ISS X-Force vs. Trend Micro

By Carsten Eiram

IBM ISS X-Force recently reported multiple vulnerabilities in Trend Micro ServerProtect. As Trend Micro claims to have fixed the vulnerabilities, which X-Force disagrees with, X-Force issued a blog as well to clarify some issues.

The actions of IBM ISS X-Force (publishing advisories on a competitor's product and afterwards criticising that competitor for how things were handled) have received a lot of attention and also some public criticism from various people.

I can see how some people may think that finding vulnerabilities in a competitor's products may be problematic. However, it really comes down to the way it is handled; as long as the vulnerabilities are reported to the competitor and the competitor is given ample time to fix the vulnerabilities before disclosing any information publicly, then I fail to see the problem. In this case, IBM ISS X-Force ultimately did Trend Micro a favour by reporting some problems in ServerProtect to them, thus giving Trend Micro an opportunity to improve the quality of their product.

Unfortunately, based on the information provided by IBM ISS X-Force, communication seemed to eventually break down after a point was reached where IBM ISS X-Force had dismissed four incomplete fixes and Trend Micro, on the other hand, found the vulnerabilities to be fixed in a satisfactory manner. As a researcher, you eventually have to throw in the towel and are left with only one option when communication reaches a standstill or completely breaks down: publish your advisory.

In this case, publishing the advisories was in my opinion the only course of action left and completely justified. According to the information about the whole process published by IBM ISS X-Force, they provided Trend Micro with sufficient time and information in order for the vulnerabilities to be properly fixed.

Whenever you have to resort to this final option, though, you owe it to users out there to clarify the reasons for your actions. This is also why I find the blog issued by IBM ISS X-Force valid. I've read this blog through multiple times and still can't see where people believe that the line was crossed. Naturally, it is necessary to describe the whole process and where things went wrong, and I think this has been done in a fairly to-the-point and factual manner. It's only spiced slightly with a bit of feeling, which is understandable since it's quite frustrating as a researcher to feel you're slamming your head against the wall (for whatever reason) when dealing with a vendor that you're actually doing a favour.

Personally, I believe X-Force did the right thing by both issuing the advisories and publishing a blog to clarify their actions. I do, however, disagree with their actions on one account: I believe that IBM ISS X-Force should have provided the usual amount of detail to make the threat more clear to organisations using ServerProtect instead of only issuing very vague information. This really only does a disservice to users, as it becomes difficult to properly evaluate the threat, while other researchers (good and bad) will still be able to find the problems and gain detailed information.

When these vulnerabilities were brought to our attention, the Secunia Research team immediately started analysing ServerProtect in order to properly understand the problem, determine if the claims made by IBM ISS X-Force were valid, and prepare a Binary Analysis for our customers on the Secunia Binary Analysis Service. It only took us about an hour to locate the first vulnerability…

Having thoroughly analysed one of the affected RPC interfaces of ServerProtect, Secunia Research can confirm that:
a) The vulnerabilities were not fixed in the patches provided by Trend Micro.
b) The implemented authentication mechanism is indeed flawed and insufficient as expressed by IBM ISS X-Force.
c) ServerProtect currently has a large number of vulnerabilities and should as such be considered insecure.

At Secunia, we strongly recommend that any customers running ServerProtect properly restrict any RPC traffic to servers where the software is installed. Hopefully, Trend Micro will properly address these vulnerabilities in the near future.

Best regards,

Carsten Eiram