Trend Micro Clears Mobile Security Holes

Monday, September 18, 2017 @ 04:09 PM gHale

Trend Micro released a patch for its Mobile Security for Enterprise fixing remote code execution issues.

The goal behind Trend Micro’s Mobile Security for Enterprise is to give organizations visibility and control over mobile devices, applications and data.

Bluetooth Devices Susceptible to Attack
ICSJWG: Change in Security Approach Needed
Power Grid Compromise
Fighting FUD from DC

Roberto Suggi Liverani and Steven Seeley of Offensive Security discovered the product suffers from an unrestricted file upload, authentication bypass, SQL injection and proxy command injection vulnerabilities.

They sent the vulnerabilities to Trend Micro via the security firm’s Zero Day Initiative (ZDI).

While there are only four types of vulnerabilities, ZDI published over 70 different advisories as each flaw affects more than one function.

The most severe issue is a SQL injection (CVE-2017-14078) that allows authenticated and unauthenticated attackers to execute arbitrary code with SYSTEM privileges.

In addition, an authentication bypass vulnerability affecting Mobile Security for Enterprise ended up classified as high severity.

An authenticated attacker can also execute arbitrary code by exploiting a medium severity flaw related to the modTMCSS Proxy functionality (CVE-2017-14081). Finally, an authenticated attacker can upload arbitrary files and execute code by abusing various file upload features that fail to properly validate user-supplied data (CVE-2017-14079).

The researchers sent the vulnerabilities to the vendor in mid-May and patches were ready to go last week with the release of versions 9.7 Patch 3.

Trend Micro said exploiting these vulnerabilities typically requires physical or remote access to a vulnerable system.

Leave a Reply

You must be logged in to post a comment.