- Apr 5, 2014
- 6,001
Trend Micro is one of the biggest names in cybersecurity, an $120 billion industry that promises to deflect a significant chunk of attacks hitting customers. But Trend and many of its peers are themselves creating software vulnerable to hacks, as proven by two researchers who've found and reported more than 200 flaws across the Japanese company's suite of products since July 29 last year.
Security researchers Roberto Suggi Liverani and Steven Seeley reported the first bug to Trend on July 29 2016 and have continued to find a mix of vulnerabilities, from the mundane to the shocking. In total they've uncovered 223 weaknesses across 11 TrendMicro products. A whopping 194 can be exploited remotely, and all are triggered without user interaction, making them significantly more serious.
One of the more serious issues lay in Trend Micro's data loss prevention tool. The pro hackers discovered that, via an unauthenticated remote code execution vulnerability, they could take control of the server running the software. They could then send out malicious updates to every single PC or other client connected to the server.
"It's a full compromise of the complete network once you own the node. It's pretty nasty, to say the least," added Seeley.
The attack would require an initial breach of the network. But they found another issue in InterScan, another Trend product that acts as the outfacing system that protects the network. "This can be targeted with an unauthenticated remote code exploit. Once you’re within the network from this point, you can pivot onto the DLP box."
As for the basic weaknesses, one was an unauthenticated stored cross-site scripting (XSS) flaw, where it was possible to execute malicious JavaScript code as an administrator of the affected technology. This is typically done by sending a link to a target and forcing them to run that code, though not required in this case as an attacker could wait until an administrator logged into the application and execute their code directly on the server.
In the case of the Trend weakness, once executed, the code would grant the attacker control of the targeted server, allowing a hacker to grab whatever data was inside or change what the service did. It's "the worst type" of XSS, one of the most common vulnerabilities on the web, said Seeley, who declined to name the affected technology as Trend is working on a fix. "It's just a matter of time [until] an admin will visit that particular admin page and fire our potentially malicious payload," warned Seeley.
Whilst Trend was quick to respond to the researchers' seemingly never-ending disclosures, many issues were "quite trivial" to find, leaving Seeley wondering why the company's own audits hand't picked up on many of them. And in one situation, even where they did issue a fix, they didn't patch adequately, he added. "Their patch completely failed and it was quite bad. I could have easily bypassed it."
Trend was keen to note that the vulnerabilities found by Suggi Liverani and Seeley were not in its well-known and widely-used endpoint or Deep Security products. Jon Clay, global director of threat communications, said the company "takes every vulnerability found within our products seriously regardless of whether it is multiple submissions or a single submission."
"We know there is a growing interest and level of activity in vulnerability research, and we are dedicated to rapidly addressing any issues that are uncovered by the research community."
Suggi Liverani and Seeley plan to showcase their exploits at the Hack In The Box conference in Amsterdam this April, by which time they may have found many more weaknesses.
A vulnerable security industry
Professor Alan Woodward, a digital security expert from the U.K.'s University of Surrey, said Trend was not alone; many in the industry likely have products with similar issues. "It’s obviously a concern when security products have this number of vulnerabilities. I can imagine Trend are going to be embarrassed but sadly I’m not sure one can single out Trend as being particularly poor at their testing," Woodward said.
"I think what it demonstrates is just how complex these system have become and as we all know complexity is the enemy of security."
In recent months, Google's Tavis Ormandy has been hunting bugs in anti-virus product, in the belief that sometimes security tools make companies more vulnerable, not less. His recent scalps have included Kaspersky and Symantec.
Security researchers Roberto Suggi Liverani and Steven Seeley reported the first bug to Trend on July 29 2016 and have continued to find a mix of vulnerabilities, from the mundane to the shocking. In total they've uncovered 223 weaknesses across 11 TrendMicro products. A whopping 194 can be exploited remotely, and all are triggered without user interaction, making them significantly more serious.
One of the more serious issues lay in Trend Micro's data loss prevention tool. The pro hackers discovered that, via an unauthenticated remote code execution vulnerability, they could take control of the server running the software. They could then send out malicious updates to every single PC or other client connected to the server.
"It's a full compromise of the complete network once you own the node. It's pretty nasty, to say the least," added Seeley.
The attack would require an initial breach of the network. But they found another issue in InterScan, another Trend product that acts as the outfacing system that protects the network. "This can be targeted with an unauthenticated remote code exploit. Once you’re within the network from this point, you can pivot onto the DLP box."
As for the basic weaknesses, one was an unauthenticated stored cross-site scripting (XSS) flaw, where it was possible to execute malicious JavaScript code as an administrator of the affected technology. This is typically done by sending a link to a target and forcing them to run that code, though not required in this case as an attacker could wait until an administrator logged into the application and execute their code directly on the server.
In the case of the Trend weakness, once executed, the code would grant the attacker control of the targeted server, allowing a hacker to grab whatever data was inside or change what the service did. It's "the worst type" of XSS, one of the most common vulnerabilities on the web, said Seeley, who declined to name the affected technology as Trend is working on a fix. "It's just a matter of time [until] an admin will visit that particular admin page and fire our potentially malicious payload," warned Seeley.
Whilst Trend was quick to respond to the researchers' seemingly never-ending disclosures, many issues were "quite trivial" to find, leaving Seeley wondering why the company's own audits hand't picked up on many of them. And in one situation, even where they did issue a fix, they didn't patch adequately, he added. "Their patch completely failed and it was quite bad. I could have easily bypassed it."
Trend was keen to note that the vulnerabilities found by Suggi Liverani and Seeley were not in its well-known and widely-used endpoint or Deep Security products. Jon Clay, global director of threat communications, said the company "takes every vulnerability found within our products seriously regardless of whether it is multiple submissions or a single submission."
"We know there is a growing interest and level of activity in vulnerability research, and we are dedicated to rapidly addressing any issues that are uncovered by the research community."
Suggi Liverani and Seeley plan to showcase their exploits at the Hack In The Box conference in Amsterdam this April, by which time they may have found many more weaknesses.
A vulnerable security industry
Professor Alan Woodward, a digital security expert from the U.K.'s University of Surrey, said Trend was not alone; many in the industry likely have products with similar issues. "It’s obviously a concern when security products have this number of vulnerabilities. I can imagine Trend are going to be embarrassed but sadly I’m not sure one can single out Trend as being particularly poor at their testing," Woodward said.
"I think what it demonstrates is just how complex these system have become and as we all know complexity is the enemy of security."
In recent months, Google's Tavis Ormandy has been hunting bugs in anti-virus product, in the belief that sometimes security tools make companies more vulnerable, not less. His recent scalps have included Kaspersky and Symantec.
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
