Public and private organizations affected by critical vulnerabilities in Trend Micro products

Trend Micro security teams notified customers of an urgent update for the InterScan Web Security Virtual Appliance (IWSVA), released to fix various vulnerabilities that could compromise users’ systems.

Although the company took months to correct the flaws, the update completely mitigates the risk of exploitation. Trend Micro IWSVA is a web gateway that helps organizations protect their networks from online threat actors and provides real-time visibility and control of Internet usage by members of the organization.

Wolfgang Ettlinger, the expert who reported the flaws to the company, identified six types of vulnerabilities in the IWSVA product, including missing CSRF protection, XSS, authentication errors, command execution, and command injection, all considered highly severe. One of these attacks would allow threat actors to gain root access to affected systems remotely simply by triggering a CSRF condition.

Another of the attacks described would allow cybercriminals with access to the HTTP proxy port to exploit flaws in the authentication mechanism of the affected software and take full control of the device as root, without requiring user or administrator interaction.

While there is no accurate indicator of the number of organizations using vulnerable software, experts also notified cybersecurity agencies in various countries about the risk as this is a product used by multiple government agencies.

The security report contains technical information to mitigate the risk of exploiting these flaws.

Trend Micro released a message acknowledging the incident: “We are aware of the vulnerabilities found in IWSVA and congratulate SEC Consult on disclosing them in a responsible manner and working closely with us to resolve the issues.” The company concluded by mentioning that a critical patch was released and asking customers to apply it as soon as possible.