Trend Micro has fixed a bucket-load of vulnerabilities in its Email Encryption Gateway, some of which can be chained to execute root commands from the perspective of a remote, unauthenticated attacker.
The Trend Micro Encryption for Email Gateway (TMEEG) is a Linux-based software solution/virtual appliance that provides the ability to perform the encryption and decryption of email at the corporate gateway, regardless of the email client and the platform from which it originated.
“The encryption and decryption of email on the TMEEG client is controlled by a Policy Manager that enables an administrator to configure policies based on various parameters, such as sender and recipient email addresses, keywords, or PCI compliance,” the company explains.
The flaws were discovered and privately disclosed to the company by Leandro Barragan and Maximiliano Vidal (Core Security Consulting Services) in June 2017. Security researcher Vahagn Vardanyan has also been credited with the discovery. The vulnerabilities affect version 5.5 Build 1111 and below of the product.
The list of twelve vulnerabilities comes with distinct CVE identifiers, and their severity ranges from low to critical:
CVE-2018-6219: Insecure Update via HTTP (CVSS 7.5).
CVE-2018-6220: Arbitrary file write leading to command execution (CVSS 7.5).
CVE-2018-6221: Unvalidated Software Updates (CVSS 7.5).
CVE-2018-6222: Arbitrary logs locations leading to command execution (CVSS 7.2).
CVE-2018-6223: Missing authentication for appliance registration (CVSS 9.1).
CVE-2018-6225: XML external entity injection in a configuration script (CVSS 5.5).
CVE-2018-6226: Reflected cross-site scripting in two configuration scripts (CVSS 7.4).
CVE-2018-6227: Stored cross-site scripting in a policy script (CVSS 7.4).
CVE-2018-6228: SQL injection in a policy script (CVSS 4.9).
CVE-2018-6229: SQL injection in an edit policy script (CVSS 6.5).
CVE-2018-6224: Lack of cross-site request forgery protection (CVSS 6.8).
CVE-2018-6230: SQL injection in a search configuration script (CVSS 3.8).
Trend Micro has released a security update (version 5.5 Build 1129) to plug 10 of these flaws, but the last two on the list are still unfixed.
“Due to the difficulties of implementing and the negative impact on critical normal product function of the proposed resolutions, as well as the pending End-of-Life of the Email Encryption Gateway product [in the coming weeks], Trend Micro has decided that these will not be addressed in the current iteration of the product,” the company stated.
However, there are some mitigating factors that should prevent those vulnerabilities from being exploited: CVE-2018-6224 has to be chained with at least three other vulnerabilities, which are now fixed, to achieve remote command execution, and both CVE-2018-6224 and CVE-2018-6230 can be exploited only if the TMEEG web console is accessible over the Internet. Therefore, the company advises admins to apply the recommended update and to ensure that the web console is reachable only through the corporate intranet and only by users who need access to it.
Core Security has released a separate security bulletin with additional technical details about the flaws, along with Proof of Concept code for each.