Affected Version(s)
Product | Affected Version(s) | Platform | Language(s) |
---|---|---|---|
Apex One | 2019 (On-prem) | Windows | English |
Apex One as a Service | SaaS | Windows | English |
Solution
Trend Micro has released the following solutions to address the issue:
Product | Minimum Patch Version Required | Notes | Platform | Availability |
---|---|---|---|---|
Apex One | SP1 CP 12526 | Readme | Windows | Available Now |
Apex One as a Service | September 2023 Monthly Patch (202309) Agent Version: 14.0.12737 | Notes | Windows | Available Now |
These are the minimum recommended version(s) of the patches and/or builds required to address the issue. Trend Micro highly encourages customers to obtain the latest version of the product if there is a newer one available than the one listed in this bulletin.
Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.
Vulnerability Details
CVE-2023-47192: Agent Link Following Local Privilege Escalation Vulnerability
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
A link following vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2023-47193 through CVE-2023-47199: Origin Validation Error Local Privilege Escalation Vulnerabilities
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Several origin validation vulnerabilities in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2023-47200 and CVE-2023-47201: Plug-in Manager Origin Validation Error Local Privilege Escalation Vulnerabilities
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Two plug-in manager origin validation vulnerabilities in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2023-47202: Local File Inclusion Local Privilege Escalation Vulnerability
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
A local file inclusion vulnerability on the Trend Micro Apex One management server could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Security Agent Self-Protection Enhancement
Beginning with the versions mentioned above, Trend Micro has enhanced security features on the Trend Micro Apex One and Apex One as a Service agents in response to threats being observed that attempt to disable security agent protections on target machines.
Please note that certain applications (e.g., customer apps) that are not digitally signed by either Trend Micro or Microsoft and exhibit certain injection behaviors may be blocked by the new security enhancement under certain circumstances. Customers may need to add certain exceptions to known trusted apps by following steps such as the one listed in this guide or by contacting Trend Micro technical support for further assistance.
Mitigating Factors
Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security are up to date.
Acknowledgement
Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:
- Lays (@_L4ys) of TRAPA Security working with Trend Micro's Zero Day Initiative (CVE-2023-47192 through 47198, CVE-2023-47200, CVE-2023-47201)
- Simon Zuckerbraun of Trend Micro's Zero Day Initiative (CVE-2023-47199)
- NT AUTHORITY\ANONYMOUS LOGON working with Trend Micro's Zero Day Initiative (CVE-2023-47202)
External Reference(s)
- ZDI-CAN-20220
- ZDI-CAN-21366
- ZDI-CAN-21367
- ZDI-CAN-21368
- ZDI-CAN-21380
- ZDI-CAN-21381
- ZDI-CAN-21382
- ZDI-CAN-21665
- ZDI-CAN-21383
- ZDI-CAN-21378
- ZDI-CAN-21460