CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-6235 – Trend Micro Maximum Security tmnciesc Out-Of-Bounds Write Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2018-6235
An Out-of-Bounds write privilege escalation vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within processing of IOCTL 0x222814 by the tmnciesc.sys driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Una vulnerabilidad de escalado de privilegios por escritura fuera de límites en Trend Micro Maximum Security (Consumer) 2018 podría permitir que un atacante local escale privilegios en instalaciones vulnerables debido a un error en el procesamiento de llamadas IOCTL 0x222814 por parte del controlador tmnciesc.sys. En primer lugar, un atacante debe obtener la capacidad de ejecutar código de bajos privilegios en el sistema objetivo para explotar esta vulnerabilidad. This vulnerability allows local attackers to escalate privileges on vulnerable installations of Trend Micro Maximum Security. • https://esupport.trendmicro.com/en-us/home/pages/technical-support/1119591.aspx https://www.zerodayinitiative.com/advisories/ZDI-18-269 • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-6234 – Trend Micro Maximum Security tmnciesc Out-Of-Bounds Read Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2018-6234
An Out-of-Bounds Read Information Disclosure vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to disclose sensitive information on vulnerable installations due to a flaw within processing of IOCTL 0x222814 by the tmnciesc.sys driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Una vulnerabilidad de divulgación de información por lectura fuera de límites en Trend Micro Maximum Security (Consumer) 2018 podría permitir que un atacante local revele información sensible en instalaciones vulnerables debido a un error en el procesamiento de llamadas IOCTL 0x222814 por parte del controlador tmnciesc.sys. En primer lugar, un atacante debe obtener la capacidad de ejecutar código de bajos privilegios en el sistema objetivo para explotar esta vulnerabilidad. This vulnerability allows local attackers disclose sensitive information on vulnerable installations of Trend Micro Maximum Security. • https://esupport.trendmicro.com/en-us/home/pages/technical-support/1119591.aspx https://www.zerodayinitiative.com/advisories/ZDI-18-268 • CWE-125: Out-of-bounds Read CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-6233 – Trend Micro Maximum Security tmnciesc Buffer Overflow Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2018-6233
A buffer overflow privilege escalation vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within processing of IOCTL 0x222060 by the tmnciesc.sys driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Una vulnerabilidad de escalado de privilegios por desbordamiento de búfer en Trend Micro Maximum Security (Consumer) 2018 podría permitir que un atacante local escale privilegios en instalaciones vulnerables debido a un error en el procesamiento de llamadas IOCTL 0x222060 por parte del controlador tmnciesc.sys. En primer lugar, un atacante debe obtener la capacidad de ejecutar código de bajos privilegios en el sistema objetivo para explotar esta vulnerabilidad. This vulnerability allows local attackers to escalate privileges on vulnerable installations of Trend Micro Maximum Security. • https://esupport.trendmicro.com/en-us/home/pages/technical-support/1119591.aspx https://www.zerodayinitiative.com/advisories/ZDI-18-267 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6231 – Trend Micro Smart Protection Server Auth Command Injection Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2018-6231
A server auth command injection authentication bypass vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.3 and below could allow remote attackers to escalate privileges on vulnerable installations. Una vulnerabilidad de omisión de autenticación y de inyección de comandos auth del servidor en Trend Micro Smart Protection Server (Standalone) en versiones 3.3 y anteriores podría permitir que los atacantes remotos escalen privilegios en instalaciones vulnerables. This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Trend Micro Smart Protection Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of credentials provided at login. When parsing the username, the process does not properly validate a user-supplied string before using it to execute a system call. • https://success.trendmicro.com/solution/1119385 https://www.zerodayinitiative.com/advisories/ZDI-18-218 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2018-6225 – Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-6225
An XML external entity injection (XXE) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an authenticated user to expose a normally protected configuration script. Una vulnerabilidad XEE (XML External Entity) en Trend Micro Email Encryption Gateway 5.5 podría permitir que un usuario autenticado exponga un script de configuración normalmente protegido. Trend Micro Email Encryption Gateway suffers from cleartext transmission of sensitive information, missing authentication, cross site request forgery, cross site scripting, and various other vulnerabilities. • https://www.exploit-db.com/exploits/44166 https://success.trendmicro.com/solution/1119349 https://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities • CWE-611: Improper Restriction of XML External Entity Reference •