CVE-2020-8604
Published 2020-05-27
Priority: P2 · 73 · High · CVSS 3.1 base score 7.5
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploit: public exploit available (see the Packet Storm references below)
EPSS: 89.66% (99.8th percentile)
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to disclose sensitive information on affected installations.
Affected
2 ranges (two CPE entries; neither carries version bounds in the feed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_interscan_web_security_virtual_appliance | — | — |
| trendmicro | interscan_web_security_virtual_appliance | — | — |
The sources quoted under Detection & IOCs state that only versions prior to 6.5 SP2 Patch 4 (Build 1901) are affected, so Build 1901 is the first fixed build.
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated requests to the proxy service on port 8080 that attempt to reach internal services; this is the SSRF pivot used in the exploit chain.
- Detect requests targeting the Apache Solr application bundled within the product, particularly those supplying a user-controlled 'file' parameter; these indicate the path traversal / information disclosure (CVE-2020-8604).
- Alert on requests to the LogSettingHandler endpoint containing the 'mount_device' parameter with shell metacharacters; this is the RCE injection point, and it requires authentication.
- The full exploit chain results in unauthenticated RCE as root; look for unexpected root-level process spawns originating from the IWSS web service process.
- The RCE via LogSettingHandler (mount_device injection) requires authentication on its own; it is only unauthenticated when chained with the SSRF via port 8080 and the Solr path traversal.
- Only Trend Micro InterScan Web Security Virtual Appliance versions prior to 6.5 SP2 Patch 4 (Build 1901) are affected.
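The three request-level indicators above can be checked mechanically. The following is an added example written for this page, not code from the page's sources or from Trend Micro: it runs the three rules over constructed log lines in a simple space-separated format that is assumed here (client, listener port, method, request target, status) and is not the appliance's real log layout. The exact Solr path (`/solr/...`) and the LogSettingHandler URL are likewise assumptions for illustration; only the port 8080 proxy, the Solr `file` parameter, and the LogSettingHandler `mount_device` parameter come from the indicators above. A final correlation step reports clients that triggered all three rules, which is the full unauthenticated-RCE chain described in the list.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (not real appliance logs). Assumed format:
# "<client_ip> <listener_port> <method> <request_target> <status>"
# Paths under /solr/ and the LogSettingHandler URL are illustrative guesses.
SAMPLE_LOG = """\
203.0.113.10 8080 GET http://127.0.0.1:8983/solr/admin/file/?file=../../../../etc/passwd 200
203.0.113.10 8080 GET http://example.org/index.html 200
203.0.113.11 8080 GET http://localhost:8983/solr/admin/file/?file=%2e%2e%2f%2e%2e%2fetc%2fshadow 200
203.0.113.11 8443 POST /uiserver/admin_log_setting/LogSettingHandler?mount_device=%2Fdev%2Fsdb1%3Bid 302
203.0.113.12 8443 POST /uiserver/admin_log_setting/LogSettingHandler?mount_device=%2Fdev%2Fsdb1 200
203.0.113.13 8080 CONNECT 10.0.0.5:443 200
"""

SHELL_META = re.compile(r"[;|&`$<>\n]")            # command-injection metacharacters
TRAVERSAL = re.compile(r"(^|[/\\])\.\.(?:[/\\]|$)")  # a '..' path component


@dataclass
class Alert:
    client: str
    rule: str
    detail: str


def parse_query(query: str) -> Dict[str, List[str]]:
    """Split a query string on '&' only, URL-decoding keys and values.

    Done by hand instead of urllib.parse.parse_qs because older Python
    versions also split on ';', which would hide the metacharacter rule 3
    is looking for.
    """
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def is_internal_host(host: str) -> bool:
    """True for loopback, RFC 1918 and link-local targets (the SSRF pivot)."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def analyze_line(line: str) -> List[Alert]:
    client, port, method, target, _status = line.split(" ", 4)
    alerts: List[Alert] = []

    # Proxy-form targets carry a scheme and host; origin-form targets do not.
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
        path, query = "", ""
    else:
        parts = urlsplit(target)
        host = parts.hostname or ""
        path, query = parts.path, parts.query
    params = parse_query(query)

    # Rule 1: request on the port 8080 proxy aimed at an internal host.
    if port == "8080" and host and is_internal_host(host):
        alerts.append(Alert(client, "ssrf_pivot", f"{method} via proxy to internal host {host}"))

    # Rule 2: bundled Solr reached with a traversal sequence in 'file'.
    if "/solr/" in path.lower():
        for value in params.get("file", []):
            if TRAVERSAL.search(value):
                alerts.append(Alert(client, "solr_path_traversal", f"file={value}"))

    # Rule 3: LogSettingHandler with shell metacharacters in 'mount_device'.
    if path.endswith("/LogSettingHandler"):
        for value in params.get("mount_device", []):
            if SHELL_META.search(value):
                alerts.append(Alert(client, "mount_device_injection", f"mount_device={value}"))
    return alerts


def analyze_log(text: str) -> List[Alert]:
    return [a for line in text.splitlines() if line.strip() for a in analyze_line(line)]


def clients_with_full_chain(alerts: List[Alert]) -> List[str]:
    """Clients seen performing SSRF, Solr traversal and the injection: the full chain."""
    needed = {"ssrf_pivot", "solr_path_traversal", "mount_device_injection"}
    seen: Dict[str, set] = {}
    for a in alerts:
        seen.setdefault(a.client, set()).add(a.rule)
    return sorted(c for c, rules in seen.items() if needed <= rules)


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.client:15} {a.rule:24} {a.detail}")
    print("full chain from:", clients_with_full_chain(found))
```

The host check deliberately uses `ipaddress` rather than a string prefix list so that link-local and IPv6 loopback targets are caught as well; the query parser decodes percent-encoding before matching, since an encoded `%3B` or `%2e%2e%2f` would otherwise slip past both regexes.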
CVSS provenance
- NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/158171/Trend-Micro-Web-Security-Virtual-Appliance-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158423/Trend-Micro-Web-Security-Remote-Code-Execution.html
- https://success.trendmicro.com/solution/000253095
- https://www.zerodayinitiative.com/advisories/ZDI-20-678/