Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 7.5
CVE Id: CVE-2008-2433
Last Modified: 07 Mar 2011 10:09:11
Published: 27 Aug 2008 04:41:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2008-2433

Summary

The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks. NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration."

Vulnerable Systems

Application

  • Trend Micro Client Server Messaging Suite 3.5

  • Trend Micro Client Server Messaging Suite 3.6

  • Trend Micro OfficeScan 7.0

  • Trend Micro OfficeScan 7.3

  • Trend Micro OfficeScan 8.0

  • Trend Micro Worry-Free Business Security 5.0


References

SECUNIA - 31373

XF - trend-micro-token-security-bypass(44597)

VUPEN - ADV-2008-2421

CONFIRM - http://www.trendmicro.com/ftp/documentation/readme/Readme_WFBS5%200_EN_CriticalPatch1404.txt

CONFIRM - http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2402_readme.txt

SECTRACK - 1020732

BID - 30792

BUGTRAQ - 20080822 Secunia Research: Trend Micro Products Web Management Authentication Bypass

SREASON - 4191

MISC - http://secunia.com/secunia_research/2008-31/advisory/


Last Updated: 27 May 2016 10:47:52