CVE-2020-8605
Published 2020-05-27
Priority: P1 (82)
CVSS 3.1: 8.8 High (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Exploit: public exploit available
EPSS: 87.58% (99.7th percentile)
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this vulnerability.
Affected (2 ranges; version bounds and the fixed-in build are not populated in the source data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_interscan_web_security_virtual_appliance | — | — |
| trendmicro | interscan_web_security_virtual_appliance | — | — |
Detection & IOCs (extracted from sources)
URL IOC: /solr/collection0/replication?command=filecontent&wt=filestream&generation=1&file=../../../../../../../
- Monitor HTTP POST requests to /rest/commonlog/log_setting/mount_device containing shell metacharacters (e.g., $(), backticks) in the mount_device JSON parameter; this is the command-injection sink.
- Detect unauthenticated GET requests to the internal Apache Solr endpoint on port 8983 (e.g., /solr/collection0/replication?command=filecontent) arriving via the proxy on port 8080; this indicates SSRF/path-traversal chaining.
- Alert on path-traversal sequences (../ repeated 7 times) in the 'file' parameter of Solr replication requests, used to read catalina.out and harvest JSESSIONID values.
- Look for GET requests to /rest/commonlog/get_sessionID with a JSESSIONID cookie; the exploit validates stolen session tokens via this endpoint before proceeding to RCE.
- Detect the payload delivery pattern: perl -e 'system(pack(...))' embedded inside a mount command in the mount_device POST body (a hex-encoded Python meterpreter dropper).
- Flag inbound TLS connections to port 8443 (admin interface) followed shortly by connections to port 8080 (proxy) from the same source IP; this is characteristic of the multi-stage exploit chain.
- The exploit notes an IOC_IN_LOGS side effect; review catalina.out for anomalous JSESSIONID harvesting activity and unexpected mount commands.
- The exploit targets the default SSL admin port 8443; if the appliance is configured on a non-default port the RPORT must be adjusted, so detections keyed on port 8443 alone may miss such deployments.
- The proxy SSRF step requires port 8080 to be reachable from the attacker; if the proxy port is firewalled or changed from the default, the unauthenticated cookie-hijack stage fails and the exploit falls back to requiring valid credentials.
- Cookie hijack succeeds only if an admin or user has an active session whose JSESSIONID appears in catalina.out; if no active sessions exist the exploit cannot proceed without valid credentials.
- The source states that affected versions are strictly prior to 6.5 SP2 Patch 4 Build 1901 and that patched appliances are not vulnerable. Note, however, that the Exploit-DB entry below names Build 1901 as the exploited version, so confirm the fixed build against the Trend Micro advisory (000253095) rather than relying on this boundary alone.
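The detection notes above, turned into code. This is an added example written for this page; it is not code from the page's sources or from the Metasploit module. It assumes a constructed tab-separated log format (time, source IP, destination port, method, request target, Cookie header, body), assumes the POST body is JSON with a key named mount_device, and uses a placeholder path for catalina.out because the page does not give the real one. The chain correlation window of 60 seconds is also an assumption.

```python
"""Detection logic for the CVE-2020-8605 exploit-chain indicators.

Added example, not the page's or the Metasploit module's own code.
Log format, JSON key name and file paths are assumptions (see comments).
"""
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log (not captured from a real appliance). Tab-separated fields:
# time, source IP, destination port, method, request target, Cookie header ('-' if none), body ('-' if none).
# The path after the seven '../' is a placeholder; the real location of catalina.out is not given on the page.
# The pack() hex "6964" decodes to "id", a harmless stand-in for the dropper described in the IOC notes.
SAMPLE_LOG = """\
10:00:01\t203.0.113.7\t8443\tGET\t/\t-\t-
10:00:02\t203.0.113.7\t8080\tGET\t/solr/collection0/replication?command=filecontent&wt=filestream&generation=1&file=../../../../../../../logs/catalina.out\t-\t-
10:00:03\t203.0.113.7\t8443\tGET\t/rest/commonlog/get_sessionID\tJSESSIONID=ABC123\t-
10:00:04\t203.0.113.7\t8443\tPOST\t/rest/commonlog/log_setting/mount_device\tJSESSIONID=ABC123\t{"mount_device": "/dev/sdb1;perl -e 'system(pack(\\"H*\\",\\"6964\\"))'"}
10:00:05\t198.51.100.9\t8443\tPOST\t/rest/commonlog/log_setting/mount_device\tJSESSIONID=DEF456\t{"mount_device": "/dev/sdb1"}
"""

TRAVERSAL_RE = re.compile(r"\.\./")                      # one '../' hop
SHELL_META_RE = re.compile(r"[;|&`]|\$\(")               # metacharacters named in the IOC notes, plus ; | &
PERL_PACK_RE = re.compile(r"perl\s+-e\s+'?system\(pack\(")  # perl -e 'system(pack(...))' dropper pattern


def parse_line(line):
    """Split one constructed log line into a request dict; time is converted to seconds."""
    ts, src, port, method, target, cookie, body = line.split("\t", 6)
    h, m, s = (int(x) for x in ts.split(":"))
    return {
        "t": h * 3600 + m * 60 + s,
        "src": src,
        "port": int(port),
        "method": method,
        "target": target,
        "cookie": None if cookie == "-" else cookie,
        "body": None if body == "-" else body,
    }


def check_request(req):
    """Return the list of indicator names that a single request matches."""
    hits = []
    url = urlsplit(req["target"])
    query = parse_qs(url.query)  # parse_qs percent-decodes once

    # Solr replication file read: traversal in 'file', reached through the port 8080 proxy.
    # unquote() a second time so a double-encoded '../' is still counted.
    if url.path.startswith("/solr/") and url.path.endswith("/replication") \
            and query.get("command") == ["filecontent"]:
        filename = unquote(query.get("file", [""])[0])
        depth = len(TRAVERSAL_RE.findall(filename))
        if depth:
            hits.append(f"solr_file_traversal:depth={depth}")
        if req["port"] == 8080:
            hits.append("solr_reached_via_proxy")

    # Command-injection sink: the mount_device value ends up in a system call.
    if req["method"] == "POST" and url.path == "/rest/commonlog/log_setting/mount_device" and req["body"]:
        try:
            data = json.loads(req["body"])
        except ValueError:
            data = None
        # Assumed key name; if the body is not a JSON object, scan the raw body instead.
        value = str(data.get("mount_device", "")) if isinstance(data, dict) else req["body"]
        if SHELL_META_RE.search(value):
            hits.append("mount_device_shell_metachars")
        if PERL_PACK_RE.search(value):
            hits.append("perl_pack_dropper")

    # The exploit validates a harvested JSESSIONID here before moving on to RCE.
    if req["method"] == "GET" and url.path == "/rest/commonlog/get_sessionID" \
            and req["cookie"] and "JSESSIONID=" in req["cookie"]:
        hits.append("session_token_validation")
    return hits


def scan_log(text, window=60):
    """Per-line findings plus the sources that hit 8443 and then 8080 within `window` seconds."""
    per_line = []
    first_admin_hit = {}
    chain_sources = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        per_line.append(check_request(req))
        if req["port"] == 8443:
            first_admin_hit.setdefault(req["src"], req["t"])
        elif req["port"] == 8080 and req["src"] in first_admin_hit:
            if 0 <= req["t"] - first_admin_hit[req["src"]] <= window:
                chain_sources.add(req["src"])
    return per_line, sorted(chain_sources)


if __name__ == "__main__":
    findings, chains = scan_log(SAMPLE_LOG)
    for i, hits in enumerate(findings):
        print(f"line {i}: {hits or 'clean'}")
    print("8443-then-8080 sources:", chains)
```

Matching on the decoded mount_device value rather than the raw body is what keeps the benign request on the last sample line clean; a rule that only greps the raw body for quotes or parentheses would fire on ordinary JSON. The port-correlation step deliberately keys on the default 8443 and 8080, so it inherits the caveat above about non-default ports.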
CVSS provenance
- NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
Exploit-DB
Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit) (exploitdb, 2020-07-14)
---
Module header as indexed (truncated; the class line was garbled in extraction and is restored to the standard Metasploit skeleton, with the description completed from the module text below):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',
      'Description' => %q{
        This module exploits multiple vulnerabilities together in order to achieve a remote code execution.
        Unauthenticated users can execute a terminal command under the context of the root user.
        The specific flaw exists within the LogSettingHandler class of administrator interface software.
        When parsing the mount_device parameter, the process does not properly validate a user-supplied string
        before using it to execute a system call. An attacker can leverage this vulnerability to execute code
        in the context of root. But authentication is required to exploit this vulnerability. Another specific
        flaw exists within the proxy service, which listens on port 8080 by default.
      }
      # remaining metadata (author, references, targets) and the exploit methods are not reproduced on this page
    ))
  end
end
```
Metasploit
Trend Micro Web Security (Virtual Appliance) Remote Code Execution
This module exploits multiple vulnerabilities together in order to achieve a remote code execution. Unauthenticated users can execute a terminal command under the context of the root user. The specific flaw exists within the LogSettingHandler class of administrator interface software. When parsing the mount_device parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. But authentication is required to exploit this vulnerability. Another specific flaw exists within the proxy service, which listens on port 8080 by default. Unauthenticated users can exploit this vulnerability in order t
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/158171/Trend-Micro-Web-Security-Virtual-Appliance-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158423/Trend-Micro-Web-Security-Remote-Code-Execution.html
- https://success.trendmicro.com/solution/000253095
- https://www.zerodayinitiative.com/advisories/ZDI-20-676/