Release Date: August 19, 2020
CVE Identifier(s): CVE-2020-8602, CVE-2020-15601
Platform(s): Windows
CVSS 3.1 Score(s): 7.2 and 8.1
Severity Rating(s): High

Trend Micro has released new patches for Trend Micro Deep Security Manager and Trend Micro Vulnerability Protection. These patches resolve two security issues which, in certain circumstances, could impact the confidentiality, integrity and availability of the management console.
| PRODUCT | AFFECTED VERSION(S) | PLATFORM | LANGUAGE(S) |
|---|---|---|---|
| Deep Security Manager* | Version 12.0 | Windows | English |
| | Version 11.0 | Windows | English |
| | Version 10.0 | Windows | English |
| Vulnerability Protection | Version 2.0 SP2 | Windows | English |
Fixed versions
| PRODUCT | UPDATED VERSION | Update Date | PLATFORM | AVAILABILITY |
|---|---|---|---|---|
| Deep Security Manager | Version 12.0 U11 | August 19, 2020 | Windows | Now Available |
| | Version 11.0 U22 | July 15, 2020 | Windows | Now Available |
| | Version 10.0 U27 | August 7, 2020 | Windows | Now Available |
| Vulnerability Protection | Version 2.0 SP2 Patch7 CP5 | August 12, 2020 | Windows | Now Available |
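Deep Security Manager reportedly has a vulnerability in its integrity verification and a vulnerability in which LDAP authentication is bypassed while multi-factor authentication is in use (SAML apparently unaffected?).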
Vulnerability Details
CVE-2020-8602: Deep Security Manager and Vulnerability Protection Integrity Verification Bypass
CVSSv3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
A vulnerability in the affected products' management console may allow an authenticated attacker with full control privileges to bypass file integrity checks, leading to remote code execution.

CVE-2020-15601: Deep Security Manager and Vulnerability Protection LDAP Authentication Bypass
CVSSv3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
If LDAP authentication is enabled, an unauthenticated attacker with prior knowledge of the targeted organization may be able to bypass manager authentication.
Enabling multi-factor authentication prevents this attack.
Installations using manager native authentication or SAML authentication are not impacted by this vulnerability.
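
An added example (not Trend Micro's code and not part of the original post): a triage check that applies the fixed update levels and the LDAP/MFA conditions stated above to an inventory of Deep Security Manager hosts. The inventory records, their field names and the host names are constructed, and `mfa` is assumed to mean multi-factor authentication is enforced for every console user.

```python
import re

# Fixed update level per Deep Security Manager branch, from the advisory's table.
FIXED_UPDATE = {"12.0": 11, "11.0": 22, "10.0": 27}
VERSION_RE = re.compile(r"^\s*(?:Version\s+)?(\d+\.\d+)(?:\s+U(\d+))?\s*$", re.I)


def parse_version(text):
    """Parse '12.0 U11' or 'Version 11.0 U22'; a bare '10.0' counts as update 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), int(m.group(2) or 0)


def triage(record):
    """Return the CVEs a manager is still exposed to, or None for an unlisted branch."""
    branch, update = parse_version(record["version"])
    if branch not in FIXED_UPDATE:
        return None  # branch is not in the advisory's table: review by hand
    if update >= FIXED_UPDATE[branch]:
        return []
    exposed = ["CVE-2020-8602"]  # integrity verification bypass: any unpatched build
    # CVE-2020-15601 applies only with LDAP authentication enabled; MFA prevents it,
    # and native or SAML authentication is not impacted.
    if record["ldap_enabled"] and not record["mfa"]:
        exposed.append("CVE-2020-15601")
    return exposed


# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"host": "dsm-a.example", "version": "12.0 U10", "ldap_enabled": True, "mfa": False},
    {"host": "dsm-b.example", "version": "12.0 U11", "ldap_enabled": True, "mfa": False},
    {"host": "dsm-c.example", "version": "Version 11.0 U21", "ldap_enabled": True, "mfa": True},
    {"host": "dsm-d.example", "version": "10.0", "ldap_enabled": False, "mfa": False},
    {"host": "dsm-e.example", "version": "20.0 U1", "ldap_enabled": True, "mfa": False},
]


def report(inventory):
    """Map each host to its triage result."""
    return {r["host"]: triage(r) for r in inventory}


if __name__ == "__main__":
    for host, result in report(INVENTORY).items():
        print(host, "review manually" if result is None else (result or "patched"))
```

A host with MFA enabled on an unpatched build still reports CVE-2020-8602, so MFA narrows the exposure but does not replace the update.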