CVE-2020-8606
Published 2020-05-27
Priority: P1 (82) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 72.74% (99.4th percentile)
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authentication on affected installations of Trend Micro InterScan Web Security Virtual Appliance.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_interscan_web_security_virtual_appliance | — | — |
| trendmicro | interscan_web_security_virtual_appliance | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated requests to the proxy service on port 8080 that attempt to reach internal services — this is the SSRF/auth-bypass vector (CVE-2020-8606).
- Alert on requests targeting the LogSettingHandler class with a mount_device parameter containing shell metacharacters or command injection payloads.
- Monitor Apache Solr requests (internal to the appliance) for path traversal patterns in the 'file' parameter, which can be used to disclose files as the IWSS user.
- Chain detection: look for sequences of unauthenticated port-8080 proxy abuse followed by Solr file-read requests and then LogSettingHandler command injection — this three-stage chain achieves unauthenticated RCE as root.
- Only Trend Micro InterScan Web Security Virtual Appliance versions prior to 6.5 SP2 Patch 4 (Build 1901) are vulnerable; patch to that build or later to remediate.
- The proxy service port (8080) is the default but may be reconfigured; verify the actual listening port in your deployment before writing port-based detection rules.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/158171/Trend-Micro-Web-Security-Virtual-Appliance-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158423/Trend-Micro-Web-Security-Remote-Code-Execution.html
- https://success.trendmicro.com/solution/000253095
- https://www.zerodayinitiative.com/advisories/ZDI-20-677/