CVE-2020-8466
Published 2020-12-17
Priority: P1 · 80 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 63.71% (99.1st percentile)
A command injection vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2, with the improved password hashing method enabled, could allow an unauthenticated attacker to execute certain commands by providing a manipulated password.
Affected (2 ranges: two CPE spellings of the same product; no version range is recorded, the description names 6.5 SP2)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_interscan_web_security_virtual_appliance | — | — |
| trendmicro | interscan_web_security_virtual_appliance | — | — |
Detection & IOCs (extracted from sources)
suricata (ET Open sid 2032533; the rule uses Suricata sticky buffers such as http.request_body and the startswith modifier, so it is Suricata syntax rather than Snort)
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Trend Micro IWSVA Unauthenticated Command Injection Inbound (CVE-2020-8466)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uid="; startswith; content:"passwd=|60|"; fast_pattern; reference:url,packetstormsecurity.com/files/160602/Trend-Micro-IWSVA-CSRF-XSS-Bypass-SSRF-Code-Execution.html; reference:cve,2020-8466; classtype:attempted-admin; sid:2032533; rev:1; metadata:attack_target Server, created_at 2021_04_08, cve CVE_2020_8466, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
Byte pattern: passwd=|60| (the ASCII string 'passwd=' immediately followed by 0x60, a backtick)
- Exploit traffic is an inbound HTTP POST. The rule requires the request body to begin with 'uid=' (the startswith modifier anchors that match to the start of the body buffer) and to contain 'passwd=' immediately followed by a backtick (hex 0x60), the shell metacharacter used to inject a command through the password field.
- The vulnerability is only triggerable when the 'improved password hashing method' feature is enabled on IWSVA 6.5 SP2; appliances using the default/legacy hashing method are not exposed to this attack path.
- Rule caveats: it inspects the raw, undecoded body, so a client that percent-encodes the backtick ('passwd=%60...') or sends the form fields in a different order will not trigger it, and it carries no host or URI constraint, so hits should be checked against the destination being an IWSVA login endpoint. Complement it by monitoring unauthenticated POST requests to the IWSVA login/authentication endpoint for any shell metacharacter (backtick, pipe, semicolon, '$(') anywhere in the passwd parameter.
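The following Python is an added example, not code from this page, from Trend Micro or from the Emerging Threats rule author. It reproduces the two content matches of sid 2032533 on the raw request body and contrasts them with a URL-decoding check that flags any shell metacharacter in the passwd value, to show which payload shapes the literal rule misses. The field names uid and passwd come from the rule; the request bodies are constructed samples, not captured traffic.

```python
from typing import List
from urllib.parse import unquote_plus

# Shell metacharacters that should never appear in a legitimate password
# submitted to a login form whose value reaches a shell. The ET rule
# (sid 2032533) looks only for a literal backtick, 0x60.
SHELL_META = frozenset("`|;&$()<>\n")


def et_rule_match(body: bytes) -> bool:
    """Mirror the two content matches of ET sid 2032533 on the raw body:
    it must start with 'uid=' (the 'startswith' modifier) and contain
    'passwd=' immediately followed by a backtick ('passwd=|60|').
    Suricata's http.request_body buffer is the raw body, so nothing is
    URL-decoded before matching."""
    return body.startswith(b"uid=") and b"passwd=\x60" in body


def parse_form(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body into a dict."""
    fields = {}
    for pair in body.decode("latin-1").split("&"):
        key, _, value = pair.partition("=")
        if key:
            fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def passwd_metachars(body: bytes) -> List[str]:
    """Broader check: URL-decode the form, then report every shell
    metacharacter found anywhere in the passwd value (sorted)."""
    passwd = parse_form(body).get("passwd", "")
    return sorted(c for c in set(passwd) if c in SHELL_META)


# Constructed sample request bodies (assumptions for illustration, not
# captured traffic). The first is the shape the ET rule is written for.
SAMPLES = {
    "literal_backtick": b"uid=admin&passwd=`id`&submit=Login",
    "percent_encoded": b"uid=admin&passwd=%60id%60&submit=Login",
    "semicolon": b"uid=admin&passwd=x%3Bid&submit=Login",
    "reordered": b"passwd=`id`&uid=admin",
    "benign": b"uid=admin&passwd=Winter2020%21&submit=Login",
}


def scan(samples=SAMPLES) -> dict:
    """Run both checks over each sample.

    Returns {name: (et_rule_hit, metachars_after_decoding)}."""
    return {name: (et_rule_match(b), passwd_metachars(b))
            for name, b in samples.items()}


if __name__ == "__main__":
    for name, (et_hit, meta) in scan().items():
        print(f"{name:17} ET rule hit: {str(et_hit):5}  "
              f"metachars after decode: {meta}")
```

Only the first sample fires the literal rule; the percent-encoded, semicolon and reordered bodies carry the same injection and are caught only by the decoded check. Running the decoded check on the web server or WAF side of TLS termination, where the form body is available, is the practical way to close that gap.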
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
Suricata
ET EXPLOIT Trend Micro IWSVA Unauthenticated Command Injection Inbound (CVE-2020-8466)
suricata · 2021-04-08 · CVSS 9.8 · CRITICAL · sid 2032533
Rule text: see sid 2032533 under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-trend-micro-interscan-web-security-virtual-appliance/ (SEC Consult advisory)
- https://success.trendmicro.com/solution/000283077 (Trend Micro support article)