
with the web interface of the product.

CVE-2020-8463:  Authorization Bypass
CVSSv3: 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance
6.5 SP2 could allow an attacker to bypass a global authorization check
for anonymous users by manipulating request paths.

CVE-2020-8464:  Authentication Bypass/SSRF
CVSSv3: 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance
6.5 SP2 could allow an attacker to send requests that appear to come
from the localhost which could expose the product's admin interface to
users who would not normally have access.

CVE-2020-8465:  Command Execution
CVSSv3: 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance
6.5 SP2 could allow an attacker to manipulate system updates using a
combination of CSRF bypass (CVE-2020-8461) and authentication bypass
(CVE-2020-8464) to execute code as user root.

CVE-2020-8466:  Unauthenticated Command Injection
CVSSv3: 8.2: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:F/RL:O/RC:C
A command injection vulnerability in Trend Micro InterScan Web Security
Virtual Appliance 6.5 SP2, with the improved password hashing method
enabled, could allow an unauthenticated attacker to execute certain
commands by providing a manipulated password.



Mitigating Factors

Exploiting these types of vulnerabilities generally requires that an
attacker have access (physical or remote) to a vulnerable machine. In
addition to timely application of patches and updated solutions,
customers are also advised to review remote access to critical systems
and ensure that policies and perimeter security are up to date.

As a matter of best practice to help protect against unauthorized access
to the product admin console, the following mitigations are also
recommended:

     Enable Management Access Control in IWSVA to set ACLs that restrict
     access to the management console to a specific IP or IP range that
     is trusted in your organization.

     Utilize other security tools in the environment (e.g. a firewall) to
     limit IP access to the IWSVA management console.
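The two mitigations above amount to an allow-list on the management
console plus a watch on how that console is reached. As an added
illustration (not Trend Micro code, and not derived from the IWSVA
product itself), the following script audits constructed web-server
style access log lines for the two signals a defender would want after
reading CVE-2020-8463 and CVE-2020-8464: admin-console requests from
outside the trusted management ranges, and request paths that only
resolve to the admin area after percent-decoding or dot-segment
normalization. The admin path prefix "/admin", the trusted networks, the
log format and the sample lines are all assumptions chosen for the
example.

```python
"""Audit constructed admin-console access logs against a management ACL.

Added example for this advisory; the log format, ADMIN_PREFIX and
TRUSTED_NETWORKS are assumptions, not IWSVA values.
"""
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumed: the management console lives under this URL prefix.
ADMIN_PREFIX = "/admin"

# Assumed trusted management networks (the ACL the bulletin recommends).
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.10.5.0/24", "192.0.2.10/32")
]

# Common-log-format style line: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real appliance output).
SAMPLE_LOG = [
    '10.10.5.20 - - [15/Dec/2020:10:00:00 +0100] "GET /admin/index.jsp HTTP/1.1" 200',
    '203.0.113.7 - - [15/Dec/2020:10:00:05 +0100] "GET /admin/index.jsp HTTP/1.1" 403',
    '203.0.113.7 - - [15/Dec/2020:10:00:09 +0100] "GET /static/%2e%2e/admin/config.jsp HTTP/1.1" 200',
    '10.10.5.20 - - [15/Dec/2020:10:01:00 +0100] "GET /help/../admin/update.jsp?x=1 HTTP/1.1" 200',
    '198.51.100.4 - - [15/Dec/2020:10:02:00 +0100] "GET /index.html HTTP/1.1" 200',
]


def ip_is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of the ACL ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def normalize_path(raw: str) -> str:
    """Canonical form of a request path: query dropped, percent-decoded
    twice (so double encoding collapses too), dot segments resolved."""
    path = raw.split("?", 1)[0]
    decoded = unquote(unquote(path))
    # lstrip avoids a leading "//", which posixpath.normpath would preserve.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def audit_line(line: str):
    """Return a finding record for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, raw_path = m["ip"], m["path"]
    plain = raw_path.split("?", 1)[0].rstrip("/") or "/"
    norm = normalize_path(raw_path)
    findings = []
    if norm.startswith(ADMIN_PREFIX):
        if not ip_is_trusted(ip):
            findings.append("admin-console request from untrusted source")
        if norm != plain:
            findings.append("path rewritten by normalization")
    return {"ip": ip, "raw_path": raw_path, "normalized": norm,
            "findings": findings}


def audit(lines):
    """All records that carry at least one finding, in log order."""
    return [r for r in map(audit_line, lines) if r and r["findings"]]


if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        print(f'{rec["ip"]:<14} {rec["raw_path"]:<40} -> {rec["normalized"]}')
        for f in rec["findings"]:
            print(f"    {f}")
```

Run as-is it reports three of the five constructed lines: the untrusted
client hitting the console directly, the same client reaching it through
an encoded dot segment, and a trusted client whose path only resolves to
the admin area after normalization. A mismatch between the raw and the
normalized path on an admin request is worth alerting on even from a
trusted address, since a normal browser session does not produce it.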



Acknowledgement

Trend Micro would like to thank the following individuals for
responsibly disclosing these issues and working with Trend Micro to help
protect our customers:

    W. Ettlinger of SEC Consult Vulnerability Lab (CVE-2020-8461
    through 8466)

    Srinivasan Rajagopalan (CVE-2020-27010)


External Reference(s)

    SEC-Consult Security Advisory



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


