CVE-2008-2433
First published: Wed Aug 27 2008(Updated: )
The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks. NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration."
Credit: PSIRT-CNA@flexerasoftware.com PSIRT-CNA@flexerasoftware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Trend Micro Client-Server Messaging Suite SMB | =3.5 | |
| Trend Micro Client-Server Messaging Suite SMB | =3.6 | |
| Trend Micro OfficeScan | >=7.0<=8.0 | |
| Trend Micro Worry-Free Business Security | =5.0 | |
| Trend Micro Client Server Messaging Security | =3.5 | |
| Trend Micro Client Server Messaging Security | =3.6 | |
| Trend Micro OfficeScan XG | =7.0 | |
| Trend Micro OfficeScan XG | =7.3 | |
| Trend Micro OfficeScan XG | =8.0 | |
| Trend Micro Worry-Free Business Security | =5.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://secunia.com/advisories/31373
- http://secunia.com/secunia_research/2008-31/advisory/
- http://securityreason.com/securityalert/4191
- http://www.securityfocus.com/archive/1/495670/100/0/threaded
- http://www.securityfocus.com/bid/30792
- http://www.securitytracker.com/id?1020732
- http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2402_readme.txt
- http://www.trendmicro.com/ftp/documentation/readme/Readme_WFBS5%200_EN_CriticalPatch1404.txt
- http://www.vupen.com/english/advisories/2008/2421
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44597
Frequently Asked Questions
What is the severity of CVE-2008-2433?
CVE-2008-2433 is classified as a high-severity vulnerability that can allow remote session hijacking.
How do I fix CVE-2008-2433?
To fix CVE-2008-2433, update to the latest version of the affected Trend Micro products that address this vulnerability.
Which versions of Trend Micro are affected by CVE-2008-2433?
CVE-2008-2433 affects Trend Micro OfficeScan versions 7.0 to 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite versions 3.5 and 3.6.
What type of attack does CVE-2008-2433 enable?
CVE-2008-2433 enables remote attackers to perform brute-force attacks and hijack user sessions.
Is CVE-2008-2433 difficult to exploit?
CVE-2008-2433 can be exploited with relative ease due to the predictable nature of the session token generation.
- agent/references
- agent/type
- agent/remedy
- agent/weakness
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- collector/nvd-historical
- vendor/trendmicro
- canonical/trend micro client-server messaging suite smb
- version/trend micro client-server messaging suite smb/3.5
- version/trend micro client-server messaging suite smb/3.6
- canonical/trend micro officescan
- version/trend micro officescan/7.0
- version/trend micro officescan/8.0
- canonical/trend micro worry-free business security
- version/trend micro worry-free business security/5.0
- vendor/trend micro
- canonical/trend micro client server messaging security
- version/trend micro client server messaging security/3.5
- version/trend micro client server messaging security/3.6
- canonical/trend micro officescan xg
- version/trend micro officescan xg/7.0
- version/trend micro officescan xg/7.3
- version/trend micro officescan xg/8.0