Sign-up

ID

VAR-201805-0273


CVE

CVE-2018-10352


TITLE

Trend Micro Email Encryption Gateway In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-005206

DESCRIPTION

A vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to execute arbitrary SQL statements on vulnerable installations due to a flaw in the formConfiguration class. Authentication is required to exploit this vulnerability. The issue results from the lack of proper validation of user-supplied strings before using them to construct SQL queries. An attacker can leverage this vulnerability to execute code under the context of root. Multiple SQL-injection vulnerabilities 2. A command-injection vulnerability 3. An insecure authentication weakness Exploiting these issues could allow an attacker to access or modify data, or exploit latent vulnerabilities in the underlying database, execute arbitrary command, bypass authentication mechanism, execute arbitrary code and obtain sensitive information. This may aid in further attacks. There is an SQL injection vulnerability in the formConfiguration class in Trend Micro TMEEG version 5.5

Trust: 2.61

sources: NVD: CVE-2018-10352 // JVNDB: JVNDB-2018-005206 // ZDI: ZDI-18-418 // BID: 104314 // VULHUB: VHN-120103

AFFECTED PRODUCTS

vendor:trendmicromodel:email encryption gatewayscope:lteversion:5.5

Trust: 1.0

vendor:trend micromodel:email encryption gatewayscope:eqversion:5.5

Trust: 0.8

vendor:trend micromodel:encryption for email gatewayscope: - version: -

Trust: 0.7

vendor:trendmicromodel:email encryption gatewayscope:eqversion:5.5

Trust: 0.6

vendor:trend micromodel:email encryption gateway buildscope:eqversion:5.51111

Trust: 0.3

vendor:trend micromodel:email encryption gateway buildscope:eqversion:5.51107

Trust: 0.3

vendor:trend micromodel:email encryption gateway buildscope:eqversion:5.51073

Trust: 0.3

sources: ZDI: ZDI-18-418 // BID: 104314 // JVNDB: JVNDB-2018-005206 // CNNVD: CNNVD-201805-778 // NVD: CVE-2018-10352

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-10352
value: HIGH

Trust: 1.0

NVD: CVE-2018-10352
value: HIGH

Trust: 0.8

ZDI: CVE-2018-10352
value: MEDIUM

Trust: 0.7

CNNVD: CNNVD-201805-778
value: MEDIUM

Trust: 0.6

VULHUB: VHN-120103
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-10352
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

VULHUB: VHN-120103
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-10352
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: ZDI: ZDI-18-418 // VULHUB: VHN-120103 // JVNDB: JVNDB-2018-005206 // CNNVD: CNNVD-201805-778 // NVD: CVE-2018-10352

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.9

sources: VULHUB: VHN-120103 // JVNDB: JVNDB-2018-005206 // NVD: CVE-2018-10352

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201805-778

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201805-778

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-005206

PATCH
title:1119349url:https://success.trendmicro.com/solution/1119349
Trust: 1.5
title:Trend Micro Email Encryption Gateway SQL Repair measures for injecting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83663
Trust: 0.6
sources:
            
            
            ZDI: ZDI-18-418 // 
            
            
            
            JVNDB: JVNDB-2018-005206 // 
            
            
            
            CNNVD: CNNVD-201805-778

EXTERNAL IDS
db:NVDid:CVE-2018-10352
Trust: 3.5
db:ZDIid:ZDI-18-418
Trust: 2.7
db:JVNDBid:JVNDB-2018-005206
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-5550
Trust: 0.7
db:CNNVDid:CNNVD-201805-778
Trust: 0.7
db:NSFOCUSid:39854
Trust: 0.6
db:ZDIid:ZDI-18-411
Trust: 0.3
db:ZDIid:ZDI-18-419
Trust: 0.3
db:ZDIid:ZDI-18-415
Trust: 0.3
db:ZDIid:ZDI-18-416
Trust: 0.3
db:BIDid:104314
Trust: 0.3
db:VULHUBid:VHN-120103
Trust: 0.1
sources:
            
            
            ZDI: ZDI-18-418 // 
            
            
            
            VULHUB: VHN-120103 // 
            
            
            
            BID: 104314 // 
            
            
            
            JVNDB: JVNDB-2018-005206 // 
            
            
            
            CNNVD: CNNVD-201805-778 // 
            
            
            
            NVD: CVE-2018-10352

REFERENCES
url:https://success.trendmicro.com/solution/1119349
Trust: 2.4
url:https://www.zerodayinitiative.com/advisories/zdi-18-418/
Trust: 2.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10352
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-10352
Trust: 0.8
url:http://www.nsfocus.net/vulndb/39854
Trust: 0.6
url:http://www.trend.com
Trust: 0.3
url:trend micro encryption for email gateway dbcrypto authentication weakness vulnerability
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-411/
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-419/
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-416/
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-415/
Trust: 0.3
sources:
            
            
            ZDI: ZDI-18-418 // 
            
            
            
            VULHUB: VHN-120103 // 
            
            
            
            BID: 104314 // 
            
            
            
            JVNDB: JVNDB-2018-005206 // 
            
            
            
            CNNVD: CNNVD-201805-778 // 
            
            
            
            NVD: CVE-2018-10352

CREDITS
Steven Seeley (mr_me) of Source Incite
Trust: 1.0
sources:
            
            
            ZDI: ZDI-18-418 // 
            
            
            
            BID: 104314

SOURCES
db:ZDIid:ZDI-18-418
db:VULHUBid:VHN-120103
db:BIDid:104314
db:JVNDBid:JVNDB-2018-005206
db:CNNVDid:CNNVD-201805-778
db:NVDid:CVE-2018-10352

LAST UPDATE DATE
2024-11-23T22:17:30.769000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-18-418date:2018-05-04T00:00:00
db:VULHUBid:VHN-120103date:2018-06-22T00:00:00
db:BIDid:104314date:2018-05-04T00:00:00
db:JVNDBid:JVNDB-2018-005206date:2018-07-10T00:00:00
db:CNNVDid:CNNVD-201805-778date:2018-05-24T00:00:00
db:NVDid:CVE-2018-10352date:2024-11-21T03:41:14.730

SOURCES RELEASE DATE
db:ZDIid:ZDI-18-418date:2018-05-04T00:00:00
db:VULHUBid:VHN-120103date:2018-05-23T00:00:00
db:BIDid:104314date:2018-05-04T00:00:00
db:JVNDBid:JVNDB-2018-005206date:2018-07-10T00:00:00
db:CNNVDid:CNNVD-201805-778date:2018-05-24T00:00:00
db:NVDid:CVE-2018-10352date:2018-05-23T16:29:00.273