Trend Micro Warns Of Server Antivirus Flaws

Printer-friendly version Email this CRN article

Trend Micro has patched a pair of remote code execution vulnerabilities in ServerProtect, its server-based antivirus software, that could open the door for attackers to gain control over affected machines.

Both are stack-based buffer overflow bugs affecting ServerProtect For Windows version 5.58, Trend Micro said in a Tuesday advisory.

The first flaw stems from the failure of the "TmRpcSrv.dll" library to check user input before copying it to memory, Symantec said in a Deepsight Threat Management System advisory.

The bug affects the "EarthAgent.exe" daemon on TCP port 3628, and an attacker could exploit it by sending malicious code to a server with ServerProtect installed, according to Symantec.

The second vulnerability exists in the "AgRpcCln.dll" library and can be used to trigger a malicious RPC request to the "SpntSvc.exe" service, which is on TCP port 5168, Symantec said.

Security researcher Eric Detoisien discovered the flaws and reported them to Trend Micro via TippingPoint's Zero Day Initiative, a program that pays cash rewards to researchers for exploits.

Symantec rated the severity of both vulnerabilities as 10 out of 10. But Danish security research firm Secunia saw the threat as less serious, giving the two bugs a rating of "moderately critical," or 3 out of 5.

In February, Trend Micro patched four remote stack-based overflow flaws affecting ServerProtect for Windows 5.58, as well as ServerProtect for EMC 5.58, ServerProtect for Network Appliance Filer 5.61 and ServerProtect for Network Appliance Filer 5.62.

Printer-friendly version Email this CRN article