Core Security experts have found multiple security flaws in Trend Micro's Linux-based Email Encryption Gateway. Some of the vulnerabilities have been rated critical or high severity, and the set received the CVE identifiers CVE-2018-6219 through CVE-2018-6230.
According to the researchers, the most severe vulnerability could be exploited by a local or remote attacker with access to the targeted system to execute arbitrary commands with root privileges.
“Encryption for Email Gateway [1] is a Linux-based software solution providing the ability to perform the encryption and decryption of email at the corporate gateway, regardless of the email client, and the platform from which it originated. The encryption and decryption of email on the TMEEG client is controlled by a Policy Manager that enables an administrator to configure policies based on various parameters, such as sender and recipient email addresses,” Core Security experts say.
“Multiple vulnerabilities were found in the Trend Micro Email Encryption Gateway web console that would allow a remote unauthenticated attacker to gain command execution as root.”
The most critical security flaw is CVE-2018-6223, which is related to missing authentication for appliance registration.
System administrators configure the virtual appliance running Email Encryption Gateway during deployment through a registration endpoint.
The experts found that attackers can reach this endpoint without any authentication and use it to set administrator credentials and change other configuration parameters.
“The registration endpoint is provided for system administrators to configure the virtual appliance upon deployment. However, this endpoint remains accessible without authentication even after the appliance is configured, which would allow attackers to set configuration parameters such as the administrator username and password,” the security analysis reads.
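To make the flaw class concrete, here is an added illustration (not Trend Micro's code, and not from the Core Security advisory) of a deployment-time registration endpoint in the flawed form described above beside a hardened form that refuses re-registration once setup is complete unless the current administrator authenticates. The request fields, the `Appliance` state and the hashing scheme are assumptions made for the example.

```python
# Added illustration, not Trend Micro code: model of a registration endpoint that
# stays reachable after deployment (flawed) versus one gated on setup state (hardened).
# Field names and the Appliance layout are assumptions for this example.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Appliance:
    admin_user: str = ""
    admin_pw_hash: str = ""
    registered: bool = False  # flipped once initial deployment is complete


def _hash(pw: str) -> str:
    # SHA-256 keeps the example short; a real appliance should use a slow
    # password KDF (bcrypt, scrypt, Argon2) for stored credentials.
    return hashlib.sha256(pw.encode()).hexdigest()


def _apply(app: Appliance, form: dict) -> int:
    app.admin_user = form["username"]
    app.admin_pw_hash = _hash(form["password"])
    app.registered = True
    return 200  # HTTP status the handler would return


def register_flawed(app: Appliance, form: dict) -> int:
    """Flawed pattern: the endpoint never checks whether setup already happened,
    so anyone who can reach it can rewrite the administrator credentials."""
    return _apply(app, form)


def register_hardened(app: Appliance, form: dict,
                      auth: Optional[Tuple[str, str]] = None) -> int:
    """Hardened pattern: unauthenticated registration is only accepted while the
    appliance is unregistered; afterwards the same action requires the current
    administrator's username and password (compared in constant time)."""
    if app.registered:
        if auth is None:
            return 403
        user, pw = auth
        if not (hmac.compare_digest(user, app.admin_user)
                and hmac.compare_digest(_hash(pw), app.admin_pw_hash)):
            return 403
    return _apply(app, form)
```

The hardened handler also shows the detection angle: any 403 logged from the registration path on an already-registered appliance is a signal worth alerting on.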
In addition, the researchers found two high-severity cross-site scripting (XSS) flaws, an arbitrary file write issue that can lead to command execution, an arbitrary log file location issue that also leads to command execution, and unvalidated software updates.
The other vulnerabilities the experts have registered are SQL and XML external entity (XXE) injections.
The affected packages are Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) and earlier. Trend Micro addressed ten of the vulnerabilities in version 5.5 Build 1129.
Considering the report timeline, it appears that Trend Micro took more than six months to issue the security patches.
Trend Micro reported that due to the difficulties of implementing a fix, a medium severity CSRF issue and a low severity SQL injection vulnerability have not been patched yet.