CVE-2017-6398
Published 2017-03-14
Priority: P2 · 74 · high · 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT · EPSS 55.00% (98.9th percentile)
An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. An authenticated user can execute a terminal command in the context of the web server user (which is root). In addition, the default installation of IMSVA comes with default administrator credentials. The saveCert.imss endpoint takes several user inputs and performs blacklisting. After that, it uses them as arguments to a predefined operating-system command without proper sanitization. However, because of an improper blacklisting rule, it is possible to inject arbitrary commands into it.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trendmicro | interscan_messaging_security_virtual_appliance | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to the /saveCert.imss endpoint for command injection patterns, particularly shell metacharacters or chained commands in user-supplied parameters.
- Alert on authenticated sessions to the IMSVA web interface executing OS-level commands as root, especially originating from the web server process context.
- Detect use of default administrator credentials against the IMSVA management interface, as default credentials are present in a default installation.
- The blacklisting approach used by saveCert.imss is bypassable; the improper blacklisting rule allows injection of arbitrary commands, meaning signature-based detection relying solely on known-bad strings may be insufficient.
- Default administrator credentials ship with IMSVA, meaning exploitation does not require prior credential theft — detections should not assume attacker credentials are anomalous.
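The first and fourth points above in working form, as an added example that is not part of this record or of any vendor tooling: it screens constructed POST bodies to /saveCert.imss with an allowlist of expected characters, and labels which hits a plain metacharacter denylist would also have caught. The parameter names `name` and `file` are assumptions; the page does not list the endpoint's real parameters.

```python
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/saveCert.imss"

# Constructed sample requests (method, path, body); not taken from real IMSVA traffic.
SAMPLE_REQUESTS = [
    ("POST", TARGET_PATH, "name=mailcert&file=cert.pem"),            # benign
    ("POST", TARGET_PATH, "name=mailcert;id&file=cert.pem"),         # chained command
    ("POST", TARGET_PATH, "name=a%7Cid&file=cert.pem"),              # "|" percent-encoded
    ("POST", TARGET_PATH, "name=mailcert%0Aid&file=cert.pem"),       # newline separator
    ("GET", "/index.imss", ""),                                      # not the endpoint
]

# Allowlist: what a benign certificate name or file name is expected to contain (assumption).
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]*")
# Denylist of common shell metacharacters; deliberately incomplete (no newline) to show
# why a blocklist alone is weaker than the allowlist check.
METACHARS = re.compile(r"[;&|`$<>]")


def parse_body(body):
    """Split a form body into (key, value) pairs; splits only on '&' so a ';' in a
    value is preserved for inspection rather than treated as a separator."""
    params = []
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.append((unquote_plus(key), unquote_plus(value)))
    return params


def suspicious_params(method, path, body):
    """Return (key, decoded value, reason) for each parameter that is not on the allowlist."""
    if method != "POST" or path != TARGET_PATH:
        return []
    findings = []
    for key, value in parse_body(body):
        if SAFE_VALUE.fullmatch(value):
            continue
        reason = "metachar" if METACHARS.search(value) else "outside allowlist"
        findings.append((key, value, reason))
    return findings


def scan(requests):
    """Return (path, body, findings) for every request that produced at least one finding."""
    return [(p, b, f) for m, p, b in requests if (f := suspicious_params(m, p, b))]
```

The newline case is the one the denylist misses: only the allowlist flags it, which is the practical reading of the "known-bad strings may be insufficient" note above.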
CVSS provenance
- NVD v3.0: 8.8 HIGH — CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 9.0 CRITICAL — AV:N/AC:L/Au:S/C:C/I:C/A:C
No detection rules found.
No writeups or analysis indexed.