Security researcher chained flaws to seize control of aged appliance

Trend Micro addresses remote takeover attack chain threat in InterScan Web Security Virtual Appliance

A security researcher has chained multiple vulnerabilities in Trend Micro’s InterScan Web Security Virtual Appliance (IWSVA) to seize control of the web gateway security product.

Sysadmins have been urged to update to the latest version, which includes mitigations against a low severity cross-site scripting (XSS) flaw and high-risk cross-site request forgery (CSRF) protection bypass.

Two further authentication bypass flaws, a command execution vulnerability, and unauthenticated command injection bugs were also fixed in the latest release.

Attack chains

Wolfgang Ettlinger, then of SEC Consult Vulnerability Lab (he has since left the company), unearthed the six vulnerabilities and fashioned three potent attack chains.

Attackers could abuse the CSRF and command execution vulnerabilities “to take over the appliance as root,” according to a security advisory issued by SEC Consult Vulnerability Lab today (December 17).

With access to the HTTP proxy port, they could also exploit the authentication bypass and command execution vulnerabilities “to take over the appliance as root without user/admin interaction” – as demonstrated by the video below:

Johannes Greil, head of SEC Consult Vulnerability Lab, told The Daily Swig that “an attacker with network access to the admin interface could exploit the command injection vulnerability in the login (depending on configuration) and execute arbitrary OS commands on the appliance as user ‘iscan’ and potentially elevate privileges.”

The vulnerabilities “are relatively easy to exploit, either individually or chained together”, he added. “Our exploit scripts only have very few lines of Python code for instance, but manual exploitation is straightforward as well.”

However, doing so is contingent on having access to a vulnerable machine, whether physically or remotely.

Limited impact

The on-premises IWSVA product is more than a decade old.

“Globally it’s difficult to put a figure on the number of customers using IWSVA primarily due to the effects of the Covid-19 pandemic,” Bharat Mistry, Trend Micro’s technical director for UK and Ireland, told The Daily Swig.

However, user numbers are dwindling – now below 100 in the UK – because the “value and operational simplicity” offered by as-a-service models has precipitated “a huge transition” from IWSVA to its cloud-based successor, Trend Micro Web Security (TMWS).

‘Multiple iterations’

SEC Consult notified Trend Micro of its findings in August 2019. The vendor contact timeline – documented in the advisory – is the longest Trend Micro has ever logged, said Greil.

“It took them over a year to fix the issues” because of “difficulties in reproducing the security vulnerabilities” and “multiple iterations of verifying the patch,” said Greil, who concluded the disclosure process after Ettlinger’s departure from the company.

Read more of the latest hacking news

However, he added: “Trend Micro PSIRT handled this case very professionally throughout the whole process in contrast to other larger companies we have encountered in the past.”

Mistry said IWSVA’s old age complicated remediation, which involved “some detailed ‘under the hood’ changes that meant engineering teams had to revisit the product at an architectural level”.

Patch now

Trend Micro issued a security bulletin on December 15 confirming that the flaws were present in version 6.5 SP2 and directing users to update to 6.5 SP2 CP b1919.

SEC Consult Vulnerability Lab also advises customers to “adhere to security best practices such as network segmentation, limiting access to the admin panel or admins not being logged on while surfing the web for CSRF mitigation”.

It also recommends “a thorough security review of this and similar Trend Micro products” since “it is possible that further critical issues exist in those products.”

YOU MIGHT ALSO LIKE F5 warns over ‘critical’ XSS flaw in BIG-IP