CVE-2020-28581
published 2020-11-18

Priority: P2 (59) · Severity: high · CVSS 3.1 base score: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 44.55% (98.6th percentile)
A command injection vulnerability in ModifyVLANItem of Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send specially crafted HTTP messages and execute arbitrary OS commands with elevated privileges.

Affected (2 ranges)

Vendor        Product                                                Version range           Fixed in
trend_micro   trend_micro_interscan_web_security_virtual_appliance   (not given on this page) (not given on this page)
trendmicro    interscan_web_security_virtual_appliance               (not given on this page) (not given on this page)

Detection & IOCs (extracted from sources)

url:  /rest/windows_client_status
port: 8443
url:  /urlf_reclassifyurl.jsp
url:  /servlet/com.trend.iwss.gui.servlet.ManageVLANSettings
url:  /uilogonsubmit.jsp
path: /usr/iwss/AdminUI/ui_ctl.sh
  • For CVE-2020-28578 (unauthenticated stack buffer overflow), monitor POST requests to /rest/windows_client_status on port 8443 with an abnormally large 'password' parameter value.
  • For CVE-2020-28579 (authenticated stack buffer overflow), monitor POST requests to /urlf_reclassifyurl.jsp on port 8443 with an abnormally large 'sender_addr' parameter value.
  • For CVE-2020-28580/CVE-2020-28581 (command injection in AddVLANItem/ModifyVLANItem), monitor POST requests to /servlet/com.trend.iwss.gui.servlet.ManageVLANSettings on port 8443 for shell metacharacters in VLAN-related parameters, which are passed unsanitized to system() via ui_ctl.sh.
  • Exploitation results in command execution as the 'iscan' account; monitor for unexpected processes spawned by the iscan user on IWSVA appliances.
  • The command string is built with the format '%s addVLANItem %s' (the script on one side, the attacker-controlled VLAN item on the other) and handed to system_with_fd_closed(), so the item text reaches a shell verbatim; look for shell injection characters (;, |, $(), backticks, etc.) in VLAN item parameters sent to the ManageVLANSettings servlet.
  • CVE-2020-28580 and CVE-2020-28581 (AddVLANItem and ModifyVLANItem command injection) require an authenticated session with a high-privileged (admin) account; low-privilege accounts are insufficient for these endpoints.
  • CVE-2020-28579 (MailNotification stack overflow) can be exploited with a low-privileged, reports-only user account.
  • CVE-2020-28578 (DecryptPasswd stack overflow) requires no authentication at all; the vulnerable endpoint /rest/windows_client_status is accessible without credentials.
  • All vulnerabilities affect Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 Service Pack 2, build 1901 specifically.
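The detection rules above, turned into a small triage script. This is an added example, not code from the advisory, from Trend Micro, or from any published PoC. It models the '%s addVLANItem %s' construction only to show why a metacharacter in the item changes what the shell runs, then applies the advisory's rules (POST to the named endpoints on 8443; oversized 'password' / 'sender_addr'; shell metacharacters in VLAN parameters) to constructed request records. The request-record shape, the VLAN parameter names (vlan_id, vlan_ip), the 256-byte "abnormally large" threshold and the sample traffic are all assumptions; a real deployment would feed it body-level logs from a reverse proxy or WAF in front of the admin UI.

```python
import re

# Endpoints the advisory names on the 8443 management interface.
VLAN_SERVLET = "/servlet/com.trend.iwss.gui.servlet.ManageVLANSettings"
OVERFLOW_ENDPOINTS = {
    "/rest/windows_client_status": ("CVE-2020-28578", "password"),
    "/urlf_reclassifyurl.jsp": ("CVE-2020-28579", "sender_addr"),
}
ADMIN_PORT = 8443
OVERSIZE = 256  # assumed threshold for an "abnormally large" parameter value
# Characters that let an injected value break out of a single shell word.
SHELL_META = re.compile(r"[;|&`<>\n]|\$\(|\$\{")


def render_vlan_command(script, action, item):
    """Model of the '%s addVLANItem %s' construction quoted in the advisory:
    the VLAN item is spliced into the command line verbatim, so metacharacters
    in it are interpreted by the shell.  Illustrative only, not the real code."""
    return "%s %s %s" % (script, action, item)


def analyze_request(method, path, port, params):
    """Apply the advisory's detection rules to one request.
    params is an assumed dict of form-parameter name -> value."""
    findings = []
    if port != ADMIN_PORT or method.upper() != "POST":
        return findings
    if path in OVERFLOW_ENDPOINTS:
        cve, pname = OVERFLOW_ENDPOINTS[path]
        value = params.get(pname, "")
        if len(value) > OVERSIZE:
            findings.append((cve, "%s length %d > %d" % (pname, len(value), OVERSIZE)))
    elif path == VLAN_SERVLET:
        for name, value in params.items():
            hit = SHELL_META.search(value)
            if hit:
                findings.append(("CVE-2020-28580/CVE-2020-28581",
                                 "shell metacharacter %r in parameter %s" % (hit.group(0), name)))
    return findings


def scan(requests):
    """Run analyze_request over a list of request dicts; return (src, cve, reason) tuples."""
    out = []
    for r in requests:
        for cve, why in analyze_request(r["method"], r["path"], r["port"], r["params"]):
            out.append((r["src"], cve, why))
    return out


# Constructed sample traffic (not real captures); parameter names are assumptions.
SAMPLE = [
    {"src": "10.0.0.5", "method": "POST", "port": 8443, "path": "/uilogonsubmit.jsp",
     "params": {"uid": "admin", "passwd": "..."}},
    {"src": "10.0.0.5", "method": "POST", "port": 8443, "path": VLAN_SERVLET,
     "params": {"action": "addVLANItem", "vlan_id": "100", "vlan_ip": "192.0.2.10"}},
    {"src": "203.0.113.7", "method": "POST", "port": 8443, "path": VLAN_SERVLET,
     "params": {"action": "modifyVLANItem", "vlan_id": "100", "vlan_ip": "192.0.2.10;id>/tmp/o"}},
    {"src": "203.0.113.7", "method": "POST", "port": 8443, "path": "/rest/windows_client_status",
     "params": {"password": "A" * 2048}},
    {"src": "10.0.0.9", "method": "GET", "port": 8443, "path": "/rest/windows_client_status",
     "params": {"password": "A" * 2048}},
]

if __name__ == "__main__":
    print(render_vlan_command("/usr/iwss/AdminUI/ui_ctl.sh", "addVLANItem", "192.0.2.10;id>/tmp/o"))
    for src, cve, why in scan(SAMPLE):
        print(src, cve, why)
```

Only the two requests from 203.0.113.7 are flagged: the benign VLAN add and the login POST pass, and the oversized GET is ignored because the rule is scoped to POST. The metacharacter rule is deliberately narrow (it does not flag '$' alone, which appears in ordinary passwords) and is the one most worth tuning against the real parameter names once they are known from traffic.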

CVSS provenance

NVD, CVSS v3.1: 7.2 HIGH   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0 HIGH   AV:N/AC:L/Au:S/C:C/I:C/A:C   (CVSS v2.0 has no Critical band; 7.0 to 10.0 is High)