Vulnerability in Trend Micro's ServerProtect for Linux [Update]
Security service provider iDefense has reported that a design flaw in user authentication on the web interface of Trend Micro's ServerProtect for Linux allows attackers to switch off the virus scanner on the server or change its settings. The integrated server listens on TCP port 14942 by default and is protected by a user-configured password.
When a user logs on, the web interface stores a cookie called splx_2376_info on the client computer; the cookie contains a valid session ID. Attackers can gain full access to the configuration by sending a cookie named splx_2376_info with a random value as the session ID. For instance, this can be done via an intercepting proxy or raw HTTP requests.
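The Python sketch below is an added example, not Trend Micro's code and not part of iDefense's advisory. It contrasts a check that accepts any splx_2376_info cookie, as the flaw is described above, with a lookup against session IDs the server actually issued. The SessionStore class, the function names and the 15-minute timeout are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "splx_2376_info"   # cookie name given in the advisory
SESSION_TTL = 900                # assumed session lifetime in seconds

def parse_cookie(header):
    """Return the session cookie value from a Cookie header, or None."""
    jar = SimpleCookie()
    try:
        jar.load(header or "")
    except CookieError:
        return None
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None

def flawed_is_authenticated(cookie_header):
    """Model of the reported flaw: the cookie's presence alone is trusted."""
    return parse_cookie(cookie_header) is not None

class SessionStore:
    """Server-side record of the session IDs that were actually issued."""
    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._sessions = {}      # session ID -> expiry timestamp
        self._ttl = ttl
        self._clock = clock

    def login(self):
        """Call only after the password check succeeded; returns a new ID."""
        sid = secrets.token_urlsafe(32)   # unguessable, from the OS CSPRNG
        self._sessions[sid] = self._clock() + self._ttl
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def is_authenticated(self, cookie_header):
        """Accept only an ID this server issued and that has not expired."""
        sid = parse_cookie(cookie_header)
        expiry = self._sessions.get(sid) if sid else None
        if expiry is None:
            return False         # missing cookie or an ID never issued
        if self._clock() >= expiry:
            del self._sessions[sid]
            return False
        return True
```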
The security hole affects Trend Micro's ServerProtect for Linux [Update] 1.25, 1.3 and 2.5 [/Update]. The vendor has provided updates that administrators are advised to install immediately. In addition, administrators should restrict access to the server port to trusted computers.
- Trend Micro ServerProtect Web Interface Authorization Bypass Vulnerability, iDefense's security advisory
- Download the patches for ServerProtect for Linux