CVE-2017-14094
Published 2018-01-19
Priority: P2 · 74 · critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 19.37% (97.0th percentile)
A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a cron job injection on a vulnerable system.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_smart_protection_server | — | — |
| trendmicro | smart_protection_server | <= 3.2 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP GET requests to /widget/repository/log/diagnostic.log, which leaks active session IDs from diagnostic logs and is the first stage of the exploit chain.
- Detect HTTP POST requests to /php/admin_update_program.php where the hidTimingMin parameter contains cron injection patterns such as '* * * * *' or shell metacharacters (e.g., '#', ';', '|').
- Alert on creation or modification of /var/spool/cron/webserv, especially if the cron entry contains shell commands or reverse shell payloads injected via the hidTimingMin field.
- Detect the presence of 'MSG_UPDATE_UPDATE_SCHEDULE' in HTTP responses to POST /php/admin_update_program.php as a confirmation indicator that a malicious cron job was successfully injected.
- Monitor for outbound bash reverse shell connections (e.g., /dev/tcp/<attacker_ip>/<port>) spawned by the webserv user, which indicates successful cron job injection exploitation.
- Each log entry in diagnostic.log leaks the session ID in the 4th comma-delimited field; monitor for automated parsing of this file (rapid sequential GET requests) as a sign of session harvesting.
- The exploit chain requires two steps: first, unauthenticated session ID harvesting from the exposed diagnostic log, then an authenticated POST to the cron injection endpoint. Blocking unauthenticated access to /widget/repository/log/diagnostic.log breaks the chain for unauthenticated attackers.
- Only Trend Micro Smart Protection Server 3.2 (Build 1085) was confirmed tested; other versions may also be affected but were not verified.
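As an added illustration (not from the advisory or any of the linked sources), the following Python scores constructed proxy-log lines against the indicators above: reads of the diagnostic log, rapid re-reads from one client as a session-harvesting signal, and hidTimingMin values posted to the cron endpoint that contain cron or shell metacharacters. The tab-separated log format, the timing threshold and the extra metacharacters beyond those the IOC list names are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample lines from a hypothetical reverse-proxy log that records
# client IP, ISO timestamp, method, path and (for POST) the decoded request body.
SAMPLE_LOG = [
    "10.0.0.5\t2018-01-19T10:00:01\tGET\t/widget/repository/log/diagnostic.log\t",
    "10.0.0.5\t2018-01-19T10:00:02\tGET\t/widget/repository/log/diagnostic.log\t",
    "10.0.0.5\t2018-01-19T10:00:03\tGET\t/widget/repository/log/diagnostic.log\t",
    "10.0.0.9\t2018-01-19T10:05:00\tPOST\t/php/admin_update_program.php\thidTimingMin=* * * * * #",
    "10.0.0.7\t2018-01-19T11:00:00\tPOST\t/php/admin_update_program.php\thidTimingMin=30",
    "10.0.0.7\t2018-01-19T11:01:00\tGET\t/index.php\t",
]

LOG_PATH = "/widget/repository/log/diagnostic.log"
CRON_ENDPOINT = "/php/admin_update_program.php"
# Characters with no place in a cron minute value: the ones the IOC list names
# ('*', '#', ';', '|') plus a few common shell metacharacters (an assumption).
CRON_META = set("*#;|&$`\n ")
HARVEST_WINDOW_S = 10   # assumption: HARVEST_HITS reads within this window = harvesting
HARVEST_HITS = 3

def parse(line):
    ip, ts, method, path, body = line.split("\t", 4)
    return ip, datetime.fromisoformat(ts), method, path, body

def detect(lines):
    """Return (rule, ip, detail) tuples for the indicators the IOC list describes."""
    findings = []
    log_hits = {}  # ip -> timestamps of diagnostic.log GETs, for the harvesting check
    for line in lines:
        ip, ts, method, path, body = parse(line)
        if method == "GET" and path == LOG_PATH:
            findings.append(("diag-log-access", ip, path))
            log_hits.setdefault(ip, []).append(ts)
        elif method == "POST" and path == CRON_ENDPOINT:
            val = parse_qs(body).get("hidTimingMin", [""])[0]
            if set(val) & CRON_META:
                findings.append(("cron-injection", ip, val))
    # Rapid sequential GETs of the log from one client suggest session-ID harvesting.
    for ip, times in log_hits.items():
        times.sort()
        for i in range(len(times) - HARVEST_HITS + 1):
            if (times[i + HARVEST_HITS - 1] - times[i]).total_seconds() <= HARVEST_WINDOW_S:
                findings.append(("session-harvesting", ip, f"{HARVEST_HITS} GETs in {HARVEST_WINDOW_S}s"))
                break
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```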
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/102275
- https://success.trendmicro.com/solution/1118992
- https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities
- https://www.exploit-db.com/exploits/43388/