CVE-2017-6339 : Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 mismanages certain key and certificate d

Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 mismanages certain key and certificate data. Per IWSVA documentation, by default, IWSVA acts as a private Certificate Authority (CA) and dynamically generates digital certificates that are sent to client browsers to complete a secure passage for HTTPS connections. It also allows administrators to upload their own certificates signed by a root CA. An attacker with low privileges can download the current CA certificate and Private Key (either the default ones or ones uploaded by administrators) and use those to decrypt HTTPS traffic, thus compromising confidentiality. Also, the default Private Key on this appliance is encrypted with a very weak passphrase. If an appliance uses the default Certificate and Private Key provided by Trend Micro, an attacker can simply download these and decrypt the Private Key using the default/weak passphrase.

Published 2017-04-05 16:59:00

Updated 2019-10-03 00:03:26

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2017-6339

Probability of exploitation activity in the next 30 days: 0.31%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 66 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2017-6339

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2017-6339

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: nvd@nist.gov (Primary)
CWE-521 Weak Password Requirements

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-6339

http://www.securityfocus.com/bid/97492

Trend Micro InterScan Web Security Virtual Appliance CVE-2017-6339 Security Bypass Vulnerability
Third Party Advisory;VDB Entry
https://www.qualys.com/2017/01/12/qsa-2017-01-12/qsa-2017-01-12.pdf

Exploit;Technical Description;Third Party Advisory

CVEs referencing this url
https://success.trendmicro.com/solution/1116960

Multiple Vulnerabilities - InterScan Web Security Virtual Appliance 6.5
Patch;Vendor Advisory

CVEs referencing this url

Products affected by CVE-2017-6339

Trendmicro » Interscan Web Security Virtual Appliance
Versions up to, including, (<=) 6.5
cpe:2.3:a:trendmicro:interscan_web_security_virtual_appliance:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2017-6339

Exploit prediction scoring system (EPSS) score for CVE-2017-6339

CVSS scores for CVE-2017-6339

CWE ids for CVE-2017-6339

References for CVE-2017-6339

Products affected by CVE-2017-6339