CVE-2021-36745
📋 TL;DR
This vulnerability allows remote attackers to bypass authentication mechanisms in Trend Micro ServerProtect products, potentially gaining unauthorized access to security management functions. Affected installations include ServerProtect for Storage 6.0, ServerProtect for EMC Celerra 5.8, ServerProtect for Network Appliance Filers 5.8, and ServerProtect for Microsoft Windows/Novell Netware 5.8.
💻 Affected Systems
- Trend Micro ServerProtect for Storage
- Trend Micro ServerProtect for EMC Celerra
- Trend Micro ServerProtect for Network Appliance Filers
- Trend Micro ServerProtect for Microsoft Windows / Novell Netware
📦 What is this software?
ServerProtect by Trend Micro
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ServerProtect management console, allowing attackers to disable security protections, exfiltrate sensitive data, or deploy ransomware across protected storage systems.
Likely Case
Unauthorized access to security management functions, enabling attackers to disable antivirus scanning, modify security policies, or gain persistence on protected systems.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to ServerProtect management interfaces.
🎯 Exploit Status
The vulnerability allows authentication bypass without credentials, making exploitation straightforward for attackers who can reach the management interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest versions as specified in vendor advisories
Vendor Advisory: https://success.trendmicro.com/solution/000289038
Restart Required: Yes
Instructions:
1. Review Trend Micro advisory 000289038.
2. Download the appropriate patches from the Trend Micro support portal.
3. Apply the patches to all affected ServerProtect installations.
4. Restart ServerProtect services.
5. Verify successful patch installation.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to ServerProtect management interfaces to trusted administrative networks only
Firewall Rules
Implement firewall rules to block external access to ServerProtect management ports
🧯 If You Can't Patch
- Isolate ServerProtect management interfaces from untrusted networks using network segmentation
- Implement strict access controls and monitoring for ServerProtect management console access
🔍 How to Verify
Check if Vulnerable:
Check ServerProtect version against affected versions (6.0, 5.8) in the management console or installation directory
Check Version:
Check ServerProtect management console 'About' section or installation properties
Verify Fix Applied:
Verify version has been updated beyond vulnerable versions and test authentication mechanisms
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful access
- Unauthorized access to ServerProtect management functions
- Authentication bypass patterns in access logs
Network Indicators:
- Unusual traffic patterns to ServerProtect management ports from unauthorized sources
- Authentication bypass attempts on management interfaces
SIEM Query:
source="ServerProtect" AND (event_type="authentication" AND result="success" AND source_ip NOT IN [admin_networks])
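The two log indicators and the SIEM query above, expressed as runnable detection logic over sample events. This is an added example, not part of the advisory or of Trend Micro's code; the log line format, its field names and the 10.10.0.0/24 administrative network are constructed assumptions that must be adapted to the real ServerProtect log format.

```python
"""Flag ServerProtect management-console authentications that match the
page's indicators: success from outside trusted admin networks, and
failed attempts followed by a success from the same source."""
import ipaddress
from collections import defaultdict

# Assumption: trusted administrative networks for your environment.
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample events (not a real ServerProtect log format).
SAMPLE_LOG = """\
2021-09-01T10:00:01 source=ServerProtect event_type=authentication result=success src=10.10.0.5
2021-09-01T10:02:10 source=ServerProtect event_type=authentication result=failure src=198.51.100.7
2021-09-01T10:02:11 source=ServerProtect event_type=authentication result=failure src=198.51.100.7
2021-09-01T10:02:12 source=ServerProtect event_type=authentication result=success src=198.51.100.7
2021-09-01T10:05:00 source=ServerProtect event_type=authentication result=success src=192.0.2.9
"""


def parse(line):
    """Split 'timestamp key=value ...' into a dict with a 'ts' field."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = ts
    return event


def is_admin_source(ip, admin_networks):
    """True when the source IP falls inside a trusted admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in admin_networks)


def detect(log_text, admin_networks=ADMIN_NETWORKS):
    """Return (rule, src_ip, ts) tuples for every matching event."""
    alerts = []
    failures = defaultdict(int)  # consecutive failures per source IP
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("source") != "ServerProtect" or ev.get("event_type") != "authentication":
            continue
        src = ev["src"]
        if ev["result"] == "failure":
            failures[src] += 1
            continue
        if ev["result"] == "success":
            # Equivalent of the SIEM query: success from a non-admin source.
            if not is_admin_source(src, admin_networks):
                alerts.append(("success_from_untrusted_source", src, ev["ts"]))
            # Indicator: failed attempts followed by successful access.
            if failures[src] > 0:
                alerts.append(("failures_then_success", src, ev["ts"]))
            failures[src] = 0
    return alerts
```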
🔗 References
- https://success.trendmicro.com/jp/solution/000289030
- https://success.trendmicro.com/solution/000289038
- https://www.zerodayinitiative.com/advisories/ZDI-21-1115/