Cisco Talos security researchers reported vulnerabilities in Trend Micro Home Network Security devices. Attackers could exploit the bugs to achieve arbitrary authentication and elevate privileges.
The Home Network Security station is a monitoring and protection product that offers, among other features, vulnerability scanning, threat protection, intrusion prevention, and access control for devices. Trend Micro Home Network Security versions 6.6.604 and earlier are vulnerable to these attacks.
Researchers report three security holes: two stack buffer overflows with CVSS scores of 7.8 (CVE-2021-32457 and CVE-2021-32458) and one hardcoded password issue, with a CVSS score of 4.9 (CVE-2021-32459):
“TALOS-2021-1230 (CVE-2021-32457) and TALOS-2021-1231 (CVE-2021-32458) are elevation of privilege vulnerabilities that could allow an attacker to obtain elevated permissions on the targeted device. Another vulnerability, TALOS-2021-1241 (CVE-2021-32459), exists with a set of hardcoded credentials on the device an attacker could exploit to create files, change permissions on files, and upload arbitrary data to an SFTP server,” Cisco Talos wrote in its description of the three bugs.
The first two bugs are stack-based buffer overflows in ioctl handling. An attacker triggers them by sending specially crafted ioctl requests to the device. Both issues require that the attacker can already execute low-privileged code on the device, so they are a privilege-escalation step rather than an initial foothold.
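The following is an added, illustrative example of the bug class described above, not code from Trend Micro's product or from the Talos advisory. It models an ioctl handler in plain user-space C: a caller-controlled length field is copied into a fixed-size stack buffer without a bounds check (the vulnerable pattern), beside a hardened handler that rejects any request whose length exceeds the destination. The request layout, buffer sizes and function names are all assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed ioctl argument block: a caller-supplied length followed by up to
 * 256 bytes of payload. This layout is invented for the example and is not
 * the affected product's real interface. */
#define REQ_MAX_PAYLOAD 256
#define DRIVER_BUF_SIZE 64

struct ioctl_req {
    uint32_t len;                    /* caller-controlled, must not be trusted */
    uint8_t  data[REQ_MAX_PAYLOAD];
};

/* Vulnerable pattern: req->len is used as the memcpy size without ever being
 * compared against the 64-byte stack buffer. A request with len > 64 writes
 * past buf into the saved frame pointer and return address. Never call this
 * with len > DRIVER_BUF_SIZE; doing so is undefined behaviour. */
int handle_ioctl_vulnerable(const struct ioctl_req *req)
{
    uint8_t buf[DRIVER_BUF_SIZE];
    memcpy(buf, req->data, req->len);   /* no bound on req->len */
    return (int)buf[0];                 /* pretend to use the data */
}

/* Hardened handler: validate the caller-controlled length against both the
 * on-wire maximum and the actual destination size before copying. */
int handle_ioctl_hardened(const struct ioctl_req *req)
{
    uint8_t buf[DRIVER_BUF_SIZE];
    if (req->len > REQ_MAX_PAYLOAD || req->len > sizeof(buf))
        return -EINVAL;                 /* reject instead of overflowing */
    memcpy(buf, req->data, req->len);
    return (int)buf[0];
}

/* Builds a request of the given length filled with 'A' (constructed input). */
struct ioctl_req make_request(uint32_t len)
{
    struct ioctl_req req;
    memset(&req, 0, sizeof(req));
    req.len = len;
    memset(req.data, 'A', len > REQ_MAX_PAYLOAD ? REQ_MAX_PAYLOAD : len);
    return req;
}

/* Probe helper: result of the hardened handler for a request of `len` bytes.
 * Returns 'A' (65) when accepted, -EINVAL when the length is rejected. */
int probe_hardened(uint32_t len)
{
    struct ioctl_req req = make_request(len);
    return handle_ioctl_hardened(&req);
}

int main(void)
{
    struct ioctl_req ok = make_request(32);

    printf("benign request (32 bytes): hardened=%d vulnerable=%d\n",
           handle_ioctl_hardened(&ok), handle_ioctl_vulnerable(&ok));
    /* Only the hardened handler may safely see the oversized request;
     * handle_ioctl_vulnerable on it would smash the stack. */
    printf("oversized request (200 bytes): hardened=%d (expect %d)\n",
           probe_hardened(200), -EINVAL);
    return 0;
}
```

The check that matters is the comparison of the caller-controlled length against `sizeof(buf)`, the destination that actually lives on the stack; checking only against the protocol maximum (256) would still allow a 200-byte copy into a 64-byte buffer.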
The hardcoded password vulnerability affects the log collection server function of Trend Micro Home Network Security. An attacker can exploit it by sending a specially crafted network request. As with the first two, there is a precondition: the attacker must first be able to execute high-privileged code on the device.
Trend Micro has seen no evidence that anyone has exploited the bugs in the wild and says it is not aware of “any actual attacks against the affected product related to this vulnerability at this time.”
Trend Micro has released firmware updates that fix the bugs; devices should receive them through the product's automatic firmware update mechanism.