CVE-2008-2433 — Use of Insufficiently Random Values in Officescan

CWE-330 — Use of Insufficiently Random Values CWE-287 — Improper Authentication3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

12.3%

top 6.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trendmicro Officescan Trendmicro Client Server Messaging Suite Trendmicro Worry-free Business Security

Timeline

PublishedAug 27

Latest updateMay 1

Description

The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks. NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration."

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDtrendmicro/worry-free_business_security5.0

▶NVDtrendmicro/officescan7.0 — 8.0

▶NVDtrendmicro/client3.5, 3.6+1

Patches

Patch: secunia.com ↗Patch: secunia.com ↗

🔴Vulnerability Details

GHSA

GHSA-4rj2-hhfh-p3j7: The web management console in Trend Micro OfficeScan 7↗2022-05-01

▶

CVEList

CVE-2008-2433: The web management console in Trend Micro OfficeScan 7↗2008-08-27

▶