Vulnerability

    Trend Micro Virus Control System(VCS)

Affected

    Trend Micro Virus Control System(VCS) 1.8

Description

    Miwa   Nobuo   found   following   (SNS   Advisory   No.29).   The
    vulnerability was found  in a CGI  program included in  TrendMicro
    Virus Control System(VCS).  It  may be possible for a  remote user
    to access administrative program and data without authentication.

    VCS is  a software  package designed  to operate  and manage  anti
    virus product included in  gateways, file servers, groupwares  and
    clients.  In order to  manage VCS, an administrator accesses  with
    following URL.

        http://VCSServer/tvcs/EnterPassword.html

    Password  for  its  administrator  is  required then normally.  By
    calling a certain CGI program with unusual way, it is possible  to
    change its configuration and view configuration files.

    Details can not be disclosed now because it has not been fixed yet
    and it will not be fixed immediately.

    Tested versions:
    - Virus Control System(VCS) Ver.1.8 Japanese
    - Virus Control System(VCS) Ver.1.8 English

Solution

    No patches are available now.  Trend Micro support team  responded
    that this problem will be fixed end of this year.  Until the patch
    will  be  released,  set  up  access  control  to refuse access to
    servers in which VCS is installed by non-administrative user.