Seven critical Trend Micro vulnerabilities affecting its Apex One Security Agent have been found to be exploited in the wild, found the Zero Day Initiative.
The Trend Micro vulnerabilities were discovered and reported by several security researchers, prompting the company to take immediate action to address the issues.
Patches for the Trend Micro vulnerabilities were issued on May 16 and updated on May 17. However, the company is yet to responded the inquiries by The Cyber Express on the reported exploitation of the Trend Micro vulnerabilities.
Trend Micro vulnerabilities: 7 critical CVEs to look out for!
Trend Micro vulnerabilities have become a pressing concern due to the immense popularity of the cybersecurity service, with seven critical CVEs that require attention:
CVE-2023-32554
The first vulnerability, identified as ZDI-23-657 and registered as CVE-2023-32554, permits local attackers to exploit affected installations of Trend Micro Apex One Security Agent and elevate their privileges.
To carry out this attack, the attacker must initially gain the ability to run low-privileged code on the targeted system.
The vulnerability resides within the Apex One Client Plug-in Service Manager, which lacks proper file locking during specific operations. By exploiting this flaw, an attacker can escalate privileges and execute arbitrary code within the SYSTEM context.
CVE-2023-32552
The second vulnerability, ZDI-23-655 (CVE-2023-32552), enables remote attackers to access sensitive information on vulnerable Trend Micro Apex One installations. Unlike the previous vulnerability, this flaw does not require authentication for exploitation.
It resides within the web console of Apex One, typically listening on TCP port 4343. The vulnerability stems from inadequate access control mechanisms, allowing attackers to retrieve information from the application without proper authorization.
CVE-2023-32530
In addition to external findings, the vulnerability report also also discovered a flaw in Apex Central product, ZDI-23-654 (CVE-2023-32530). This flaw allows remote attackers to execute arbitrary code on affected Apex Central installations. However, authentication is still required to exploit this vulnerability.
The vulnerability arises from the mishandling of set_certificates_config requests to the modTMMS endpoint. When processing the dbCert parameter, the software fails to validate a user-supplied string correctly, leading to the construction of insecure SQL queries. By exploiting this flaw, an attacker can execute code within the context of the IUSR user.
CVE-2023-32553
Another vulnerability impacting Apex One, ZDI-23-653 (CVE-2023-32553), enables remote attackers to access sensitive information without requiring authentication.
Similar to the second vulnerability, this flaw resides within the web console and results from improper access control mechanisms. Exploiting this vulnerability permits unauthorized disclosure of information from the application.
CVE-2023-32529
Apex Central, the centralized management solution by Trend Micro, is also vulnerable to a critical flaw known as ZDI-23-652 (CVE-2023-32529). This flaw allows remote attackers to execute arbitrary code with authentication.
The vulnerability arises from the mishandling of delete_cert_vec requests to the modTMMS endpoint. By exploiting the inadequate validation of the id parameter, an attacker can manipulate SQL queries and execute code within the context of the IUSR user.
CVE-2023-32555
Another critical vulnerability, identified as Trend Micro Apex One Security Agent Time-Of-Check Time-Of-Use Local Privilege Escalation, ZDI-23-656 (CVE-2023-32555) have been affecting installations of Trend Micro’s Apex One Security Agent.
Local attackers can exploit this vulnerability to escalate their privileges within the system. To carry out the attack, the attacker must first gain the ability to execute low-privileged code on the target system.
The vulnerability stems from a flaw in the Apex One Client Plug-in Service Manager, specifically due to the absence of adequate locking mechanisms during file operations.
CVE-2023-32556
Lastly, the final vulnerability discovered, ZDI-23-651 (CVE-2023-32556), targets the Apex One Security Agent and enables local attackers to access sensitive information. However, exploiting this vulnerability requires the initial ability to execute low-privileged code on the target system.
The flaw resides within the NT Apex One RealTime Scan Service and can be exploited by creating a mount point. Through this technique, an attacker can extract the contents of a file and disclose information within the SYSTEM context.
Trend Micro vulnerabilities: Patch management
To address these Trend Micro vulnerabilities promptly, the company has issued some quick updates where users can find fixes for particular Trend Micro vulnerabilities.
“According to Identity Theft Resource Center’s 2021 Annual Data Breach Report, there were 1,862 confirmed compromises, up by more than 68% from 2020,” said a Trend Micro report on patch management.
Of these breaches, the 2022 Data Breach Investigation Report determined that those caused by vulnerabilities more than doubled from last year up to 7%.
Users of Trend Micro Apex, One, and Apex Central are strongly advised to apply the patches provided by the company to ensure the ongoing security of their systems.
