CVE-2008-2433 - Use of Insufficiently Random Values vulnerability in Trend Micro products
CVSS metric | Value
---|---
Attack vector | NETWORK
Attack complexity | LOW
Privileges required | NONE
Confidentiality impact | HIGH
Integrity impact | HIGH
Availability impact | HIGH
Summary
The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 derives its session token solely from the login time (one-second granularity), so the token is not random at all: a remote attacker who knows roughly when an administrator logged in can hijack the session by brute-forcing the small set of candidate tokens. NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration."
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 6
Common Weakness Enumeration (CWE)
- CWE-330: Use of Insufficiently Random Values
Common Attack Pattern Enumeration and Classification (CAPEC)
- CAPEC-112, Brute Force: some asset (information, functionality, identity, etc.) is protected by a finite secret value, and the attacker gains access by trial and error, exhaustively exploring the possible secret values until one (or a functionally equivalent value) unlocks the asset. Secrets include passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor is how rapidly the attacker can explore the secret space, which is a function of the size of that space and the computational power the attacker can bring to bear. If the attacker has modest resources and the secret space is large, the attack is intractable. The defender cannot control the attacker's resources but can control the size of the secret space: pick the secret from as large a field of equally likely alternatives as possible, and ensure the attacker cannot shrink that field using available clues or cryptanalysis. This is harder than it sounds, because eliminating patterns (which would give the attacker clues to shrink the space) is difficult on deterministic machines such as computers. Given a finite secret space, brute force eventually succeeds; the defender must ensure the time and resources required exceed the value of the asset. A secret space that would take hundreds of years to explore is, for practical purposes, safe from raw brute force. In this CVE the secret space is the set of plausible login seconds, which is tiny.
- CAPEC-485, Signature Spoofing by Key Recreation: an attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or in pseudorandom number generation, then uses that key to forge signatures from the original signer and mislead a victim into performing actions that benefit the attacker.
- CAPEC-59, Session Credential Falsification through Prediction: the attacker predicts the session ID used during a transaction in order to perform spoofing and session hijacking and thereby gain the session owner's privileges.
Nessus
Field | Value
---|---
NASL family | Windows
NASL id | TRENDMICRO_MULTIPLE_PRODUCTS_SECURITY_BYPASS_VULN.NASL
description | The remote host is running either Trend Micro OfficeScan or Worry-Free Business Security. The installed version is affected by a security bypass vulnerability: it reportedly uses a weak algorithm to generate the random session token issued after a successful authentication request. An attacker can easily brute-force the token and gain access to the web console; in some cases this may allow arbitrary code execution on the remote system.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 34050
published | 2008-08-27
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/34050
title | Trend Micro Multiple Products Token Prediction Security Bypass
Seebug
Field | Value
---|---
bulletinFamily | exploit
description | BUGTRAQ ID: 30792; CVE(CAN) ID: CVE-2008-2433. OfficeScan is distributed anti-virus software that protects an entire network segment. OfficeScan's web management console uses insufficient entropy when creating the random session token that identifies an authenticated administrator. When a legitimate administrator logs in, the token's entropy comes solely from the system time, at a granularity of one second. An attacker can brute-force the authentication token with relatively little effort, impersonate the currently logged-in administrator, and then take complete control of the system by manipulating the configuration. Affected: Trend Micro OfficeScan 8.0; Trend Micro OfficeScan 7.3; Trend Micro OfficeScan 7.0; Trend Micro Worry-Free Business Security 5.0; Trend Micro. ----------- The vendor has released patches that fix this issue; download them from the vendor's site: http://www.trendmicro.com/ftp/products/patches/OSCE_8.0_Win_EN_CriticalPatch_B1351.exe and http://www.trendmicro.com/ftp/products/patches/WFBS_50_WIN_EN_CriticalPatch_B1404.exe
id | SSV:3912
last seen | 2017-11-19
modified | 2008-08-26
published | 2008-08-26
reporter | Root
title | Trend Micro OfficeScan Web Management Authentication Bypass Vulnerability
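The summary and the Seebug record above describe the weakness but not how small the resulting search space is. The following is an added example, not Trend Micro code and not taken from any of the advisories: the exact token derivation used by OfficeScan is not public on this page, so `weak_token()` is a hypothetical stand-in (SHA-256 of the login second) that preserves the one property the advisories do state, namely that one second of login time yields one token. `hijack()` models the online brute force (CAPEC-112 / CAPEC-59) by presenting each candidate to a stand-in server check, and `strong_token()` is the hardened replacement the fix should look like. Timestamps and sessions are constructed inline.

```python
"""
Model of a session token whose only entropy is the login time, and of the
brute-force search that recovers it.  Illustrative only: weak_token() is a
hypothetical derivation, not Trend Micro's actual algorithm.
"""
import hashlib
import secrets
from typing import Optional, Set


def weak_token(login_time: int) -> str:
    """Hypothetical vulnerable derivation: the token depends only on the
    login timestamp (1-second granularity).  Hashing hides the timestamp
    from casual inspection but adds no entropy, so the token space is
    exactly the set of plausible login seconds."""
    return hashlib.sha256(str(login_time).encode()).hexdigest()


def strong_token() -> str:
    """Hardened replacement: 32 bytes (256 bits) from the OS CSPRNG,
    independent of the clock.  Search space is 2**256, not 86400/day."""
    return secrets.token_hex(32)


def search_space(window_seconds: int) -> int:
    """Candidates an attacker must try when the administrator is known to
    have logged in somewhere inside a window of this many seconds.  With a
    one-second granularity the count equals the window length."""
    return window_seconds


def is_accepted(candidate: str, live_sessions: Set[str]) -> bool:
    """Stand-in for the server-side check: the console honours any request
    carrying the token of a live administrator session."""
    return candidate in live_sessions


def hijack(live_sessions: Set[str], newest: int, window_seconds: int) -> Optional[str]:
    """Online brute force: derive the candidate token for every second in
    the window, most recent first (admins usually logged in recently), and
    submit each until the server accepts one.  Returns the accepted token,
    or None if no live session began inside the window."""
    for t in range(newest, newest - window_seconds, -1):
        cand = weak_token(t)
        if is_accepted(cand, live_sessions):
            return cand
    return None


if __name__ == "__main__":
    # Constructed scenario: one admin session, started 1234 s before 'now'.
    now = 1_219_708_800            # constructed reference timestamp
    live = {weak_token(now - 1234)}
    print("candidates for a 24h window:", search_space(86400))
    print("hijacked token:", hijack(live, now, 86400))
    print("strong token  :", strong_token())
```

The point the numbers make: with one-second granularity, an attacker who knows only that an administrator logged in sometime in the last day needs at most 86,400 requests, which a single host can issue in minutes; moving the token to a CSPRNG-backed 256-bit value puts the same attack at 2**256 requests. Any fix that keeps the clock as the seed, even with a hash on top, does not change the search space.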
References
- http://secunia.com/secunia_research/2008-31/advisory/
- http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2402_readme.txt
- http://www.trendmicro.com/ftp/documentation/readme/Readme_WFBS5%200_EN_CriticalPatch1404.txt
- http://www.securityfocus.com/bid/30792
- http://secunia.com/advisories/31373
- http://www.securitytracker.com/id?1020732
- http://securityreason.com/securityalert/4191
- http://www.vupen.com/english/advisories/2008/2421
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44597
- http://www.securityfocus.com/archive/1/495670/100/0/threaded