Affected Version(s)

Solution

Trend Micro has released the following solutions to address the issue:

Please note that some of the vulnerabilities in this bulletin may have been addressed in earlier patches or builds, but Trend Micro recommends updating to the latest version available to ensure all known issues are addressed.

Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.

Vulnerability Details

CVE-2024-36302 and CVE-2024-36303:  Origin Validation Error Local Privilege Escalation Vulnerability 
ZDI-CAN-22039, ZDI-CAN-22481
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Origin validation vulnerabilities in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-36304:  Security Agent Time-Of-Check Time-Of-Use Local Privilege Vulnerability 
ZDI-CAN-22667
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One and Apex One as a Service agent could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-36305:  Security Agent Link Following Local Privilege Vulnerability 
ZDI-CAN-22693
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-36306:  Damage Cleanup Engine Link Following Denial-of-Service Vulnerability 
ZDI-CAN-22038
CVSSv3: 6.1: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
A link following vulnerability in the Trend Micro Apex One and Apex One as a Service Damage Cleanup Engine could allow a local attacker to create a denial-of-service condition on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-36307:  Security Agent Link Following Information Disclosure Vulnerability 
ZDI-CAN-22032
CVSSv3: 4.7: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
A security agent link following vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to disclose sensitive information about the agent on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-37289:  Improper Access Control Local Privilege Escalation Vulnerability 
ZDI-CAN-21599
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
An improper access control vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-39753:  modOSCE SQL Injection Remote Code Execution Vulnerability 
ZDI-CAN-22968
CVSSv3: 7.5: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
An modOSCE SQL Injection vulnerability in Trend Micro Apex One could allow a remote attacker to execute arbitrary code on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Additional Security Enhancement

In addition to resolving the vulnerabilities listed above, the latest builds of Apex One and Apex One as a Service also have included some security enhancements to the agents' self-protection mechanisms to protect against malicious batch scripts intending to disrupt the operations of the security agents.

Mitigating Factors

Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date.

However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.

Acknowledgement

Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:

• CVE-2024-36302 (ZDI-CAN-22039) - Kolja Grassmann working with Trend Micro's Zero Day Initiative
• CVE-2024-36303 (ZDI-CAN-22481) - Lays (@_L4ys) of TRAPA Security working with Trend Micro's Zero Day Initiative
• CVE-2024-36304 (ZDI-CAN-22667) - Lays (@_L4ys) of TRAPA Security working with Trend Micro's Zero Day Initiative
• CVE-2024-36305 (ZDI-CAN-22693) - NT AUTHORITY\ANONYMOUS LOGON working with Trend Micro's Zero Day Initiative
• CVE-2024-36306 (ZDI-CAN-22038) - NT AUTHORITY\ANONYMOUS LOGON working with Trend Micro's Zero Day Initiative
• CVE-2024-36307 (ZDI-CAN-22032) - NT AUTHORITY\ANONYMOUS LOGON working with Trend Micro's Zero Day Initiative
• CVE-2024-37289 (ZDI-CAN-21599) - NT AUTHORITY\ANONYMOUS LOGON working with Trend Micro's Zero Day Initiative
• CVE-2024-39753 (ZDI-CAN-22968) - N1k0la (@webdxg) working with Trend Micro's Zero Day Initiative

External Reference(s)

• ZDI-CAN-22039
• ZDI-CAN-22481
• ZDI-CAN-22667
• ZDI-CAN-22693
• ZDI-CAN-22038
• ZDI-CAN-22032
• ZDI-CAN-21599
• ZDI-CAN-