Views:

Affected Version(s)

ProductAffected Version(s) Platform Language(s) 
Mobile Security 
(Enterprise) 
9.8 SP5WindowsEnglish


Solution

Trend Micro has released the following solutions to address the issue:

ProductUpdated version*NotesPlatform Availability 
Mobile Security 
(Enterprise) 
9.8 SP5 Critical Patch B3294  Readme  Windows Now Available

These are the minimum recommended version(s) of the patches and/or builds required to address the issue. Trend Micro highly encourages customers to obtain the latest version of the product if there is a newer one available than the one listed in this bulletin.

Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.

Please note: some of the vulnerabilities listed below may be resolved by an earlier build, but it is strongly recommended that customers apply the latest available version to ensure all known issues are resolved.

 

Vulnerability Details

CVE-2023-32521Unauthenticated Path Traversal File Deletion Vulnerability 
CVSSv3.1: 9.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
A path traversal exists in a specific service dll of Trend Micro Mobile Security (Enterprise) 9.8 SP5 which could allow an unauthenticated remote attacker to delete arbitrary files.

CVE-2023-32522Authenticated Path Traversal File Deletion Vulnerability 
CVSSv3.1: 8.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
A path traversal exists in a specific dll of Trend Micro Mobile Security (Enterprise) 9.8 SP5 which could allow an authenticated remote attacker to delete arbitrary files.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2023-32523 and 32524Authentication Bypass Vulnerabilities 
ZDI-CAN-19721 and ZDI-CAN-19722
CVSSv3: 6.0: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

Affected versions of Trend Micro Mobile Security (Enterprise) 9.8 SP5 contain some widgets that would allow a remote user to bypass authentication and potentially chain with other vulnerabilities.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit these vulnerabilities.

CVE-2023-32525 and 32526: Unrestricted File Upload Vulnerabilities 
ZDI-CAN-20179 and ZDI-CAN-20182
CVSSv3: 6.5: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Trend Micro Mobile Security (Enterprise) 9.8 SP5 contains widget vulnerabilities that could allow a remote attacker to create arbitrary files on affected installations.  

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2023-32527 and 32528Local File Inclusion Remote Code Execution Vulnerabilities 
ZDI-CAN-20180 and ZDI-CAN-20181
CVSSv3: 7.7: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

Trend Micro Mobile Security (Enterprise) 9.8 SP5 contains vulnerable .php files that could allow a remote attacker to execute arbitrary code on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2023-35695Information Disclosure Vulnerability 
CVSSv3.1: 5.3: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
A remote attacker could leverage a vulnerability in Trend Micro Mobile Security (Enterprise) 9.8 SP5 to download a particular log file which may contain sensitive information regarding the product.


Mitigating Factors

Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date.

However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.


Acknowledgement

Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:

  • CVE-2023-32521, 32522 and 35695: Tenable Research
  • CVE-2023-32523 through 32528:  Poh Jia Hao of STAR Labs SG Pte. Ltd. working with Trend Micro's Zero Day Initiative


External Reference(s)

  • Tenable Security: TRA-2023-17 (CVE-2023-32521, 32522 and 35695)

The following advisories may be found at Trend Micro's Zero Day Initiative Published Advisories site:
  • ZDI-CAN-19721
  • ZDI-CAN-19722
  • ZDI-CAN-20179
  • ZDI-CAN-20182
  • ZDI-CAN-20180
  • ZDI-CAN-20181