OTPulse

Canary Labs Inc Trend Link Insecure ActiveX Control Method

Low Risk · ICS-CERT ICSA-13-098-01 · Jan 10, 2013
Summary

Canary Labs Inc Trend Link versions 9.0.2.27051 and earlier contain an insecure ActiveX control method (CWE-73) that could allow arbitrary code execution. The vulnerability is in the ActiveX control exposed by the application, which may execute attacker-controlled code in the browser context without proper validation.

What this means
What could happen
An attacker who can reach a machine running Trend Link could execute arbitrary code with the privileges of the web browser by exploiting an insecure ActiveX control, potentially compromising engineering workstations or data access systems used in water or utility operations.
Who's at risk
Engineering and operations staff at water utilities and electric utilities who use Canary Labs Trend Link software, particularly those accessing the application via web browsers or running it on engineering workstations connected to the plant network.
How it could be exploited
An attacker crafts a malicious web page or email containing code that exploits the insecure ActiveX control in Trend Link. When a user with the affected version views the page or clicks a link in their browser, the malicious code executes in the browser context. This could allow the attacker to run arbitrary commands on the workstation if the ActiveX control is instantiated.
Prerequisites
  • User must visit a malicious web page or open a specially crafted email in a browser on a workstation with Trend Link version 9.0.2.27051 or earlier
  • ActiveX controls must be enabled in the browser
  • The workstation must have network access to the internet or to an attacker-controlled server
Tags: no patch available · low complexity attack · affects engineering workstations · requires user interaction
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product      Affected Versions   Fix Status
Trend Link   ≤ 9.0.2.27051       No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable or restrict ActiveX controls in web browsers used on Trend Link systems, or run the browser in protected/low-privilege mode
HARDENING: Restrict access to the Trend Link application to a dedicated network segment or VPN; block outbound HTTP/HTTPS from Trend Link workstations to untrusted internet sources
HARDENING: Educate users not to click untrusted links or open suspicious email attachments on machines running Trend Link
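One way to apply the first workaround on Windows hosts, as an added example that is not from OTPulse or Canary Labs: set the Internet Explorer "kill bit" for the control's CLSID so the browser refuses to instantiate it, then read the flag back to confirm. The advisory does not publish the Trend Link control's CLSID, so the GUID below is a placeholder; take the real one from the control's registration under HKEY_CLASSES_ROOT\CLSID on an affected workstation.

```powershell
# Added example: set the IE kill bit for one ActiveX control and verify it.
# The CLSID is a PLACEHOLDER; replace it with the control's real CLSID.
# Run from an elevated PowerShell prompt.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'  # placeholder
)

$KillBit = 0x400   # COMPAT_KILLBIT in the "Compatibility Flags" DWORD

# Warn if the CLSID is not registered at all (e.g. placeholder not replaced).
if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid")) {
    Write-Warning "CLSID $Clsid is not registered on this host; check that the placeholder was replaced."
}

# 64-bit Windows keeps a separate view for 32-bit controls; set both so that
# neither a 32-bit nor a 64-bit browser process can load the control.
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # Keep any flags already present and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
    $value = if ($null -ne $existing) { $existing -bor $KillBit } else { $KillBit }
    New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $value -Force | Out-Null
}

# Verification: report whether the kill bit is now set in each registry view.
foreach ($path in $paths) {
    $flags = (Get-ItemProperty -Path $path).'Compatibility Flags'
    $state = if (($flags -band $KillBit) -eq $KillBit) { 'KILLED ' } else { 'MISSING' }
    "$state $path"
}
```

The kill bit only affects browsers and other hosts that honour the ActiveX Compatibility key; it does not remove the control, so combine it with the network restrictions listed above.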
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Monitor for any upgrade or patch released by Canary Labs Inc and deploy it immediately once available