Release Date: December 16, 2019
CVE Identifier(s): CVE-2019-18191
CVSS 3.1 Score(s): 7.5 - AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity Rating(s): High
A privilege escalation vulnerability in the Deep Security as a Service Quick Setup CloudFormation template may impact the AWS accounts of customers who have added AWS integrations (also known as 'AWS Connectors') to their Deep Security as a Service account using the Quick Setup option.
What is the risk?
This vulnerability allows an authenticated entity with certain unrestricted AWS execution privileges to escalate to full privileges within the target AWS account.
Trend Micro is not aware of any compromise related to this vulnerability; however, we recommend that customers review the detailed information below to understand if the issue impacts them and take immediate action to remediate the issue if necessary.
AWS accounts are only vulnerable if all of the following statements are true:
1 - You use Deep Security as a Service
2 - An administrator of the AWS account has added the Deep Security AWS connector using the Quick Setup option
- The Quick Setup option allows a user to generate the connector configuration using AWS CloudFormation templates.
3 - The CloudFormation stack created from the Quick Setup template was not deleted after the configuration process was complete
The issue does NOT impact AWS accounts in any of the following situations:
- You are using Deep Security via the AWS Marketplace (delivery methods - Amazon Machine Image or CloudFormation Template)
- You deployed Deep Security Manager as a software package
- The corresponding AWS connector was created using an IAM key
- The corresponding AWS connector has been configured manually (using the Advanced option)
- The corresponding AWS connector was configured programmatically using the Deep Security APIs
There are two (2) options available to remediate the issue.
In your web browser:
Customers can navigate to CloudFormation in the AWS console, search for DeepSecuritySetup and delete any stacks that match that name.
- The stacks are created by default in us-east-1.
- Deleting the stacks will have no effect on the integration between Deep Security and your AWS account.
- All Deep Security product features will continue to operate normally.
Command line script:
We have also created a bash script that iterates over all provided AWS accounts and corrects the issue using the AWS CLI. Log in to your Deep Security account and change the URL path to /QuickSetupCleanup.screen to learn more.
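The following script is an added example of the command-line cleanup described above (both the browser steps and the scripted variant); it is not Trend Micro's QuickSetupCleanup script and is not taken from this advisory. It assumes the AWS CLI is installed and configured with one named profile per AWS account, that the leftover stacks carry the default name DeepSecuritySetup, and that the REGIONS, DRY_RUN and CLEANUP_RUN variables are the script's own conventions. It lists the CloudFormation stacks in each account and region, keeps those whose name starts with DeepSecuritySetup and are not already deleted, and deletes them; the stack-name filter is separated into its own function so it can be checked offline against constructed input.

```shell
#!/bin/sh
# Added example, not Trend Micro's own QuickSetupCleanup script.
# Assumptions: the AWS CLI is installed and configured with one named profile
# per AWS account; the Quick Setup stacks carry their default name
# "DeepSecuritySetup"; REGIONS defaults to us-east-1, where Quick Setup
# creates the stack by default. REGIONS, DRY_RUN and CLEANUP_RUN are this
# script's own variables, not Deep Security or AWS settings.
set -eu

STACK_NAME_PREFIX="DeepSecuritySetup"

# select_setup_stacks: reads "StackName<TAB>StackStatus" lines on stdin and
# prints the names of stacks whose name starts with STACK_NAME_PREFIX and that
# are not already deleted or being deleted. Pure text filtering, no AWS calls.
select_setup_stacks() {
    awk -F '\t' -v prefix="$STACK_NAME_PREFIX" '
        index($1, prefix) == 1 && $2 != "DELETE_COMPLETE" && $2 != "DELETE_IN_PROGRESS" {
            print $1
        }'
}

# list_stacks PROFILE REGION: emits one "StackName<TAB>StackStatus" line per
# stack in that account and region (AWS CLI call; needs credentials).
list_stacks() {
    aws cloudformation list-stacks \
        --profile "$1" --region "$2" \
        --query 'StackSummaries[].[StackName, StackStatus]' \
        --output text
}

# delete_setup_stacks PROFILE REGION DRY_RUN: deletes every matching stack, or
# with DRY_RUN=1 only reports what would be deleted. Per the advisory, removing
# these stacks does not affect the Deep Security AWS connector itself.
delete_setup_stacks() {
    profile="$1"; region="$2"; dry_run="$3"
    # Capture the listing first so that set -e aborts if the AWS call fails
    # (a failure inside a pipeline would otherwise be masked by the loop).
    raw=$(list_stacks "$profile" "$region")
    printf '%s\n' "$raw" | select_setup_stacks |
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "$dry_run" = 1 ]; then
            printf 'would delete stack %s (%s/%s)\n' "$name" "$profile" "$region"
        else
            printf 'deleting stack %s (%s/%s)\n' "$name" "$profile" "$region"
            aws cloudformation delete-stack \
                --profile "$profile" --region "$region" --stack-name "$name"
            aws cloudformation wait stack-delete-complete \
                --profile "$profile" --region "$region" --stack-name "$name"
        fi
    done
}

# main PROFILE...: iterate over every account (profile) and every region in
# REGIONS. Quick Setup creates the stack in us-east-1 by default, so that is
# the default here; add other regions if you chose a different one.
main() {
    for profile in "$@"; do
        for region in ${REGIONS:-us-east-1}; do
            delete_setup_stacks "$profile" "$region" "${DRY_RUN:-1}"
        done
    done
}

# Only touch AWS when explicitly asked, e.g.:
#   CLEANUP_RUN=1 DRY_RUN=1 sh cleanup.sh prod-account dev-account   # report only
#   CLEANUP_RUN=1 DRY_RUN=0 sh cleanup.sh prod-account dev-account   # delete
if [ "${CLEANUP_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

DRY_RUN defaults to 1, so the first pass only reports which stacks would be removed in which account and region; rerun with DRY_RUN=0 once the list looks right. Stacks already in DELETE_COMPLETE are skipped because CloudFormation keeps them in list-stacks output for a while after deletion and a stack name can be reused, so filtering on status rather than name alone avoids spurious delete calls.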
For further assistance please contact your authorized Trend Micro Deep Security as a Service support representative or contact.
Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:
- Kesten Broughton of Praetorian