PT-2017-13235 · Trend Micro · Trend Micro Mobile Security
Mr_Me · Published 2017-09-15 · Updated 2017-09-29 · CVE-2017-14078
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3
Description
The issue allows remote attackers to execute arbitrary code on vulnerable installations. Multiple API endpoints are vulnerable to SQL injection.

Vulnerable endpoints include: query installed applications, change ios setting, move group, eas agent check upgrade, notify devices to update, upload web app, update group, delete user, query event log, delete devices, notify devices to scan, add app category, export devices, search devices, get dep profile, remote wipe device, change device user, remote lock device, eas agent unregister, eas agent upload new devices, edit user, export eas devices, get moveto group list, locate device, get user list, move devices, invite devices, delete admin account, notify groups to scan, cancel command list, reinvite user, remove eas agent info, get device list brief by group, mdm register new connector, edit eas note, get device detail info, query user, add group, eas agent register, resend command list, get device location, broadcast group, get subgroup list, eas agent sync all devices, edit device, search user for report, notify groups to update, eas agent sync client info, broadcast devices, remote selective wipe device, show eas agent info, show eas devices, reset device passwd, search users for vpp, stop mirroring, remove command list, diagnose eas status, change user, eas agent command, invite devices, save eas agent setting, create db, get remote unlockstring, assign policy, delete group, search device invitations.

Vulnerable parameters include: application name, Device DeviceId, Id, SlinkId, AppFile, AdminName, Device DeviceGroupId, group id, Name, Device DeviceDeviceId, user name, LDAPAccount, CmdUUID, UserName, DeviceGroupId, id.
Recommendations
For Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3, update to version 9.7 Patch 3 or later to resolve the issue. As a temporary workaround until the patch can be applied, restrict network access to the vulnerable API endpoints and avoid passing the affected parameters to them.
Tags: Fix · RCE · SQL injection
Affected Products
Trend Micro Mobile Security