__________________________________________________________

                 The U.S. Department of Energy
             Computer Incident Advisory Capability
__________________________________________________________

                      INFORMATION BULLETIN

          Trend Micro ServerProtect Agent Vulnerabilities
                [Trend Micro Security Patch 4]

August 24, 2007 18:00 GMT                                        Number R-329
______________________________________________________________________________
PROBLEM:        Trend Micro ServerProtect Agent has several vulnerabilities:
                1) service RPC stack-buffer overflow; 2) RPC buffer overflow;
                and 3) Integer Overflow.

PLATFORM:       Trend Micro ServerProtect

DAMAGE:         May allow a remote, unauthenticated attacker to execute
                arbitrary code.

SOLUTION:       Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY   The risk is MEDIUM. May allow a remote, unauthenticated
ASSESSMENT:     attacker to execute arbitrary code.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-329.shtml
 ORIGINAL BULLETIN:  http://www.trendmicro.com/ftp/documentation/readme/spnt_
                     558_win_en_securitypatch4_readme.txt
 ADDITIONAL LINKS:   US-CERT Vulnerability Notes VU#204448, VU#109056,
                     VU#959400
                     http://www.kb.cert.org/vuls/id/204448
                     http://www.kb.cert.org/vuls/id/109056
                     http://www.kb.cert.org/vuls/id/959400
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-4218
                     CVE-2007-4219
______________________________________________________________________________

[***** Start Trend Micro Security Patch 4 *****]

Trend Micro, Inc.
July 27, 2007
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ServerProtect(TM) 5.58 for Windows(TM) NT/2000/2003
Security Patch 4 - Build 1185
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contents
===================================================================
1. Overview of this Security Patch Release
   1.1 Files Included in this Release
2. What's New
3. Documentation Set
4. System Requirements
5. Installation
6. Post-installation Configuration
7. Known Issues
8. Release History
9. Contact Information
10. About Trend Micro
11. License Agreement
===================================================================

1. Overview of this Security Patch Release
========================================================================
This security patch addresses buffer overflow vulnerabilities in ServerProtect
modules "EarthAgent.exe", "eng50.dll", "StRpcSrv.dll", and "StCommon.dll".

1.1 Files Included in This Release
=====================================================================
Module          File Name           Build No.
--------------  ------------------  -----------------
NT Server       admin.exe           5.58 build 1185
                adm_enu.dll         5.58 build 1185
                AgentClient.dll     5.58 build 1185
                AgRpcCln.dll        5.58 build 1185
                cert5.db
                ciussi32.dll        2.0 build 1026
                EarthAgent.exe      5.58 build 1185
                Eng50.dll           5.58 build 1185
                EventMsg2.dll       5.58 build 1185
                Logdb.dll           5.58 build 1185
                LogDbTool.dll       5.58 build 1185
                LogViewer.exe       5.58 build 1185
                LogMaster.dll       5.58 build 1185
                Notification.dll    5.58 build 1185
                Patch.exe           2.80 build 2014
                patchbld.dll        5.1.0.0
                Patchw32.dll        5.1.0.0
                ScanNow.exe         5.58 build 1185
                SpntSvc.exe         5.58 build 1185
                Spuninst.exe        5.58 build 1185
                StCommon.dll        5.58 build 1185
                StHotfix.exe        5.58 build 1185
                Stopp.exe           5.58 build 1185
                StRpcCln.dll        5.58 build 1185
                StRpcSrv.dll        5.58 build 1185
                StUpdate.exe        5.58 build 1185
                TmEng.dll           6.80 build 1034
                Tmnotify.dll        1.0 build 1185
                Tmopp.dll           5.58 build 1063
                TmRpcSrv.dll        5.58 build 1185
                Tmupdate.dll        2.80 build 2014
                SP5NSLST.ini
                TSC.ini
                x500.db
                hotfix.ini
                tmsp.mib
NetWare Server  lprotect.nlm        5.58 build 1185
                pscan.nlm           5.58 build 1185
CM Agent Files  EN_Utility.dll      1.0 build 1355
                Entitymain.exe      1.0 build 1367
                LibEN_CM.dll        1.0 build 1364
                libEN_Logger.dll    1.0 build 1367
                libEN_Product.dll   2.52 build 1053
                xerces-c_1_7_0.dll  1.7

2. What's New
========================================================================
This security patch addresses buffer overflow issues for the following RPC
function calls:
- RPC call to function RPCFN_CMON_SetSvcImpersonateUser (in module stcommon.dll)
- RPC call to function RPCFN_OldCMON_SetSvcImpersonateUser (in module stcommon.dll)
- RPC call to function RPCFN_EVENTBACK_DoHotFix (in module earthagent.exe)
- RPC call to function CMD_CHANGE_AGENT_REGISTER_INFO (in module earthagent.exe)
- RPC call to function RPCFN_ENG_TakeActionOnAFile (in module eng50.dll)
- RPC call to function RPCFN_ENG_AddTaskExportLogItem (in module eng50.dll)
- RPC call to function RPCFN_ENG_TimedNewManualScan (in module StRpcSrv.dll)
- RPC call to function RPCFN_SYNC_TASK (in module StRpcSrv.dll)
- RPC call to function RPCFN_SetComputerName (in module StRpcSrv.dll)
- RPC call to function RPCFN_ENG_NewManualScan (in module StRpcSrv.dll)
- RPC call to function NTF_SetPagerNotifyConfig (in module Notification.dll)

3. Documentation Set
========================================================================
o Readme.txt -- basic installation, known issues

Electronic versions of the printed manuals are available at:
http://www.trendmicro.com/download

4. System Requirements
========================================================================
No special requirements for installing this security patch.

5. Installation
========================================================================
To install this security patch:
1. Copy the file "spnt_558_win_en_securitypatch4.exe" to a temporary folder
   on the ServerProtect Information Server.
2. Ensure that the ServerProtect Management console is not open.
3. Open "spnt_558_win_en_securitypatch4.exe" and follow the instructions to
   install the patch. The Information Server will deploy the patch to NT
   Normal Servers 30 seconds after the installation is complete, and then it
   will restart the ServerProtect services.
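A post-deployment check for the steps above, written here as an added example and not part of the Trend Micro readme or the CIAC bulletin: run on a Normal Server once the Information Server has pushed the patch and restarted the services, it confirms that the services named in the rollback commands (spntsvc, earthagent, "TrendMicro Infrastructure") are running and that the four patched modules report the expected build. The ServerProtect home directory path is a placeholder, and the assumption that the Windows FileVersion string reads "5.58.0.1185" for "5.58 build 1185" must be confirmed on one patched host.

```powershell
# Added example (not from the Trend Micro readme or the CIAC bulletin):
# post-deployment check for ServerProtect 5.58 Security Patch 4 on a Normal
# Server. ASSUMPTIONS: $SpntHome is a placeholder for the ServerProtect home
# directory; the FileVersion string is assumed to encode "5.58 build 1185"
# as "5.58.0.1185" - confirm both on one known-good patched host first.

$SpntHome        = 'C:\PLACEHOLDER\ServerProtect'   # placeholder: set to the real home directory
$ExpectedVersion = '5.58.0.1185'                    # assumed FileVersion format
$Services        = @('spntsvc', 'earthagent', 'TrendMicro Infrastructure')
$Modules         = @('EarthAgent.exe', 'Eng50.dll', 'StRpcSrv.dll', 'StCommon.dll')
$ok = $true

# 1. The Information Server restarts the services after deploying the patch,
#    so any service not Running means the deployment needs a closer look.
foreach ($name in $Services) {
    $svc = Get-Service | Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name } |
           Select-Object -First 1
    if (-not $svc) {
        Write-Warning "Service '$name' not found"; $ok = $false
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "Service '$name' is $($svc.Status), expected Running"; $ok = $false
    }
}

# 2. Each module the patch replaces must be present and at the expected build.
foreach ($file in $Modules) {
    $path = Join-Path $SpntHome $file
    if (-not (Test-Path $path)) {
        Write-Warning "Missing $path"; $ok = $false; continue
    }
    $ver = (Get-Item $path).VersionInfo.FileVersion
    if ($ver -ne $ExpectedVersion) {
        Write-Warning "$file reports '$ver', expected '$ExpectedVersion'"; $ok = $false
    }
}

# 3. TMPatch.log in the system root records the patch run; show its tail so a
#    failed deployment can be diagnosed before contacting technical support.
$log = Join-Path $env:SystemRoot 'TMPatch.log'
if (Test-Path $log) { Get-Content $log | Select-Object -Last 20 }
else { Write-Warning "No $log found" }

if ($ok) { 'Security Patch 4 verification passed' }
else     { 'Security Patch 4 verification FAILED - review the warnings above' }
```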
Note: If the installation does not complete successfully, review the file
"TMPatch.log" in the system root folder before contacting technical support.

To roll back to the previous build:
1. Before you can roll back, run the following shell commands to stop all
   ServerProtect services:
     net stop spntsvc
     net stop earthagent
     net stop "TrendMicro Infrastructure"
2. You can find the backup files with the file extension "bak" in the
   ServerProtect home directory. To roll back, just rename the backup files
   and use them to replace the current files.
3. After the rollback, run the following commands to start the ServerProtect
   services:
     net start spntsvc
     net start earthagent
     net start "TrendMicro Infrastructure"

6. Post-installation Configuration
========================================================================
No post-installation configuration needed for this patch.

Note: Trend Micro recommends that you update your scan engine and virus
pattern files immediately after installing this patch.

7. Known Issues
========================================================================
This release has the following known issues:
7.1 You must close the Management Console before applying this patch.
    Otherwise, the patch installation will not be successful.
7.2 You cannot install the ServerProtect Normal Server and an OfficeScan(TM)
    client on the same computer.
7.3 After this patch is applied, the pattern update progress bar may not
    accurately reflect the actual progress.

8. Release History
========================================================================
See the following Web site for more information about updates to this
product: http://www.trendmicro.com/download

9. Contact Information
========================================================================
A license to the Trend Micro software usually includes the right to product
updates, pattern file updates, and basic technical support for one (1) year
from the date of purchase only.
After the first year, Maintenance must be renewed on an annual basis at Trend
Micro's then-current Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us at:
http://www.trendmicro.com

Evaluation copies of Trend Micro products can be downloaded from our Web site.

Global Mailing Address/Telephone numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia and New
Zealand, Europe, Latin America, and Canada, refer to:
http://www.trendmicro.com/en/about/overview.htm

The Trend Micro "About Us" screen displays. Click the appropriate link in the
"Contact Us" section of the screen.

Note: This information is subject to change without notice.

10. About Trend Micro
========================================================================
Trend Micro, Inc. provides virus protection, anti-spam, and content-filtering
security products and services. Trend Micro allows companies worldwide to stop
viruses and other malicious code from a central point before they can reach
the desktop.

Copyright 2007, Trend Micro Incorporated. All rights reserved. Trend Micro,
the t-ball logo, ServerProtect, and OfficeScan are trademarks of Trend Micro
Incorporated and are registered in some jurisdictions. All other marks are the
trademarks or registered trademarks of their respective companies.

11. License Agreement
========================================================================
Information about your license agreement with Trend Micro can be viewed at:
http://www.trendmicro.com/en/purchase/license/

Third-party licensing agreements can be viewed:
- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Getting Started Guide or
  Administrator's Guide

[***** End Trend Micro Security Patch 4 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Trend Micro for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be obtained
via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-319: Cumulative Security Update for Internet Explorer
R-320: Vulnerability in GDI
R-321: Vulnerabilities in Windows Media Player
R-322: Vulnerabilities in Windows Gadgets
R-323: Vulnerability in Virtual PC and Virtual Server
R-324: Vulnerability in Vector Markup Language
R-325: Information Leakage Using IPv6 Routing Header
R-326: tcpdump
R-327: Cisco IOS Secure Copy Authorization Bypass Vulnerability
R-328: Local Privilege Vulnerabilities in Cisco VPN Client