Trend Micro fixed a series of vulnerabilities in its Email Encryption Gateway.
The Trend Micro Encryption for Email Gateway (TMEEG) is a Linux-based software solution/virtual appliance.
It is able to perform the encryption and decryption of email at the corporate gateway, regardless of the email client and the platform from which it originated.
“The encryption and decryption of email on the TMEEG client is controlled by a Policy Manager that enables an administrator to configure policies based on various parameters, such as sender and recipient email addresses, keywords, or PCI compliance,” the company said.
The vulnerabilities were discovered and disclosed to the company this past June by Leandro Barragan and Maximiliano Vidal (Core Security Consulting Services). Security researcher Vahagn Vardanyan has also been credited with the discovery.
The flaws affect version 5.5 Build 1111 and below of the product.
The list includes twelve vulnerabilities, each with its own CVE number, and their severity ranges from low to critical:
1. CVE-2018-6219: Insecure Update via HTTP (CVSS 7.5)
2. CVE-2018-6220: Arbitrary file write leading to command execution (CVSS 7.5)
3. CVE-2018-6221: Unvalidated Software Updates (CVSS 7.5)
4. CVE-2018-6222: Arbitrary logs locations leading to command execution (CVSS 7.2)
5. CVE-2018-6223: Missing authentication for appliance registration (CVSS 9.1)
6. CVE-2018-6225: XML external entity injection in a configuration script (CVSS 5.5)
7. CVE-2018-6226: Reflected cross-site scripting in two configuration scripts (CVSS 7.4)
8. CVE-2018-6227: Stored cross-site scripting in a policy script (CVSS 7.4)
9. CVE-2018-6228: SQL injection in a policy script (CVSS 4.9)
10. CVE-2018-6229: SQL injection in an edit policy script (CVSS 6.5)
11. CVE-2018-6224: Lack of cross-site request forgery protection (CVSS 6.8)
12. CVE-2018-6230: SQL injection in a search configuration script (CVSS 3.8)
Trend Micro released a security update (version 5.5 Build 1129) to plug ten of these holes, but CVE-2018-6224 and CVE-2018-6230 are still unpatched.
“Due to the difficulties of implementing and the negative impact on critical normal product function of the proposed resolutions, as well as the pending End-of-Life of the Email Encryption Gateway product [in the coming weeks], Trend Micro decided that these will not be addressed in the current iteration of the product,” the company said in a post.
But there are mitigating factors that should prevent those flaws from being exploited: CVE-2018-6224 has to be chained with at least 3 other (now patched) vulnerabilities to achieve remote command execution, and CVE-2018-6224 and CVE-2018-6230 can be exploited only if the TMEEG web console is accessible via the Internet (which, by design, it is not).