Check Point Reference: CPAI-2004-110
Date Published: 12 Oct 2009
Severity: High
Last Updated: Monday 12 October, 2009
Source:
Industry Reference: CVE-2004-1859
Protection Provided by: Security Gateway
Who is Vulnerable?
Vulnerability Description:
There is a directory traversal vulnerability within the web server (ishttpd), which is a component of Trend Micro's Interscan Viruswall product. Viruswall is an enterprise-level proxy that monitors incoming connections over HTTP, SMTP and FTP for file transfers. If Viruswall detects a file being transferred over any of these three protocols, it scans the file for viruses before passing it to the user who made the corresponding request through the proxy.
The proxy product within TrendMicro InterScan is vulnerable to a directory traversal attack. A remote attacker can enumerate the underlying file system and access files that are not meant to be accessible to the attacker. Since TrendMicro Interscan runs under LOCAL_SYSTEM privileges, it is possible for the remote attacker to gain access to all the files on the remote server. There is no difference in the behaviour of the attack target when an exploit attempt is encountered versus regular traffic.
This protection will detect and block attempts to exploit this vulnerability.
Note that in order for this defense to protect your TrendMicro Interscan Proxy Server, you will need to configure your proxy port to work with the HTTP protocol. For example, if the proxy port is 8080, do the following:
1. In the Services tree, click on TCP > HTTP_and_HTTPS_proxy. The TCP Service Properties window opens.
2. Click on Advanced. Select the Protocol Type: HTTP.
If the proxy works on a different port, you can create a new service with the HTTP protocol type under Services > TCP.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.
This protection's log will contain the following information:
Attack Name: Web Server Enforcement Violation.
Attack Information: TrendMicro InterScan Viruswall directory traversal
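
To triage exported gateway logs for this protection, the following added example (not Check Point code) filters records on the two field values listed above and counts hits per source. The semicolon-separated `Key: Value` record layout, the `time` and `src` field names and the sample records are assumptions constructed for illustration.

```python
from collections import Counter

# Field values as given in the advisory's log description.
ATTACK_NAME = "Web Server Enforcement Violation"
ATTACK_INFO = "TrendMicro InterScan Viruswall directory traversal"

def parse_record(line):
    """Split one 'Key: Value; Key: Value' record (assumed layout) into a dict."""
    fields = {}
    for part in line.split(";"):
        # Split on the first colon only, so values such as timestamps stay whole.
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def _norm(value):
    # Compare case-insensitively, ignoring a trailing period and extra spaces.
    return " ".join(value.rstrip(". ").lower().split())

def is_viruswall_traversal(fields):
    """True only when both fields match the values this protection logs."""
    return (_norm(fields.get("attack name", "")) == _norm(ATTACK_NAME)
            and _norm(fields.get("attack information", "")) == _norm(ATTACK_INFO))

def hits_by_source(lines):
    """Count matching records per source address ('src' is an assumed field)."""
    counts = Counter()
    for line in lines:
        fields = parse_record(line)
        if is_viruswall_traversal(fields):
            counts[fields.get("src", "unknown")] += 1
    return counts

# Constructed sample records; addresses come from documentation ranges.
SAMPLE_LOG = [
    "time: 2009-10-12 10:02:11; src: 192.0.2.10; Attack Name: Web Server Enforcement Violation.; "
    "Attack Information: TrendMicro InterScan Viruswall directory traversal",
    "time: 2009-10-12 10:02:15; src: 192.0.2.10; attack name: web server enforcement violation; "
    "attack information: TrendMicro InterScan Viruswall  directory traversal",
    "time: 2009-10-12 10:05:40; src: 198.51.100.7; Attack Name: Web Server Enforcement Violation; "
    "Attack Information: placeholder for a different protection",
    "time: 2009-10-12 10:07:02; Attack Name: Web Server Enforcement Violation; "
    "Attack Information: TrendMicro InterScan Viruswall directory traversal",
]

if __name__ == "__main__":
    for source, count in hits_by_source(SAMPLE_LOG).most_common():
        print(f"{source}\t{count}")
```

Matching on both fields matters because the Attack Name is a category and, as the third sample record shows, can accompany a different Attack Information value.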