Attackers could exploit security holes in Trend Micro Inc.'s ServerProtect line to cause a denial-of-service or run malicious code, the iDefense division of Mountain View, Calif.-based VeriSign Inc. warned in a series of advisories.
ServerProtect provides comprehensive antivirus scanning for servers, detecting and removing viruses from typical and compressed files in real time before they reach the user, Trend Micro says on its Web site. The Tokyo-based vendor adds that "administrators can use a Windows-based console for centralized management of virus outbreaks, virus scanning, virus pattern file updates, notifications, and remote installation."
In addition to Trend Micro's ServerProtect product for Microsoft Windows/Novell Netware, there are also version for Linux systems, Network Appliance Inc. filters and for EMC Corp.'s Celerra file servers.
According to iDefense, the security holes are:
A denial-of-service vulnerability in the EarthAgent daemon. By exploiting this, attackers could cause the target process to consume 100% of available [central processing unit] CPU resources, iDefense said, adding, "The problem specifically exists within ServerProtect EarthAgent in the handling of maliciously crafted packets transmitted with the magic value 'x21x43x65x87' targeting TCP port 5005. A memory leak also occurs with each received exploit packet, allowing an attacker to exhaust all available memory resources with repeated attack."
Trend Micro has issued a hotfix that it says "prevents the information server's CPU usage from increasing when responding to the malicious command."
As a workaround, iDefense recommends users "employ firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to vulnerable systems on TCP port 5005."
A heap overflow flaw in the ServerProtect Management Console. Remote attackers could launch malicious code with the privileges of the underlying Web server by exploiting a problem within the relay.dll ISAPI application when large POST requests are processed with "wrapped" length values.
Another Management Console flaw allows remote attackers to do the same type of damage. "The problem specifically exists within the isaNVWRequest.dll ISAPI application upon processing of large POST requests with 'wrapped' length values," iDefense said.
The Management Console also suffers from an input validation vulnerability. Attackers could exploit this to view the contents of arbitrary files on the underlying system. "The problem specifically exists within the handling of the IMAGE parameter in the script rptserver.asp," iDefense said. "An attacker can utilize directory traversal modifiers to traverse outside the system temporary directory and access any file on the same volume."
Trend Micro said its products will eventually be updated, sealing the security holes in the process. For now, iDefense said users can mitigate the Management Console threats by employing firewalls and accessing control lists or other TCP/UDP restriction mechanisms "to limit access to the vulnerable system on the configured port, generally TCP port 80."