Trend Micro Threat Intelligence Manager Arbitrary Local File Disclosure

Product: Trend Micro Threat Intelligence Manager
Severity: High
CVE Reference: N/A
Type: Arbitrary Local File Disclosure

A vulnerability was found in the Trend Micro Threat Intelligence Manager which allowed an unauthenticated user to read arbitrary files on the host system. As the web server was running with NT AUTHORITY\SYSTEM permissions, it was possible for any user to read any file regardless of their authorisation.

Description

It was discovered that the page parameter in the appframe.php file allowed for unauthenticated directory traversal and reading of arbitrary files on the system. Due to the web server running as NT AUTHORITY\SYSTEM, it was possible to read any file.

Impact

This could be used by an attacker to retrieve sensitive information, such as configuration information containing authentication details, encryption keys and other sensitive information held on the host.

Solution

It is recommended that access to the management interface of Trend Micro’s Threat Intelligence Manager is heavily restricted, as no patch is or will be available.

Trend Micro’s official response to this vulnerability is as follows:

“Thank you for your patience and continuously working with the Trend Micro Vulnerability Response team.

The Trend Micro Threat Intelligence Manager (TIM) has reached its end-of-life, and unfortunately addressing the vulnerabilities you submitted would require substantial efforts to re-architect or build an entirely new product. We strongly recommend our TIM customers to contact sales for further options on a suitable replacement if this is a concern for them.”
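With no patch available, reviewing web server logs for traversal attempts against the page parameter of appframe.php complements restricting access to the interface. The following is an added example, not part of the original advisory or the product's code; it assumes a common/combined access log format, and the sample log lines and the legitimate value `dashboard` are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Traversal segment, drive-letter path, or absolute/UNC path after decoding.
# Assumption: legitimate page values are plain relative names.
SUSPICIOUS_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^[a-zA-Z]:[\\/]|^[\\/]')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_page_values(log_line):
    """Return decoded 'page' values of an appframe.php request that look like traversal."""
    m = REQUEST_RE.match(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/appframe.php"):
        return []
    hits = []
    for raw in parse_qs(url.query, keep_blank_values=True).get("page", []):
        value = fully_decode(raw)  # parse_qs has already decoded one layer
        if SUSPICIOUS_RE.search(value) or "\x00" in value:
            hits.append(value)
    return hits

def scan(lines):
    """Yield (client_ip, decoded_value) for every flagged request."""
    for line in lines:
        m = REQUEST_RE.match(line)
        for value in suspicious_page_values(line):
            yield m.group("ip"), value

# Constructed sample log lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2016:10:00:00 +0000] "GET /appframe.php?page=dashboard HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2016:10:00:05 +0000] "GET /appframe.php?page=..%2f..%2f..%2fexample.ini HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2016:10:00:09 +0000] "GET /appframe.php?page=%252e%252e%255c%252e%252e%255cexample.ini HTTP/1.1" 200 90',
    '203.0.113.4 - - [01/Jan/2016:10:01:00 +0000] "GET /index.php?page=../x HTTP/1.1" 404 0',
]
```

A flagged request that returned status 200 from an address outside the management network is the case to prioritise for review.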

Technical Details

Refer to the attached detailed advisory above.

Detailed Timeline

Date Summary
24/7/2015 Vulnerability documented
30/7/2015 Trend Micro contacted via security@trendmicro.com
31/7/2015 5 advisories sent to Trend Micro with provided PGP key
10/9/2015 MWR disclosure timeline requested due to internal discussions at Trend Micro RE: remediation
20/10/2015 MWR request update from Trend Micro
12/11/2015 Trend Micro issue statement and request coordinated disclosure on 17th November 2015
15/01/2016 MWR publish advisories