JVNDB-2016-000074

Trend Micro enterprise products directory traversal vulnerability

Overview

Multiple enterprise products provided by Trend Micro Incorporated contain a directory traversal vulnerability.

According to the developer, exploiting the vulnerability requires access to the LAN environment of the user.

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 3.3 (Low) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


Trend Micro, Inc.
  • OfficeScan 11.0
  • Worry-Free Business Security 9.0
  • Worry-Free Business Security Services 5.x

Impact

An attacker that can access the user's LAN environment may obtain access to files on the device.
Solution

If using OfficeScan 11.0:
[Apply the Update Module]
Contact the developer's support center and inquire about the Update Module (HotFix).
According to the developer, applying the Critical Patch planned for release at the end of June 2016 will also address the vulnerability.

If using Worry-Free Business Security 9.0:
[Update the software]
According to the developer, applying Service Pack 3 planned for release at the end of June 2016 will address the vulnerabilities.

If using Worry-Free Business Security Services 5.x:
[Update the Software]
Update the software according to the information provided by the developer.
Vendor Information

Trend Micro, Inc.
CWE

  1. Path Traversal (CWE-22) [IPA Evaluation]
CVE

  1. CVE-2016-1223
References

  1. JVN : JVN#48847535
  2. National Vulnerability Database (NVD) : CVE-2016-1223
Revision History

  • [2016/06/02]
      Web page was published
  • [2016/06/22]
      References : Content was added