Views:

Affected Version(s)

Product Affected Version(s)  Platform  Language(s) 
Apex One  2019 (On-prem) Windows English
Apex One as a Service  SaaS Windows English


Solution

Trend Micro has released the following solutions to address the issue:

Product Updated version  Notes Platform  Availability 
Apex One  SP1 CP b12980 Readme   Windows Now Available 
Apex One as a Service  May 2024 Maintenance Release (202405) 
Security Agent version: 14.0.13139		 Release Notes   Windows Now Available

Please note that some of the vulnerabilities in this bulletin may have been addressed in earlier patches or builds, but Trend Micro recommends updating to the latest version available to ensure all known issues are addressed.

Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.


Vulnerability Details

CVE-2024-36302 and CVE-2024-36303Origin Validation Error Local Privilege Escalation Vulnerability 
ZDI-CAN-22039, ZDI-CAN-22481
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Origin validation vulnerabilities in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-36304Security Agent Time-Of-Check Time-Of-Use Local Privilege Vulnerability 
ZDI-CAN-22667
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One and Apex One as a Service agent could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-36305Security Agent Link Following Local Privilege Vulnerability 
ZDI-CAN-22693
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-36306Damage Cleanup Engine Link Following Denial-of-Service Vulnerability 
ZDI-CAN-22038
CVSSv3: 6.1: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
A link following vulnerability in the Trend Micro Apex One and Apex One as a Service Damage Cleanup Engine could allow a local attacker to create a denial-of-service condition on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-36307Security Agent Link Following Information Disclosure Vulnerability 
ZDI-CAN-22032
CVSSv3: 4.7: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
A security agent link following vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to disclose sensitive information about the agent on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-37289Improper Access Control Local Privilege Escalation Vulnerability 
ZDI-CAN-21599
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
An improper access control vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-39753modOSCE SQL Injection Remote Code Execution Vulnerability 
ZDI-CAN-22968
CVSSv3: 7.5: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
An modOSCE SQL Injection vulnerability in Trend Micro Apex One could allow a remote attacker to execute arbitrary code on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2024-52047widget Local File Inclusion Remote Code Execution Vulnerability 
ZDI-CAN-23401
CVSSv3: 7.5: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
A widget local file inclusion vulnerability in Trend Micro Apex One could allow a remote attacker to execute arbitrary code on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.


Additional Security Enhancement

In addition to resolving the vulnerabilities listed above, the latest builds of Apex One and Apex One as a Service also have included some security enhancements to the agents' self-protection mechanisms to protect against malicious batch scripts intending to disrupt the operations of the security agents.


Mitigating Factors

Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date.

However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.


Acknowledgement

Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:


External Reference(s)

The following advisories may be found at Trend Micro's Zero Day Initiative Published Advisories site:
  • ZDI-CAN-22039
  • ZDI-CAN-22481
  • ZDI-CAN-22667
  • ZDI-CAN-22693
  • ZDI-CAN-22038
  • ZDI-CAN-22032
  • ZDI-CAN-21599
  • ZDI-CAN-22968
  • ZDI-CAN-23401
Keywords: SECURITY BULLETIN: May 2024 Security Bulletin for Trend Micro Apex One