CVE-2022-25329
Published 2022-02-24
Priority: P2 · 64 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.65% (83.7th percentile)
Trend Micro ServerProtect 6.0/5.8 Information Server uses a static credential to perform authentication when a specific command is typed in the console. An unauthenticated remote attacker with access to the Information Server could exploit this to register to the server and perform authenticated actions.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_serverprotect_for_emc_celerra | — | — |
| trend_micro | trend_micro_serverprotect_for_microsoft_windows_novell_netware | — | — |
| trend_micro | trend_micro_serverprotect_for_network_appliance_filers | — | — |
| trend_micro | trend_micro_serverprotect_for_storage | — | — |
| trendmicro | serverprotect | — | — |
| trendmicro | serverprotect_for_network_appliance_filer | — | — |
| trendmicro | serverprotect_for_storage | — | — |
Detection & IOCs (extracted from sources)
Command: python3 serverprotect_info_server_cmd_73730_int32_overflow.py -t -p 5005 -A -U administrator -P
Bytes: 21 43 65 87 02 00 00 00 00 00 00 00 00 00 00 00
- Detect CMD_REGISTER (command 2) packets to TCP/5005 with console type 1 and the static credential string '!CRYPT!1087C8A854BBE88D3E554736F39' (UTF-16LE encoded) in the payload — this is the hardcoded credential used to authenticate to the Information Server.
- Network traffic to TCP port 5005 beginning with magic bytes 0x21 0x43 0x65 0x87 should be inspected; this is the protocol magic for the ServerProtect Information Server and is present in both exploit stages (CMD_REGISTER and command 73730).
- Detect command 73730 (0x12002) sent to TCP/5005 of EarthAgent.exe; an attacker-supplied max_cnt of 0x04924925 or a similar large value triggers the integer overflow and subsequent heap buffer overflow.
- Monitor EarthAgent.exe for access violations (code 0xc0000005) or heap corruption crashes, which are indicators of successful exploitation of the CVE-2022-25330 integer overflow chained with the CVE-2022-25329 authentication bypass.
- The static credential path is only taken when the CMD_REGISTER (command 2) message has console type set to 1; other console types may not use the static credential.
- CVE-2022-25329 (static credential) is a prerequisite for CVE-2022-25330 (integer overflow in command 73730) — an unauthenticated attacker must first register using the static credential before sending the malicious command 73730.
- The affected binary is EarthAgent.exe version 5.80.0.1575; detections should be scoped to this version of Trend Micro ServerProtect for Microsoft Windows/Novell NetWare 5.8 build 1575.
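A small stateful detector built from the indicators above, as an added example that is neither this page's nor Trend Micro's code. It assumes the command id is the little-endian int32 that follows the 4-byte magic (as in the captured bytes 21 43 65 87 02 00 00 00) and does not model the console-type field, whose offset the page does not give; the sample segments are constructed, not real captures.

```python
import struct

MAGIC = bytes.fromhex("21436587")   # Information Server protocol magic (from the page)
CMD_REGISTER = 2                    # CMD_REGISTER command id (from the page)
CMD_73730 = 0x12002                 # command 73730, the overflow command (from the page)
INFO_SERVER_PORT = 5005
STATIC_CRED = "!CRYPT!1087C8A854BBE88D3E554736F39".encode("utf-16-le")  # credential quoted on the page, UTF-16LE on the wire

def parse_command(payload: bytes):
    """Return the command id, or None if the segment lacks the protocol magic.
    Assumption: the id is the little-endian int32 right after the 4-byte magic,
    matching the captured bytes 21 43 65 87 02 00 00 00."""
    if len(payload) < 8 or payload[:4] != MAGIC:
        return None
    return struct.unpack_from("<I", payload, 4)[0]

class ServerProtectDetector:
    """Per-source state: a client that registered with the static credential and
    then sends command 73730 is reported as the 25329 -> 25330 chain."""
    def __init__(self):
        self.registered = set()

    def inspect(self, src: str, dst_port: int, payload: bytes):
        """Return alert strings for one TCP segment (empty list = nothing seen)."""
        if dst_port != INFO_SERVER_PORT:
            return []
        cmd = parse_command(payload)
        if cmd is None:
            return []
        alerts = []
        if cmd == CMD_REGISTER and STATIC_CRED in payload:
            self.registered.add(src)
            alerts.append("CVE-2022-25329: CMD_REGISTER with static credential")
        elif cmd == CMD_73730:
            if src in self.registered:
                alerts.append("CVE-2022-25330 chain: command 73730 after static-credential register")
            else:
                alerts.append("command 73730 to Information Server (review)")
        return alerts

# Constructed sample segments (not real captures): magic, command id, filler.
def sample_segments():
    register = MAGIC + struct.pack("<I", CMD_REGISTER) + b"\x00" * 8 + STATIC_CRED
    cmd73730 = MAGIC + struct.pack("<I", CMD_73730) + b"\x00" * 8
    benign = b"GET / HTTP/1.1\r\n"
    return [("10.0.0.7", 5005, register), ("10.0.0.7", 5005, cmd73730), ("10.0.0.9", 5005, benign)]

def run():
    det = ServerProtectDetector()
    return [det.inspect(*seg) for seg in sample_segments()]
```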
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No public exploits indexed.