Thursday, June 03, 2010

Security Issue in Trend Micro's Data Loss Prevention Product


This security issue affects the following product:
Data Loss Prevention (DLP) product (formerly the LeakProof product)
Version: DLP 5.2 and LeakProof <= 5.0
Vendor: Trend Micro
Product URL:
http://us.trendmicro.com/us/products/enterprise/data-loss-prevention/index.html

Additional information:
Author: nitrØus [ Alejandro Hernandez H. ]
Discovery Date: 09/Sept/2009
Disclosure Date: 01/Jun/2010
Attack Vector: Local
Attack Channels: Some HTTP/HTTPS non-analyzed channels
Impact: Data Theft / Data Leakage / Data Loss
Risk: Medium

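Description of the issue and how to reproduce it:
The product has a data leakage bug, which is a privacy problem.

How to reproduce:
The reproduction steps are described in detail at the following URL.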
http://www.brainoverflow.org/advisories/TrendMicro_DLP_data_leakage.pdf

Issue confirmation and reporting history:
DD/MM/YYYY
09/09/2009 The vulnerability was discovered.
20/02/2010 Trend Micro was informed about the vulnerability.
21/02/2010 Trend Micro assigned a Service Request Number #1
23/02/2010 Trend Micro asked to reproduce the vulnerability with certain policies and Web browsers as well as the details of the testing environment.
23/02/2010 Details sent, including screenshots.
25/02/2010 Trend Micro asked again to retest LeakProof in certain circumstances.
03/03/2010 Service Request #1 automatically closed due to inactivity
16/03/2010 Trend Micro assigned a Service Request Number #2
16/03/2010 Thread retaken and I explained to Trend Micro about the technical nature of the flaw.
18/03/2010 I got no response, so, I warned them about the soon public disclosure
24/03/2010 Service Request #2 automatically closed due to inactivity
23/03/2010 Trend Micro assigned a Service Request Number #3
23/03/2010 Thread retaken and Trend Micro asked me to debug and log all the endpoint activity
31/03/2010 Explained about the results and no answer received from Trend Micro
06/04/2010 Service Request #3 automatically closed due to inactivity
21/05/2010 Retested the vulnerability against the latest version of Data Loss Prevention (5.2)
01/06/2010 Public Disclosure

Solution:
At present, no patch has been confirmed. The issue is probably still in a zero-day state.

---
KLJTECH Co., Ltd. (株式会社ケイエルジェイテック)
http://www.kljtech.com
Security Monitor Center
