Trend Micro Threat Intelligence Manager Arbitrary Local File Disclosure
A vulnerability in the Trend Micro Threat Intelligence Manager allowed an unauthenticated user to read arbitrary files on the host system. Because the web server was running with NT AUTHORITY\SYSTEM permissions, any user could read any file regardless of their authorisation.
Description
The page parameter in the appframe.php file allowed unauthenticated directory traversal and reading of arbitrary files on the system. Because the web server was running as NT AUTHORITY\SYSTEM, any file on the host could be read.
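Requests that abuse the page parameter in this way can be looked for in the web server's access logs. The following is an added example, not part of the original advisory or of Trend Micro's code: it flags requests to appframe.php whose page value, after repeated percent-decoding, climbs directories or names an absolute path. The log format, the /PLACEHOLDER/ path, the client addresses and the page values are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines; IPs, the /PLACEHOLDER/ path and page values are made up.
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /PLACEHOLDER/appframe.php?page=dashboard HTTP/1.1" 200 512
192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /PLACEHOLDER/appframe.php?page=..%2f..%2f..%2fplaceholder.txt HTTP/1.1" 200 9000
192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /PLACEHOLDER/appframe.php?page=%252e%252e%255cplaceholder.txt HTTP/1.1" 200 9000
192.0.2.44 - - [01/Jan/2024:10:00:12 +0000] "GET /PLACEHOLDER/appframe.php?page=C:%5Cplaceholder.txt HTTP/1.1" 404 0
192.0.2.10 - - [01/Jan/2024:10:00:20 +0000] "GET /PLACEHOLDER/other.php?page=../x HTTP/1.1" 200 10
'''

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
DRIVE = re.compile(r"^[A-Za-z]:")

def fully_decode(value, rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if a page value climbs directories or names an absolute path."""
    path = fully_decode(value).replace("\\", "/")
    return (".." in path.split("/") or path.startswith("/")
            or bool(DRIVE.match(path)) or "\x00" in path)

def find_suspicious(log_text, script="appframe.php"):
    """Return (client, status, target) for flagged requests to the script."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if url.path.rsplit("/", 1)[-1].lower() != script:
            continue
        pages = parse_qs(url.query, keep_blank_values=True).get("page", [])
        if any(is_traversal(p) for p in pages):
            hits.append((client, status, target))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```

A flagged request that returned status 200 deserves the closest review, since the server answered it rather than rejecting it.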
Impact
An attacker could use this to retrieve sensitive information held on the host, such as configuration information containing authentication details, encryption keys and other sensitive data.
Solution
As no patch is or will be available, it is recommended that access to the management interface of Trend Micro’s Threat Intelligence Manager be heavily restricted.
Trend Micro’s official response to this vulnerability is as follows:
“Thank you for your patience and continuously working with the Trend Micro Vulnerability Response team.
The Trend Micro Threat Intelligence Manager (TIM) has reached its end-of-life, and unfortunately addressing the vulnerabilities you submitted would require substantial efforts to re-architect or build an entirely new product. We strongly recommend our TIM customers to contact sales for further options on a suitable replacement if this is a concern for them.”
Technical Details
Refer to attached detailed advisory above.