Trend Micro patches email gateway, but leaves two flaws unpatched

Trend Micro has patched 10 vulnerabilities in its Email Encryption Gateway product that could be used for remote exploits, but left two others unpatched.

The vulnerabilities were discovered by the security firm Core Security, which released its own advisory on them alongside Trend Micro's bulletin. Core Security has also released proof-of-concept code for these vulnerabilities.

The following issues were patched:

CVE-2018-6219: Insecure Update via HTTP (CVSS 7.5).

CVE-2018-6220: Arbitrary file write leading to command execution (CVSS 7.5).

CVE-2018-6221: Unvalidated Software Updates (CVSS 7.5).

CVE-2018-6222: Arbitrary logs locations leading to command execution (CVSS 7.2).

CVE-2018-6223: Missing authentication for appliance registration (CVSS 9.1).

CVE-2018-6225: XML external entity injection in a configuration script (CVSS 5.5).

CVE-2018-6226: Reflected cross-site scripting in two configuration scripts (CVSS 7.4).

CVE-2018-6227: Stored cross-site scripting in a policy script (CVSS 7.4).

CVE-2018-6228: SQL injection in a policy script (CVSS 4.9).

CVE-2018-6229: SQL injection in an edit policy script (CVSS 6.5).

The two unpatched flaws were:

CVE-2018-6224: Lack of cross-site request forgery protection (CVSS 6.8).

CVE-2018-6230: SQL injection in a search configuration script (CVSS 3.8).

Regarding these two vulnerabilities, Trend Micro made the following observations:

"CVE-2018-6224 (Lack of cross-site request forgery protection) - it was reported that this vulnerability could be chained with at least three other vulnerabilities listed above to lead to remote command execution. The latest TMEEG build addresses the three other vulnerabilities, which should negate the ability to attain remote command execution using this vulnerability.

"In addition, for both CVE-2018-6224 and CVE-2018-6230 (SQL injection in a search configuration script) - the affected components are located in the TMEEG Web console, which by design is not generally Internet-facing and is usually configured for the administrator to only access within the intranet. A recommendation to help mitigate exposure and exploit risk is to ensure that the Web console is secured on the intranet only and with limited access (e.g. assign allowed-access network segment via IP range for example)."


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
