Sign-up

ID

VAR-201805-0275


CVE

CVE-2018-10354


TITLE

Trend Micro Email Encryption Gateway Command injection vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2018-005204 // CNNVD: CNNVD-201805-776

DESCRIPTION

A command injection remote command execution vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to execute arbitrary code on vulnerable installations due to a flaw in the LauncherServer. Authentication is required to exploit this vulnerability. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of root. Multiple SQL-injection vulnerabilities 2. A command-injection vulnerability 3. This may aid in further attacks

Trust: 2.61

sources: NVD: CVE-2018-10354 // JVNDB: JVNDB-2018-005204 // ZDI: ZDI-18-416 // BID: 104314 // VULHUB: VHN-120105

AFFECTED PRODUCTS

vendor:trendmicromodel:email encryption gatewayscope:lteversion:5.5

Trust: 1.0

vendor:trend micromodel:email encryption gatewayscope:eqversion:5.5

Trust: 0.8

vendor:trend micromodel:encryption for email gatewayscope: - version: -

Trust: 0.7

vendor:trendmicromodel:email encryption gatewayscope:eqversion:5.5

Trust: 0.6

vendor:trend micromodel:email encryption gateway buildscope:eqversion:5.51111

Trust: 0.3

vendor:trend micromodel:email encryption gateway buildscope:eqversion:5.51107

Trust: 0.3

vendor:trend micromodel:email encryption gateway buildscope:eqversion:5.51073

Trust: 0.3

sources: ZDI: ZDI-18-416 // BID: 104314 // JVNDB: JVNDB-2018-005204 // CNNVD: CNNVD-201805-776 // NVD: CVE-2018-10354

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-10354
value: HIGH

Trust: 1.0

NVD: CVE-2018-10354
value: HIGH

Trust: 0.8

ZDI: CVE-2018-10354
value: HIGH

Trust: 0.7

CNNVD: CNNVD-201805-776
value: HIGH

Trust: 0.6

VULHUB: VHN-120105
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-10354
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

VULHUB: VHN-120105
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-10354
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: ZDI: ZDI-18-416 // VULHUB: VHN-120105 // JVNDB: JVNDB-2018-005204 // CNNVD: CNNVD-201805-776 // NVD: CVE-2018-10354

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.1

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-120105 // JVNDB: JVNDB-2018-005204 // NVD: CVE-2018-10354

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201805-776

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201805-776

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-005204

PATCH
title:1119349url:https://success.trendmicro.com/solution/1119349
Trust: 1.5
title:Trend Micro Email Encryption Gateway Fixes for command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83661
Trust: 0.6
sources:
            
            
            ZDI: ZDI-18-416 // 
            
            
            
            JVNDB: JVNDB-2018-005204 // 
            
            
            
            CNNVD: CNNVD-201805-776

EXTERNAL IDS
db:NVDid:CVE-2018-10354
Trust: 3.5
db:ZDIid:ZDI-18-416
Trust: 2.7
db:JVNDBid:JVNDB-2018-005204
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-5552
Trust: 0.7
db:CNNVDid:CNNVD-201805-776
Trust: 0.6
db:ZDIid:ZDI-18-418
Trust: 0.3
db:ZDIid:ZDI-18-411
Trust: 0.3
db:ZDIid:ZDI-18-419
Trust: 0.3
db:ZDIid:ZDI-18-415
Trust: 0.3
db:BIDid:104314
Trust: 0.3
db:VULHUBid:VHN-120105
Trust: 0.1
sources:
            
            
            ZDI: ZDI-18-416 // 
            
            
            
            VULHUB: VHN-120105 // 
            
            
            
            BID: 104314 // 
            
            
            
            JVNDB: JVNDB-2018-005204 // 
            
            
            
            CNNVD: CNNVD-201805-776 // 
            
            
            
            NVD: CVE-2018-10354

REFERENCES
url:https://success.trendmicro.com/solution/1119349
Trust: 2.4
url:https://www.zerodayinitiative.com/advisories/zdi-18-416/
Trust: 2.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10354
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-10354
Trust: 0.8
url:http://www.trend.com
Trust: 0.3
url:trend micro encryption for email gateway dbcrypto authentication weakness vulnerability
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-411/
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-419/
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-418/
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-415/
Trust: 0.3
sources:
            
            
            ZDI: ZDI-18-416 // 
            
            
            
            VULHUB: VHN-120105 // 
            
            
            
            BID: 104314 // 
            
            
            
            JVNDB: JVNDB-2018-005204 // 
            
            
            
            CNNVD: CNNVD-201805-776 // 
            
            
            
            NVD: CVE-2018-10354

CREDITS
Steven Seeley (mr_me) of Source Incite
Trust: 1.0
sources:
            
            
            ZDI: ZDI-18-416 // 
            
            
            
            BID: 104314

SOURCES
db:ZDIid:ZDI-18-416
db:VULHUBid:VHN-120105
db:BIDid:104314
db:JVNDBid:JVNDB-2018-005204
db:CNNVDid:CNNVD-201805-776
db:NVDid:CVE-2018-10354

LAST UPDATE DATE
2024-11-23T22:17:30.701000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-18-416date:2018-05-04T00:00:00
db:VULHUBid:VHN-120105date:2019-10-03T00:00:00
db:BIDid:104314date:2018-05-04T00:00:00
db:JVNDBid:JVNDB-2018-005204date:2018-07-10T00:00:00
db:CNNVDid:CNNVD-201805-776date:2019-10-23T00:00:00
db:NVDid:CVE-2018-10354date:2024-11-21T03:41:14.947

SOURCES RELEASE DATE
db:ZDIid:ZDI-18-416date:2018-05-04T00:00:00
db:VULHUBid:VHN-120105date:2018-05-23T00:00:00
db:BIDid:104314date:2018-05-04T00:00:00
db:JVNDBid:JVNDB-2018-005204date:2018-07-10T00:00:00
db:CNNVDid:CNNVD-201805-776date:2018-05-24T00:00:00
db:NVDid:CVE-2018-10354date:2018-05-23T16:29:00.380