CVE-2019-18187
Published: 28 October 2019
Summary
CVE-2019-18187 is a high-severity Path Traversal (CWE-22) vulnerability in Trend Micro OfficeScan. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Trend Micro OfficeScan versions 11.0 and XG (12.0) contain a directory traversal vulnerability tracked as CVE-2019-18187 and CWE-22. An attacker can supply an arbitrary zip file whose contents are extracted to a designated folder on the OfficeScan server, an action that may be leveraged for remote code execution. Execution occurs under the privileges of the web-service account, which may be limited depending on the underlying web platform, and the attack requires prior user authentication.
Because the flaw permits an authenticated remote attacker to place files on the server, successful exploitation can result in code execution; the reported CVSS 7.5 vector scores the impact as high on confidentiality and none on integrity and availability.
Trend Micro advisory 000151730 describes the issue and supplies remediation guidance; the vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog, indicating confirmed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-7990
Vulnerability details
Trend Micro OfficeScan versions 11.0 and XG (12.0) could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to a web service account, which depending on the web platform used may have restricted permissions. An attempted attack requires user authentication.
- CWE(s): CWE-22
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of file paths and zip-extraction inputs to block the directory traversal (CWE-22) that allows arbitrary file writes.
- SI-2 (Flaw Remediation): requires timely application of the vendor patch that eliminates the flawed zip-extraction logic in OfficeScan.
- Least privilege for the web-service account: limits the privileges under which extracted code would execute, reducing the impact of successful RCE.
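The SI-10 control above amounts to one concrete rule: before any member of an uploaded archive is written, its name must be shown to resolve inside the designated extraction folder. The following Python code is an added illustration of that rule and is not Trend Micro's code nor the patched OfficeScan logic; the function names, the temporary destination directory and the in-memory sample archive (one benign entry plus two traversal entries) are constructed for this example. It vets every member first and refuses the whole archive on the first escaping path, so nothing is written when an archive is hostile.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path


def is_safe_member(name: str, dest: Path) -> bool:
    """Return True only if archive member `name` would land inside `dest`."""
    # The zip spec mandates "/" separators, but hostile archives may carry "\".
    posix = name.replace("\\", "/")
    # Absolute paths (and, on Windows, drive letters) can never be inside dest.
    if posix.startswith("/") or os.path.splitdrive(posix)[0]:
        return False
    # Reject any ".." component outright rather than trusting normalisation alone.
    if any(part == ".." for part in posix.split("/")):
        return False
    # Defence in depth: the resolved target must still sit under the resolved dest.
    # resolve() follows symlinks, so a symlinked directory under dest is caught too.
    dest_resolved = dest.resolve()
    target = (dest_resolved / posix).resolve()
    return target == dest_resolved or dest_resolved in target.parents


def vet_archive(zip_bytes: bytes, dest: Path) -> dict:
    """Classify every member as 'ok' or 'traversal' without extracting anything."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            verdicts[info.filename] = "ok" if is_safe_member(info.filename, dest) else "traversal"
    return verdicts


def safe_extract(zip_bytes: bytes, dest: Path) -> list:
    """Vet all members first, then extract; refuse the whole archive on any traversal."""
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                raise ValueError(f"refusing archive: member {info.filename!r} escapes {dest}")
        for info in zf.infolist():
            target = dest / info.filename.replace("\\", "/")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            extracted.append(info.filename)
    return extracted


def build_sample_archive(include_traversal: bool) -> bytes:
    """Constructed sample input: a small archive, optionally carrying escaping entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reports/summary.txt", "benign content\n")
        if include_traversal:
            zf.writestr("../../outside.txt", "escaped\n")   # relative traversal
            zf.writestr("/abs/path.txt", "absolute\n")      # absolute path
    return buf.getvalue()


def run_demo() -> dict:
    """Run both archives against a fresh temporary directory and report the outcome."""
    dest = Path(tempfile.mkdtemp(prefix="zip-vet-demo-"))
    results = {"verdicts": vet_archive(build_sample_archive(True), dest)}
    results["extracted"] = safe_extract(build_sample_archive(False), dest)
    results["content"] = (dest / "reports" / "summary.txt").read_text()
    try:
        safe_extract(build_sample_archive(True), dest)
        results["hostile_rejected"] = False
    except ValueError:
        results["hostile_rejected"] = True
    # "../../outside.txt" relative to dest would land two levels up; confirm it never did.
    results["escaped_file_written"] = (dest.parent.parent / "outside.txt").exists()
    return results


if __name__ == "__main__":
    print(run_demo())
```

Checking each member name before the first write is the property that matters: an extractor that validates entry by entry while writing has already dropped files on disk by the time it meets the escaping one.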