Trend Micro Encryption for Email Gateway
Two researchers from Core Security Consulting Services discovered 12 vulnerabilities in the Trend Micro Encryption for Email Gateway (TMEEG), a Linux-based virtual appliance used to encrypt and decrypt email at the corporate gateway. The vulnerabilities range in severity from low to critical and affect all TMEEG versions up to and including version 5.5 Build 1111. If exploited, some of these vulnerabilities could allow a remote, unauthenticated actor to execute commands as root. In response, Trend Micro has released security update version 5.5 Build 1129, which patches 10 of the 12 vulnerabilities; the remaining two are unpatched at the time of publishing. The NJCCIC recommends that all TMEEG administrators review both the Trend Micro Security Bulletin and the Core Security Advisory and update to version 5.5 Build 1129 as soon as possible. Additionally, we recommend ensuring that the TMEEG web console is accessible only via the company intranet and only by authorized users.