CVE-2017-11392
Published 2017-08-03
Priority P2 75, high, 8.8 CVSS 3.0
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 33.76% (98.2th percentile)
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the "T" parameter within modTMCSS Proxy. Formerly ZDI-CAN-4745.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_interscan_messaging_security_virtual_appliance | — | — |
| trendmicro | interscan_messaging_security_virtual_appliance | — | — |
| trendmicro | interscan_messaging_security_virtual_appliance | — | — |
Detection & IOCs
- Monitor HTTP requests to the modTMCSS Proxy endpoint for suspicious or shell-metacharacter-containing values in the 'T' parameter, which is the injection point for command execution.
- Alert on unauthenticated access to diagnostic.log on the IMSVA management interface (TCP/443), as attackers use it to harvest a valid JSESSIONID for session hijacking prior to exploitation.
- Detect exploitation chain: unauthenticated requests to Proxy.php under the modTMCSS folder on port 443 that contain command-injection payloads, executed under the web server user context.
- The vulnerability requires chaining an authentication bypass (JSESSIONID theft via exposed diagnostic.log) with the command injection in Proxy.php; both conditions must be present for full unauthenticated RCE.
- Affected versions are Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 only; verify version before applying detections.
CVSS provenance
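| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |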
No detection rules found.
No writeups or analysis indexed.
Published: 2017-08-03