CVE-2022-25329
published 2022-02-24


Priority: P264
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.65% (83.7th percentile)
Trend Micro ServerProtect 6.0/5.8 Information Server uses a static credential to perform authentication when a specific command is typed in the console. An unauthenticated remote attacker with access to the Information Server could exploit this to register to the server and perform authenticated actions.

Affected (7 ranges)

Vendor        Product                                                       Version range   Fixed in
trend_micro   trend_micro_serverprotect_for_emc_celerra
trend_micro   trend_micro_serverprotect_for_microsoft_windows_novell_netware
trend_micro   trend_micro_serverprotect_for_network_appliance_filers
trend_micro   trend_micro_serverprotect_for_storage
trendmicro    serverprotect
trendmicro    serverprotect_for_network_appliance_filer
trendmicro    serverprotect_for_storage

Detection & IOCs (extracted from sources)

process: EarthAgent.exe
port: 5005
filename: serverprotect_info_server_cmd_73730_int32_overflow.py
registry: HKLM\SOFTWARE\WOW6432Node\Trend\ServerProtect\CurrentVersion\InformationServer\
command: python3 serverprotect_info_server_cmd_73730_int32_overflow.py -t -p 5005 -A -U administrator -P
bytes: 21 43 65 87 02 00 00 00 00 00 00 00 00 00 00 00
  • Detect CMD_REGISTER (command 2) packets to TCP/5005 with console type 1 and the static credential string '!CRYPT!1087C8A854BBE88D3E554736F39' (UTF-16LE encoded) in the payload — this is the hardcoded credential used to authenticate to the Information Server.
  • Network traffic to TCP port 5005 beginning with magic bytes 0x21 0x43 0x65 0x87 should be inspected; this is the protocol magic for the ServerProtect Information Server and is present in both exploit stages (CMD_REGISTER and command 73730).
  • Detect command 73730 (0x12002) sent to TCP/5005 of EarthAgent.exe; an attacker-supplied max_cnt of 0x04924925 or similar large value triggers the integer overflow and subsequent heap buffer overflow.
  • Monitor EarthAgent.exe for access violations (code 0xc0000005) or heap corruption crashes, which are indicators of successful exploitation of the CVE-2022-25330 integer overflow chained with CVE-2022-25329 authentication bypass.
  • The static credential is only triggered when the CMD_REGISTER (command 2) message has console type set to 1; other console types may not use the static credential path.
  • CVE-2022-25329 (static credential) is a prerequisite for CVE-2022-25330 (integer overflow in command 73730): an unauthenticated attacker must first register using the static credential before sending the malicious command 73730.
  • The affected binary is EarthAgent.exe version 5.80.0.1575; detections should be scoped to this version of Trend Micro ServerProtect for Microsoft Windows/Novell NetWare 5.8 build 1575.
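As an added example (not code from the page's sources or from Trend Micro), a small Python inspector that applies the detection notes above to TCP/5005 payloads and rates a client's sequence of messages. The header layout (4-byte magic followed by a little-endian uint32 command id) is an assumption inferred from the sample bytes, and the console-type field is not parsed because its offset is not given; the sample payloads are constructed, not captured.

```python
import struct

# Values taken from the detection notes above: protocol magic, command ids
# and the hardcoded credential (UTF-16LE on the wire).
MAGIC = bytes.fromhex("21436587")
CMD_REGISTER = 2
CMD_OVERFLOW = 73730  # 0x12002
STATIC_CRED = "!CRYPT!1087C8A854BBE88D3E554736F39".encode("utf-16-le")


def inspect_payload(payload: bytes) -> dict:
    """Classify one TCP/5005 payload sent to the Information Server.

    Assumed layout (not stated on the page): 4-byte magic, then a
    little-endian uint32 command id, matching '21 43 65 87 02 00 00 00'.
    Console type is not parsed (offset unknown), so the credential is
    matched anywhere in the payload.
    """
    if len(payload) < 8 or payload[:4] != MAGIC:
        return {"magic": False, "command": None, "findings": []}
    (cmd,) = struct.unpack_from("<I", payload, 4)
    findings = []
    if cmd == CMD_REGISTER and STATIC_CRED in payload:
        findings.append("CMD_REGISTER carrying static credential (CVE-2022-25329)")
    if cmd == CMD_OVERFLOW:
        findings.append("command 73730 (CVE-2022-25330 candidate)")
    return {"magic": True, "command": cmd, "findings": findings}


def flag_session(payloads: list) -> str:
    """Rate one client's payload sequence: the chain described above is a
    static-credential registration followed by command 73730."""
    registered = False
    for p in payloads:
        r = inspect_payload(p)
        if any("CVE-2022-25329" in f for f in r["findings"]):
            registered = True
        if registered and r["command"] == CMD_OVERFLOW:
            return "critical: static-credential registration followed by command 73730"
    return "warning: static credential used" if registered else "none"


# Constructed sample payloads (not real captures): header, padding, credential.
SAMPLE_REGISTER = MAGIC + struct.pack("<I", CMD_REGISTER) + bytes(8) + STATIC_CRED
SAMPLE_OVERFLOW = MAGIC + struct.pack("<I", CMD_OVERFLOW) + bytes(12)
SAMPLE_BENIGN = MAGIC + struct.pack("<I", 7) + bytes(12)

if __name__ == "__main__":
    print(flag_session([SAMPLE_REGISTER, SAMPLE_OVERFLOW]))
```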

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P