CVE-2021-36745
Published: 2021-09-29
Priority: P267 · Severity: critical, 9.8 (CVSS 3.1) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.02% (94.6th percentile)
A vulnerability in Trend Micro ServerProtect for Storage 6.0, ServerProtect for EMC Celerra 5.8, ServerProtect for Network Appliance Filers 5.8, and ServerProtect for Microsoft Windows / Novell Netware 5.8 could allow a remote attacker to bypass authentication on affected installations.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_serverprotect_for_emc_celerra | — | — |
| trend_micro | trend_micro_serverprotect_for_microsoft_windows_novell_netware | — | — |
| trend_micro | trend_micro_serverprotect_for_network_appliance_filers | — | — |
| trend_micro | trend_micro_serverprotect_for_storage | — | — |
| trendmicro | serverprotect | — | — |
| trendmicro | serverprotect | — | — |
Detection & IOCs (extracted from sources)
- bytes: 21 43 65 87
- Detect unauthenticated CMD_REGISTER (command 2) messages to TCP port 5005 on Trend Micro ServerProtect Information Server (EarthAgent.exe), especially where console type is 1 and the static credential string '!CRYPT!1087C8A854BBE88D3E554736F39' is present in the payload.
- Detect command 73730 (0x12002) messages sent to TCP port 5005 of EarthAgent.exe; a large max_cnt value (e.g., 0x04924925) in the cmd_73730 struct indicates an integer overflow exploitation attempt.
- All ServerProtect protocol messages begin with the 4-byte magic value 0x87654321 (little-endian: 21 43 65 87); monitor TCP port 5005 for this signature followed by command field 0x00012002 (73730 LE) as an indicator of exploitation.
- Monitor EarthAgent.exe for access violations / heap corruption (eax=41414141 pattern) as an indicator of successful heap buffer overflow exploitation via CVE-2022-25330.
- The static credential used for CMD_REGISTER authentication is hardcoded in EarthAgent.exe version 5.80.0.1575; any client presenting this credential to TCP port 5005 will be authenticated regardless of identity.
- CVE-2022-25330 (integer overflow in command 73730) is chained with CVE-2022-25329 (static credential bypass): an unauthenticated attacker first registers via the static credential, then sends the malformed command 73730 to achieve heap overflow and potential RCE.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
No detection rules found.
No public exploits indexed.
References
- https://success.trendmicro.com/jp/solution/000289030
- https://success.trendmicro.com/solution/000289038
- https://www.zerodayinitiative.com/advisories/ZDI-21-1115/