Trend Micro ServerProtect unauthorized administrative access (MSRPC_Unauth_Admin_Access)

About this signature or vulnerability

BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IDS, RealSecure Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:

This signature detects an attempt to perform certain privileged functions without prior authentication.

This signature detects an attempt to perform file I/O operations on systems using a vulnerable version of Trend Micro ServerProtect.


False positives

RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IDS, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:

Vulnerable versions of Trend Micro ServerProtect have a feature that allows an arbitrary remote unauthenticated user to read or write files on a system with the software installed. This signature detects such remote file operations. However, the remote file-writing ability is legitimately used to update the anti-virus product, so blocking such traffic would prevent ServerProtect from operating normally as its creators intended. In non-vulnerable versions, the program ensures that updates originate from trusted addresses.

Default risk level

High

Sensors that have this signature

BlackICE Server Protection: 3.6.cqb, BlackICE PC Protection: 3.6cqb, RealSecure Network: XPU 24.56, RealSecure Server Sensor: XPU 24.56, Proventia Network MFS: XPU 1.95, IBM Security Server Protection for Windows: 1.0.914.1960, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia-G 1.1 and earlier: XPU 24.56, Proventia Desktop: 1960, Proventia Network IDS: XPU 24.56, RealSecure Desktop: eqb, Proventia Network IPS: XPU 1.95, Proventia Server IPS for Linux technology: 1.95, Virtual Server Protection for VMware: 1.0

Systems affected

Trend Micro ServerProtect: 5.58, Trend Micro ServerProtect: 5.7

Type

Unauthorized Access Attempt

Vulnerability description

Trend Micro ServerProtect could allow a remote attacker to gain unauthorized administrative access to the RPC interface. A remote attacker could bypass authentication and gain administrative access, allowing the attacker to execute code with SYSTEM privileges.

How to remove this vulnerability

For Trend Micro ServerProtect for Windows 5.58:
Apply the patch for this vulnerability (Patch 7, build 1216), available from the Trend Micro Web site. See References.

References

IBM Internet Security Systems Protection Advisory November 11, 2008
Trend Micro ServerProtect Unauthenticated Remote Administration
http://www.iss.net/threats/307.html

Trend Micro Web site
Trend Micro ServerProtect for Windows 5.58 Patch 7, build 1216
http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_patch7_readme.txt

Trend Micro Web site
Trend Micro Update Center
http://www.trendmicro.com/download/

ISS X-Force
Trend Micro ServerProtect unauthorized administrative access
http://www.iss.net/security_center/static/31112.php

CVE
CVE-2006-5268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5268