Trend Micro Control Manager cmdHandlerLicenseManager SQL Injection
TSL ID TSL20170801-08
CVE ID(s) CVE-2017-11384
Severity High
Description

An SQL injection vulnerability has been reported in Trend Micro Control Manager. The vulnerability is due to improper validation of the user-supplied input for cmdHandlerLicenseManager.dll.

A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation of this vulnerability, in conjunction with other vulnerabilities, could lead to code execution under the security context of the database.

The vendor, Trend Micro, has released the following advisory regarding the vulnerability:

https://success.trendmicro.com/solution/1117722

Affected Products
  • Trend Micro Control Manager 6.0 prior to SP3 Patch 3
CVSS Score Base 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is PARTIAL
Temporal 5.5 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
Identifiers
ZDI
References https://success.trendmicro.com/solution/1117722