Trend Micro has patches available to fix up vulnerabilities in its platform for centralized security management which is susceptible to SQL injection attacks.
Versions 5.5 and 6.0 of the Trend Micro Control Manager are vulnerable, according to a report on U.S. CERT.
The vulnerability in question concerns a blind SQL injection attack which means the web frontend does not divulge any information from the database.
According to a report by security consulting firm Spentera which includes a proof-of-concept, the vulnerable system can leak information like password hashes by analyzing the timing of SQL queries. A remote attacker can extract sensitive data such as password through blind SQL injection.
The application does not properly filter user-supplied input, according to a report on Spentera. The successful exploitation of this vulnerability could potentially result in arbitrary SQL command input to the back-end database, such as execute SQL command to upload and execute arbitrary code against the target system.
The vulnerable parameter is ‘id’ parameter in the GET request for AdHocQuery_Processor.aspx page, the Spentera report said. According to Trend Micro Control Manager help page, an Ad Hoc Query is a direct request to the Control Manager database for information. The query uses data views to narrow the request and improve performance. After specifying the data view, users can further narrow their search by specifying filtering criteria for the request.