Vulnerabilities > CVE-2017-11398 - DEPRECATED: Information Exposure Through Debug Log Files vulnerability in Trendmicro Smart Protection Server 3.0/3.1/3.2

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
trendmicro
CWE-534
nessus
exploit available
NVD
Published: 2018-01-19
Updated: 2019-10-09

Summary

A session hijacking via log disclosure vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an unauthenticated attacker to hijack active user sessions to perform authenticated requests on a vulnerable system.

Vulnerable Configurations

Part Description Count
Application
Trendmicro
3

Common Weakness Enumeration (CWE)

D2sec

nameTrend Micro Smart Protection Server Encryption Key Disclosure
urlhttp://www.d2sec.com/exploits/trend_micro_smart_protection_server_encryption_key_disclosure.html

Exploit-Db

descriptionTrend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored...
fileexploits/multiple/remote/43388.md
idEDB-ID:43388
last seen2017-12-22
modified2017-12-19
platformmultiple
port
published2017-12-19
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/43388/
titleTrend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control
typeremote

Nessus

NASL familyCGI abuses
NASL idTRENDMICRO_SMART_PROTECTION_SERVER_CVE-2017-11398.NASL
descriptionThe Trend Micro Smart Protection Server running on the remote host is affected by a session hijacking vulnerability due to the disclosure of session IDs in the diagnostic.log file that can be accessed via HTTP without authentication. An unauthenticated, remote attacker can grab the log file and hijack active user sessions to perform authenticated requests. Note that the product is reportedly affected by other vulnerabilities; however, this plugin has not tested for them.
last seen2020-06-01
modified2020-06-02
plugin id107224
published2018-03-08
reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/107224
titleTrend Micro Smart Protection Server Session Hijacking Via Log File Disclosure
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(107224);
  script_version("1.7");
  script_cvs_date("Date: 2019/04/30 14:30:16");

  script_cve_id("CVE-2017-11398");
  script_bugtraq_id(102275);

  script_name(english:"Trend Micro Smart Protection Server Session Hijacking Via Log File Disclosure");
  script_summary(english:"Attempts to fetch a log file");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a web application that is affected by a
session hijacking vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Trend Micro Smart Protection Server running on the remote host is
affected by a session hijacking vulnerability due to the disclosure
of session IDs in the diagnostic.log file that can be accessed via
HTTP without authentication. An unauthenticated, remote attacker can
grab the log file and hijack active user sessions to perform
authenticated requests.  

Note that the product is reportedly affected by other
vulnerabilities; however, this plugin has not tested for them.");
  script_set_attribute(attribute:"see_also", value:"https://success.trendmicro.com/solution/1118992");
  # https://www.secureauth.com/labs/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4a9ef707");
  script_set_attribute(attribute:"solution", value:
"Apply updates in accordance with the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Trend Micro Smart Protection Server Encryption Key Disclosure");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/12/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:trend_micro:smart_protection_server");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("trendmicro_smart_protection_server_detect.nbin");
  script_require_keys("installed_sw/Trend Micro Smart Protection Server");
  script_require_ports("Services/www", 4343);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

app = "Trend Micro Smart Protection Server";

# Exit if app is not detected on the target
get_install_count(app_name:app, exit_if_zero:TRUE);

# Exit if app is not detected on this port 
port = get_http_port(default:4343);
install = get_single_install(app_name:app, port:port);

file = 'diagnostic.log';
url = '/widget/repository/log/' + file;

res = http_send_recv3(
  method        : 'GET',
  item          : url,
  port          : port,
  exit_on_fail  : TRUE
);


if(res[0] =~ "^HTTP/[0-9]\.[0-9] 200" && 
  # Session ID in log line:
  # 2018-02-21 17:58:15,930,INFO,f3tt3d3hak6mtvjgjds3g27447,null,<br />
  res[2] =~"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+,[A-Z]+,.+?,"
  )
{
    security_report_v4(
      port       : port,
      severity   : SECURITY_WARNING,
      file       : file,
      request    : make_list(http_last_sent_request()),
      output     : res[2],
      rep_extra  : 'This file contains session IDs.',
      attach_type: 'text/html'
    );
}
else
{
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, build_url(qs:install['path'], port:port));
}

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/145518/CORE-2017-0008.txt
idPACKETSTORM:145518
last seen2017-12-22
published2017-12-22
reporterCore Security Technologies
sourcehttps://packetstormsecurity.com/files/145518/Trend-Micro-Smart-Protection-Server-3.2-XSS-Access-Control-Disclosure.html
titleTrend Micro Smart Protection Server 3.2 XSS / Access Control / Disclosure

References