CVE-2008-2433
secunia-trendmicro.txt
Public Exploits: 0
Exploited in Wild: -
Descriptions
The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks. NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration."
Secunia Research has discovered a vulnerability in certain Trend Micro products, which can be exploited by malicious people to bypass authentication. The vulnerability is caused by insufficient entropy being used to create the random session token that identifies an authenticated manager using the web management console. The entropy in the session token comes solely from the system time at which the real manager logs in, with a granularity of one second. This can be exploited to impersonate a currently logged-on manager by brute-forcing the authentication token. Successful exploitation further allows execution of arbitrary code via manipulation of the configuration.
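As an added illustration (not code from the advisory or from Trend Micro; the weak generator is a constructed model of the flaw described above, not the vendor's implementation), the time-seeded token scheme beside a CSPRNG-based one, with an audit helper that counts how many distinct tokens a login window can yield:

```python
import math
import random
import secrets


def weak_session_token(login_time: float) -> str:
    """Constructed model of the flawed scheme: the only entropy is the
    login timestamp, truncated to whole seconds, fed to a deterministic
    PRNG. Two logins in the same second get the same token."""
    rng = random.Random(int(login_time))      # seed = login second
    return "%032x" % rng.getrandbits(128)     # looks random, but isn't


def strong_session_token() -> str:
    """Hardened form: 128 bits from the OS CSPRNG, independent of time."""
    return secrets.token_hex(16)


def distinct_weak_tokens(start: int, window_seconds: int) -> int:
    """Audit helper: count distinct weak tokens possible for logins that
    occurred within `window_seconds` of `start`. Because the seed is the
    login second, this is bounded by the window length, not by the 128-bit
    token size."""
    return len({weak_session_token(start + s) for s in range(window_seconds)})


def effective_entropy_bits(start: int, window_seconds: int) -> float:
    """Entropy actually available to an attacker who can bound the login
    time to the window: log2 of the distinct-token count (128 for the
    strong scheme, ~11.8 for a one-hour window of the weak one)."""
    return math.log2(distinct_weak_tokens(start, window_seconds))


if __name__ == "__main__":
    t0 = 1219363200  # constructed sample login time (2008-08-22 00:00:00 UTC)
    print("same second ->", weak_session_token(t0 + 0.2) == weak_session_token(t0 + 0.9))
    print("one-hour window entropy:", round(effective_entropy_bits(t0, 3600), 1), "bits")
    print("CSPRNG token:", strong_session_token())
```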
CVSS Scores
SSVC
- Decision: -
Timeline
- 2008-05-27 CVE Reserved
- 2008-08-22 CVE Published
- 2024-08-07 CVE Updated
- 2025-03-30 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-330: Use of Insufficiently Random Values
CAPEC
References (10)
URL | Tag | Source |
---|---|---|
http://securityreason.com/securityalert/4191 | Broken Link | |
http://www.securityfocus.com/archive/1/495670/100/0/threaded | Broken Link | |
http://www.securityfocus.com/bid/30792 | Broken Link | |
http://www.securitytracker.com/id?1020732 | Broken Link | |
http://www.vupen.com/english/advisories/2008/2421 | Broken Link | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/44597 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
http://secunia.com/advisories/31373 | 2024-02-14 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Trendmicro | Client Server Messaging Suite | 3.5 | - | Affected |
Trendmicro | Client Server Messaging Suite | 3.6 | - | Affected |
Trendmicro | Officescan | >= 7.0 <= 8.0 | - | Affected |
Trendmicro | Worry-free Business Security | 5.0 | - | Affected |