Affected Version(s)
| Product | Affected Version(s) | Platform | Language(s) |
|---|---|---|---|
| Apex One | 2019 (on-prem) | Windows | English |
| Apex One | SaaS | Windows | English |
Solution
Trend Micro has released the following solutions to address the issue:
| Product | Updated version | Notes | Platform | Availability |
|---|---|---|---|---|
| Apex One (on-prem) | CP 11110/11102 * | Readme | Windows | Now Available |
| Apex One (SaaS) | September 2022 Monthly Patch (202209), Agent Version: 14.0.11734 | Notes | Windows | Now Available |
* Please note that Apex One SP1 is a prerequisite for the on-premises CP.
These are the minimum recommended version(s) of the patches and/or builds required to address the issue. Trend Micro highly encourages customers to obtain the latest version of the product if there is a newer one available than the one listed in this bulletin.
Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.
Vulnerability Details
CVE-2022-41744: Apex One Vulnerability Protection Service Time-of-Check Time-Of-Use Local Privilege Vulnerability
ZDI-CAN-16518
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One Vulnerability Protection integrated component could allow a local attacker to escalate privileges and turn a specific working directory into a mount point on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2022-41745: Apex One Out-Of-Bounds Access Local Privilege Escalation Vulnerability
ZDI-CAN-17542
CVSSv3: 7.0: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
An Out-of-Bounds access vulnerability in Trend Micro Apex One could allow a local attacker to create a specially crafted message to cause memory corruption on a certain service process which could lead to local privilege escalation on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2022-41746: Apex One Forced Browsing Privilege Escalation Vulnerability
ZDI-CAN-18013
CVSSv3: 9.1: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
A forced browsing vulnerability in Trend Micro Apex One could allow an attacker with access to the Apex One console on affected installations to escalate privileges and modify certain agent groupings.
Please note: an attacker must first obtain the ability to log onto the Apex One web console in order to exploit this vulnerability.
CVE-2022-41747: Apex One Security Agent Improper Certification Validation Local Privilege Escalation Vulnerability
ZDI-CAN-16923
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
An improper certification validation vulnerability in Trend Micro Apex One agents could allow a local attacker to load a DLL file with system service privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2022-41748: Apex One Data Loss Prevention Module Registry Permissions Vulnerability
CVSSv3: 6.7: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
A registry permissions vulnerability in the Trend Micro Apex One Data Loss Prevention (DLP) module could allow a local attacker with administrative credentials to bypass certain elements of the product's anti-tampering mechanisms on affected installations.
Please note: an attacker must first obtain administrative credentials on the target system in order to exploit this vulnerability.
CVE-2022-41749: Apex One Origin Validation Error Local Privilege Escalation Vulnerability
ZDI-CAN-17084
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
An origin validation error vulnerability in Trend Micro Apex One agents could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Mitigating Factors
Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure that policies and perimeter security are up to date.
However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.
Acknowledgement
Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:
- CVE-2022-41744: Abdelhamid Naceri working with Trend Micro's Zero Day Initiative
- CVE-2022-41745: Simon Zuckerbraun of Trend Micro's Zero Day Initiative
- CVE-2022-41746: Elias Martinez (FileNotFound) working with Trend Micro's Zero Day Initiative
- CVE-2022-41747: Lynn and Lays (@_L4ys) working with Trend Micro's Zero Day Initiative
- CVE-2022-41748: Nuttakorn Tungpoonsup, Khanatip Vanjongkham and Sittikorn Sangrattanapitak
- CVE-2022-41749: Simon Zuckerbraun of Trend Micro's Zero Day Initiative
External Reference(s)
- ZDI-CAN-16518
- ZDI-CAN-17542
- ZDI-CAN-18013
- ZDI-CAN-16923
- ZDI-CAN-17084