In Trend Micro products prior to version 6.0.9, a local attacker could inject an invalid character into an HTTP header when parsing a request. As a result, the server would respond with an error message and the connection would be terminated. In Trend Micro products after version 6.0.9, an attacker could perform a SQL injection to inject invalid data into an SQL query. Such an invalid query may cause an error message to be displayed on the target system, leading to a denial-of-service condition. An attacker would have to perform either of these actions from the same network as the target system in order to exploit this vulnerability. Trend Micro recommends monitoring access to its products to ensure that only trusted parties have access to these systems. Trend Micro users are encouraged to upgrade to the latest version of the product.
Trend Micro Vulnerability Disclosure Program
Trend Micro has developed a Vulnerability Disclosure Program, which is designed to encourage the responsible disclosure of vulnerabilities in Trend Micro products. If you find a vulnerability in any of our products, please email your report to trendmicro-vuln-disclosure@trendmicro.com
The program requires that the person reporting the vulnerability discloses their name and contact information as well as an explanation of how to reproduce the issue. Please do not disclose confidential information via email.
If you are located outside of North America, direct mail is required for sending samples to Trend Micro Research and Development (R&D). You can send samples via courier, fax, or registered mail only. Sample request forms are available on our website: https://www.trendmicro.com/us/support/products/security-management/vulnerability-disclosure/.
Vulnerability Details
Trend Micro has issued updates to address this vulnerability in products prior to version 6.0.9. Trend Micro users are encouraged to upgrade to the latest version of the product, or install an update provided by Trend Micro or by the operating system vendor from which they install Trend Micro's software, as soon as possible.
The following security vulnerabilities were addressed in a later release of Trend Micro antivirus software:
CVE-2022-40140: An invalid character injection was found in HttpHeaderParser in Trend Micro products before Version 6.0.9, leading to incorrect HTTP response codes and connection termination when parsing a request (TippingPoint).
Vulnerability overview
A vulnerability was found in Trend Micro products prior to version 6.0.9 and 6.0.10 (when using the default configuration of Trend Micro Deep Security and Immunet) which could allow a remote, unauthenticated attacker to cause the server to crash. The vulnerability is caused by an invalid character injection into an HTTP header when parsing a request from the client side. This would cause a server error message which would terminate the connection and prevent the exploitation of this vulnerability.
Timeline
Published on: 09/19/2022 18:15:00 UTC
Last modified on: 09/21/2022 18:26:00 UTC