Trend Micro fixes serious vulnerabilities in Email Encryption Gateway

Trend Micro has plugged a bucketload of vulnerabilities in its Email Encryption Gateway, some of which can be combined to execute root commands from the perspective of a remote unauthenticated attacker.

Email Encryption Gateway vulnerabilities

The Trend Micro Encryption for Email Gateway (TMEEG) is a Linux-based software solution/virtual appliance that provides the ability to perform the encryption and decryption of email at the corporate gateway, regardless of the email client and the platform from which it originated.

“The encryption and decryption of email on the TMEEG client is controlled by a Policy Manager that enables an administrator to configure policies based on various parameters, such as sender and recipient email addresses, keywords, or PCI compliance,” the company explains.

About the vulnerabilities

The vulnerabilities have been discovered and privately disclosed to the company in June 2017 by Leandro Barragan and Maximiliano Vidal (Core Security Consulting Services). Security researcher Vahagn Vardanyan has also been given credit for the discovery.

The flaws affect version 5.5 Build 1111 and below of the product.

The list includes twelve vulnerabilities with separate CVE numbers, and their severity ranges from low to critical:

  • CVE-2018-6219: Insecure Update via HTTP (CVSS 7.5).
  • CVE-2018-6220: Arbitrary file write leading to command execution (CVSS 7.5).
  • CVE-2018-6221: Unvalidated Software Updates (CVSS 7.5).
  • CVE-2018-6222: Arbitrary logs locations leading to command execution (CVSS 7.2).
  • CVE-2018-6223: Missing authentication for appliance registration (CVSS 9.1).
  • CVE-2018-6225: XML external entity injection in a configuration script (CVSS 5.5).
  • CVE-2018-6226: Reflected cross-site scripting in two configuration scripts (CVSS 7.4).
  • CVE-2018-6227: Stored cross-site scripting in a policy script (CVSS 7.4).
  • CVE-2018-6228: SQL injection in a policy script (CVSS 4.9).
  • CVE-2018-6229: SQL injection in an edit policy script (CVSS 6.5)
  • CVE-2018-6224: Lack of cross-site request forgery protection (CVSS 6.8)
  • CVE-2018-6230: SQL injection in a search configuration script (CVSS 3.8).

What can you do?

Trend Micro has released a security update (version 5.5 Build 1129) to plug ten of these holes, but the last two on the list are still unpatched.

“Due to the difficulties of implementing and the negative impact on critical normal product function of the proposed resolutions, as well as the pending End-of-Life of the Email Encryption Gateway product [in the coming weeks], Trend Micro has decided that these will not be addressed in the current iteration of the product,” the company stated.

But there are mitigating factors that should prevent those flaws from being exploited: CVE-2018-6224 has to be chained to with at least 3 other (now patched) vulnerabilities to remote command execution, and both CVE-2018-6224 and CVS-2018-6230 can be exploited only if the TMEEG web console is accessible via the Internet (which, by design, is not).

So, the company advises admins to implement the offered update and to make sure that the web console is accessible only via the company intranet and only by users who need to be able to access it.

Core Security has published a separate security bulletin and has offered more technical details about the vulnerabilities, as well as Proof of Concept code for each.

Don't miss