CVE: CVE-2008-2433

Export to Word

The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks. NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration."

Threat-Mapped Scoring

Score: 1.8

Priority: P4 - Informational (Low)

S9 – Sabotage of System/App

EPSS

Score: 0.12313
Percentile: 0.93557

CVSS Scoring

CVSS v3.1 Score: 9.8

Severity: CRITICAL

Mapped CWE(s)

CWE-330 : Use of Insufficiently Random Values

All CAPEC(s)

CAPEC-112: Brute Force
CAPEC-485: Signature Spoofing by Key Recreation
CAPEC-59: Session Credential Falsification through Prediction

CAPEC(s) with Mapped TTPs

CAPEC-112: Brute Force
Mapped TTPs:
- T1110 : Brute Force
CAPEC-485: Signature Spoofing by Key Recreation
Mapped TTPs:
- T1552.004 : Private Keys

Mapped ATT&CK TTPs

T1110 : Brute Force
Kill Chain: credential-access
T1552.004 : Private Keys
Kill Chain: credential-access

Malware

APTs Threat Group Associations

Campaigns

Operation Wocao
SolarWinds Compromise
2016 Ukraine Electric Power Attack
Operation Dream Job

Affected Products

cpe:2.3:a:trendmicro:client_server_messaging_suite:3.5:*:*:*:*:*:*:*
cpe:2.3:a:trendmicro:client_server_messaging_suite:3.6:*:*:*:*:*:*:*
cpe:2.3:a:trendmicro:officescan:*:*:*:*:*:*:*:*
cpe:2.3:a:trendmicro:worry-free_business_security:5.0:*:*:*:*:*:*:*

← Back to Home