Sign-up

ID

VAR-201805-0276


CVE

CVE-2018-10355


TITLE

Trend Micro Email Encryption Gateway Vulnerabilities related to certificate and password management

Trust: 0.8

sources: JVNDB: JVNDB-2018-005203

DESCRIPTION

An authentication weakness vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to recover user passwords on vulnerable installations due to a flaw in the DBCrypto class. An attacker must first obtain access to the user database on the target system in order to exploit this vulnerability. When storing user passwords, the process stores them in a recoverable format using a hard-coded key. An attacker can then leverage this vulnerability to decrypt existing passwords. Multiple SQL-injection vulnerabilities 2. A command-injection vulnerability 3. An insecure authentication weakness Exploiting these issues could allow an attacker to access or modify data, or exploit latent vulnerabilities in the underlying database, execute arbitrary command, bypass authentication mechanism, execute arbitrary code and obtain sensitive information. This may aid in further attacks

Trust: 2.61

sources: NVD: CVE-2018-10355 // JVNDB: JVNDB-2018-005203 // ZDI: ZDI-18-411 // BID: 104314 // VULHUB: VHN-120106

AFFECTED PRODUCTS

vendor:trendmicromodel:email encryption gatewayscope:lteversion:5.5

Trust: 1.0

vendor:trend micromodel:email encryption gatewayscope:eqversion:5.5

Trust: 0.8

vendor:trend micromodel:encryption for email gatewayscope: - version: -

Trust: 0.7

vendor:trendmicromodel:email encryption gatewayscope:eqversion:5.5

Trust: 0.6

vendor:trend micromodel:email encryption gateway buildscope:eqversion:5.51111

Trust: 0.3

vendor:trend micromodel:email encryption gateway buildscope:eqversion:5.51107

Trust: 0.3

vendor:trend micromodel:email encryption gateway buildscope:eqversion:5.51073

Trust: 0.3

sources: ZDI: ZDI-18-411 // BID: 104314 // JVNDB: JVNDB-2018-005203 // CNNVD: CNNVD-201805-775 // NVD: CVE-2018-10355

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-10355
value: HIGH

Trust: 1.0

NVD: CVE-2018-10355
value: HIGH

Trust: 0.8

ZDI: CVE-2018-10355
value: LOW

Trust: 0.7

CNNVD: CNNVD-201805-775
value: HIGH

Trust: 0.6

VULHUB: VHN-120106
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-10355
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

VULHUB: VHN-120106
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-10355
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: ZDI: ZDI-18-411 // VULHUB: VHN-120106 // JVNDB: JVNDB-2018-005203 // CNNVD: CNNVD-201805-775 // NVD: CVE-2018-10355

PROBLEMTYPE DATA

problemtype:CWE-522

Trust: 1.1

problemtype:CWE-255

Trust: 0.9

sources: VULHUB: VHN-120106 // JVNDB: JVNDB-2018-005203 // NVD: CVE-2018-10355

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201805-775

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201805-775

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-005203

PATCH
title:1119349url:https://success.trendmicro.com/solution/1119349
Trust: 1.5
title:Trend Micro Email Encryption Gateway Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83660
Trust: 0.6
sources:
            
            
            ZDI: ZDI-18-411 // 
            
            
            
            JVNDB: JVNDB-2018-005203 // 
            
            
            
            CNNVD: CNNVD-201805-775

EXTERNAL IDS
db:NVDid:CVE-2018-10355
Trust: 3.5
db:ZDIid:ZDI-18-411
Trust: 2.7
db:JVNDBid:JVNDB-2018-005203
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-5513
Trust: 0.7
db:CNNVDid:CNNVD-201805-775
Trust: 0.7
db:ZDIid:ZDI-18-418
Trust: 0.3
db:ZDIid:ZDI-18-419
Trust: 0.3
db:ZDIid:ZDI-18-415
Trust: 0.3
db:ZDIid:ZDI-18-416
Trust: 0.3
db:BIDid:104314
Trust: 0.3
db:VULHUBid:VHN-120106
Trust: 0.1
sources:
            
            
            ZDI: ZDI-18-411 // 
            
            
            
            VULHUB: VHN-120106 // 
            
            
            
            BID: 104314 // 
            
            
            
            JVNDB: JVNDB-2018-005203 // 
            
            
            
            CNNVD: CNNVD-201805-775 // 
            
            
            
            NVD: CVE-2018-10355

REFERENCES
url:https://success.trendmicro.com/solution/1119349
Trust: 2.4
url:https://www.zerodayinitiative.com/advisories/zdi-18-411/
Trust: 2.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10355
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-10355
Trust: 0.8
url:http://www.trend.com
Trust: 0.3
url:trend micro encryption for email gateway dbcrypto authentication weakness vulnerability
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-419/
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-418/
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-416/
Trust: 0.3
url:https://www.zerodayinitiative.com/advisories/zdi-18-415/
Trust: 0.3
sources:
            
            
            ZDI: ZDI-18-411 // 
            
            
            
            VULHUB: VHN-120106 // 
            
            
            
            BID: 104314 // 
            
            
            
            JVNDB: JVNDB-2018-005203 // 
            
            
            
            CNNVD: CNNVD-201805-775 // 
            
            
            
            NVD: CVE-2018-10355

CREDITS
Steven Seeley of Source Incite
Trust: 0.7
sources:
            
            
            ZDI: ZDI-18-411

SOURCES
db:ZDIid:ZDI-18-411
db:VULHUBid:VHN-120106
db:BIDid:104314
db:JVNDBid:JVNDB-2018-005203
db:CNNVDid:CNNVD-201805-775
db:NVDid:CVE-2018-10355

LAST UPDATE DATE
2024-11-23T22:17:30.837000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-18-411date:2018-05-04T00:00:00
db:VULHUBid:VHN-120106date:2019-10-03T00:00:00
db:BIDid:104314date:2018-05-04T00:00:00
db:JVNDBid:JVNDB-2018-005203date:2018-07-10T00:00:00
db:CNNVDid:CNNVD-201805-775date:2019-10-23T00:00:00
db:NVDid:CVE-2018-10355date:2024-11-21T03:41:15.057

SOURCES RELEASE DATE
db:ZDIid:ZDI-18-411date:2018-05-04T00:00:00
db:VULHUBid:VHN-120106date:2018-05-23T00:00:00
db:BIDid:104314date:2018-05-04T00:00:00
db:JVNDBid:JVNDB-2018-005203date:2018-07-10T00:00:00
db:CNNVDid:CNNVD-201805-775date:2018-05-24T00:00:00
db:NVDid:CVE-2018-10355date:2018-05-23T16:29:00.427