Attackers may be trying to exploit flaws in Trend
Micro's ServerProtect, Anti-Spyware and PC-cillin products to
hijack vulnerable machines, the SANS Internet Storm Center (ISC)
has warned.
ISC handler Kyle Haugsness wrote on the
Internet Storm
Center Web site that the organisation was seeing "heavy
scanning activity on TCP [port] 5168... probably for Trend Micro
ServerProtect. It does indeed look like machines are getting owned
with this vulnerability."
In a follow-up message, ISC handler William Salusky wrote that
while he was unable to confirm the destination target of the
suspicious scanners was in fact running a Trend Micro management
service, some of the packet data the ISC received did appear
suspect.
Antivirus company Symantec is taking the threat to Trend Micro
users seriously enough to
raise its ThreatCon to Level 2.
An email to customers of Symantec's DeepSight threat management
service read: "DeepSight TMS is observing a large spike over TCP
port 5168 associated with the Trend ServerProtect service, which
was recently found vulnerable to remote code execution flaws. It
appears that attackers are scanning for systems running the
vulnerable service. We have observed active exploitation of a Trend
Micro ServerProtect vulnerability affecting the ServerProtect
service on a DeepSight Honeypot."
In an email to SearchSecurity.com, Haugsness said the storm
center was observing the same trend. Tokyo-based Trend Micro
released a patch and hotfix to address the flaws.
Trend Micro ServerProtect, an antivirus application designed
specifically for servers, is prone to several security holes,
including an interger overflow flaw that is exploitable over RPC,
according to the
Trend Micro ServerProtect security advisory.
Specifically, the problem is in the SpntSvc.exe service that
listens on TCP port 5168 and is accessible through RPC.
Attackers could exploit this to run malicious code with
system-level privileges and "completely compromise" affected
computers. Failed exploit attempts will result in a denial of
service, Trend Micro said.
The problems affect ServerProtect 5.58 Build 1176 and possibly
earlier versions.
Meanwhile, Trend Micro Anti-Spyware and PC-cillin Internet
contain stack buffer-overflow flaws where the application fails to
properly bounds-check user-supplied data before copying it into an
insufficiently sized memory buffer, the vendor reported.
Trend Micro has released a hotfix to address that problem.
The issue affects the 'vstlib32.dll' library of Trend Micro's
SSAPI Engine. When the library processes a local file that has
overly-long path data, it fails to handle a subsequent
'ReadDirectoryChangesW' callback notification from Microsoft
Windows.
Attackers who exploit this could inflict the same type of damage
as exploits against the ServerProtect flaws. Trend Micro
Anti-Spyware for Consumers version 3.5 and PC-cillin Internet
Security 2007 are affected.