Trend Micro Mobile Security Enterprise eas_agent_sync_client_info slink_id SQL Injection
TSL ID: TSL20170915-04
CVE ID(s): CVE-2017-14078
Severity: Critical
Description

An SQL injection vulnerability exists in Trend Micro Mobile Security Enterprise. The vulnerability is due to insufficient validation of the slink_id request parameter of the eas_agent_sync_client_info action.

A remote unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation of this vulnerability can lead to remote code execution in the context of SYSTEM.
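To make the root cause concrete, the following is an added illustration, not code from Trend Micro or from this advisory: a hypothetical lookup handler that splices the slink_id request parameter into SQL text, next to the two defensive layers that remove the injection class (a parameterized query, and an allow-list check on the parameter before it reaches the database). The table, column names, sample rows and the slink_id format are all constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory schema standing in for a client table (not Trend Micro's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (slink_id TEXT PRIMARY KEY, device_name TEXT)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?)",
        [("LINK-0001", "phone-a"), ("LINK-0002", "tablet-b")],
    )
    conn.commit()
    return conn


def lookup_client_unsafe(conn, slink_id):
    # Vulnerable pattern: the request parameter becomes part of the SQL text,
    # so quote characters in it change the statement the database parses.
    sql = "SELECT device_name FROM clients WHERE slink_id = '%s'" % slink_id
    return [row[0] for row in conn.execute(sql)]


def lookup_client_parameterized(conn, slink_id):
    # Hardened: the value is bound as data, never parsed as SQL syntax.
    sql = "SELECT device_name FROM clients WHERE slink_id = ?"
    return [row[0] for row in conn.execute(sql, (slink_id,))]


# Hypothetical allow-list for the identifier format; real deployments would
# derive this from the actual identifier specification.
SLINK_ID_RE = re.compile(r"[A-Za-z0-9-]{1,32}")


def validate_slink_id(slink_id):
    # Reject anything outside the expected identifier alphabet before it
    # reaches the database layer; this is defence in depth on top of binding.
    return SLINK_ID_RE.fullmatch(slink_id) is not None


def demo(slink_id):
    """Run the same input through all three paths and report what each does."""
    conn = make_db()
    try:
        unsafe = lookup_client_unsafe(conn, slink_id)
    except sqlite3.Error as exc:
        # The input reached the SQL parser and altered the statement.
        unsafe = "sql error: %s" % exc
    parameterized = lookup_client_parameterized(conn, slink_id)
    validated = (
        lookup_client_parameterized(conn, slink_id)
        if validate_slink_id(slink_id)
        else "rejected"
    )
    return {"unsafe": unsafe, "parameterized": parameterized, "validated": validated}


if __name__ == "__main__":
    for value in ("LINK-0001", "LINK-0001'"):
        print(repr(value), demo(value))
```

With a well-formed identifier all three paths return the same row. With a value containing a stray quote, the unsafe path produces a database error (showing that request data is being parsed as SQL), the parameterized path treats the whole value as a literal and finds nothing, and the validating path never issues the query at all.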

The vendor, Trend Micro, has released the following advisory regarding this vulnerability:

https://success.trendmicro.com/solution/1118224

Affected Products
  • Trend Micro Mobile Security (Enterprise) prior to 9.7 Patch 3 (b2406)
CVSS Score
Base 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is COMPLETE
  • Impact of this vulnerability on data integrity is COMPLETE
  • Impact of this vulnerability on data availability is COMPLETE
Temporal 7.4 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
Identifiers: ZDI
References: https://success.trendmicro.com/solution/1118224