CVE-2021-36745
published 2021-09-29


Priority: P267
Severity: critical (CVSS 3.1 base score 9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.02% (94.6th percentile)
A vulnerability in Trend Micro ServerProtect for Storage 6.0, ServerProtect for EMC Celerra 5.8, ServerProtect for Network Appliance Filers 5.8, and ServerProtect for Microsoft Windows / Novell Netware 5.8 could allow a remote attacker to bypass authentication on affected installations.

Affected

6 ranges (the version range and fixed-in columns are empty on this page; the affected versions are those named in the description above)

Vendor        Product
trend_micro   trend_micro_serverprotect_for_emc_celerra
trend_micro   trend_micro_serverprotect_for_microsoft_windows_novell_netware
trend_micro   trend_micro_serverprotect_for_network_appliance_filers
trend_micro   trend_micro_serverprotect_for_storage
trendmicro    serverprotect
trendmicro    serverprotect

Detection & IOCs (extracted from sources)

port      5005 (TCP)
process   EarthAgent.exe
registry  HKLM\SOFTWARE\WOW6432Node\Trend\ServerProtect\CurrentVersion\InformationServer\
bytes     21 43 65 87 (protocol magic 0x87654321, little-endian)
  • Detect unauthenticated CMD_REGISTER (command 2) messages to TCP port 5005 on the Trend Micro ServerProtect Information Server (EarthAgent.exe), especially where the console type is 1 and the static credential string '!CRYPT!1087C8A854BBE88D3E554736F39' is present in the payload.
  • Detect command 73730 (0x12002) messages sent to TCP port 5005 of EarthAgent.exe; a large max_cnt value (e.g., 0x04924925) in the cmd_73730 struct indicates an integer overflow exploitation attempt.
  • All ServerProtect protocol messages begin with the 4-byte magic value 0x87654321 (little-endian bytes 21 43 65 87); monitor TCP port 5005 for this signature followed by command field 73730 (0x00012002, little-endian bytes 02 20 01 00) as an indicator of exploitation.
  • Monitor EarthAgent.exe for access violations / heap corruption (eax=41414141 pattern) as an indicator of successful heap buffer overflow exploitation via CVE-2022-25330.
  • The static credential used for CMD_REGISTER authentication is hardcoded in EarthAgent.exe version 5.80.0.1575; any client presenting this credential to TCP port 5005 is authenticated regardless of identity.
  • CVE-2022-25330 (integer overflow in command 73730) is chained with CVE-2022-25329 (static credential bypass): an unauthenticated attacker first registers via the static credential, then sends the malformed command 73730 to achieve a heap overflow and potential RCE.

Note that the last three indicators cite the related EarthAgent issues CVE-2022-25329 and CVE-2022-25330 rather than CVE-2021-36745 itself; they are listed here because all of them target the same Information Server listener on TCP port 5005.
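The following detector is an added example, not code from this page or from Trend Micro: it applies the indicators above to raw TCP 5005 payloads. It takes from the page only the magic value, the command numbers, the static credential string and the port. The layout of the command field (the little-endian uint32 directly after the magic), the position of max_cnt (assumed to be the first uint32 of the cmd_73730 payload), the threshold for "large", and the sample flows are all assumptions made for illustration and must be adjusted to the real struct layout before use.

```python
import struct

# Values taken from the indicators on this page.
SERVERPROTECT_PORT = 5005
MAGIC = 0x87654321                 # wire bytes 21 43 65 87
CMD_REGISTER = 2                   # CMD_REGISTER
CMD_73730 = 0x12002                # command 73730
STATIC_CRED = b"!CRYPT!1087C8A854BBE88D3E554736F39"

# Assumptions (not from the page): the command is the little-endian uint32
# right after the magic, and max_cnt is the first uint32 of the cmd_73730
# payload. Replace both once the real struct layout is known.
HEADER = struct.Struct("<II")      # magic, command
MAX_CNT_OFFSET = 0
MAX_CNT_THRESHOLD = 0x00010000     # assumed sane upper bound for max_cnt


def parse_message(data: bytes):
    """Return (command, payload) for a ServerProtect message, or None when
    the 4-byte little-endian magic 0x87654321 is missing."""
    if len(data) < HEADER.size:
        return None
    magic, cmd = HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        return None
    return cmd, data[HEADER.size:]


def classify(data: bytes) -> str:
    """Classify one message sent to the Information Server."""
    parsed = parse_message(data)
    if parsed is None:
        return "not-serverprotect"
    cmd, payload = parsed
    if cmd == CMD_REGISTER:
        # Registration that presents the hardcoded credential string.
        return "static-credential-register" if STATIC_CRED in payload else "register"
    if cmd == CMD_73730:
        if len(payload) >= MAX_CNT_OFFSET + 4:
            (max_cnt,) = struct.unpack_from("<I", payload, MAX_CNT_OFFSET)
            if max_cnt > MAX_CNT_THRESHOLD:
                return "cmd73730-overflow-attempt"
        return "cmd73730"
    return "other"


def scan_flows(flows):
    """flows: iterable of (src_ip, dst_port, payload). Returns a list of
    (src_ip, verdict) alerts for traffic to port 5005. A cmd 73730 overflow
    attempt from a source that already registered with the static credential
    is escalated to the chained verdict described in the indicators."""
    registered = set()
    alerts = []
    for src, dport, data in flows:
        if dport != SERVERPROTECT_PORT:
            continue
        verdict = classify(data)
        if verdict == "static-credential-register":
            registered.add(src)
            alerts.append((src, verdict))
        elif verdict == "cmd73730-overflow-attempt":
            if src in registered:
                verdict = "chained-bypass-then-overflow"
            alerts.append((src, verdict))
    return alerts


def build_message(cmd: int, payload: bytes) -> bytes:
    """Build a message with the magic and command prefix (used for samples)."""
    return HEADER.pack(MAGIC, cmd) + payload


# Constructed sample traffic for the demonstration; not a real capture.
SAMPLE_FLOWS = [
    ("10.0.0.5", 5005, build_message(CMD_REGISTER, struct.pack("<I", 1) + STATIC_CRED)),
    ("10.0.0.5", 5005, build_message(CMD_73730, struct.pack("<I", 0x04924925))),
    ("10.0.0.9", 5005, build_message(7, b"\x00" * 16)),         # unrelated command
    ("10.0.0.9", 80, b"GET / HTTP/1.1\r\n\r\n"),                 # not ServerProtect
    ("10.0.0.7", 5005, build_message(CMD_73730, struct.pack("<I", 0x04924925))),
]

if __name__ == "__main__":
    for src, verdict in scan_flows(SAMPLE_FLOWS):
        print(f"{src}: {verdict}")
```

Run against reassembled TCP streams (for example from a Zeek or Suricata file extraction, or a pcap split per connection) rather than individual packets, since the magic and command field may straddle segment boundaries; the per-source state in scan_flows is what turns two separately benign-looking alerts into the register-then-overflow chain the sources describe.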

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C