
SECURITY BULLETIN: Trend Micro Deep Security as a Service Privilege Escalation Vulnerability

    • Updated: 16 Dec 2019
    • Product/Version: Deep Security As A Service
Summary

Release Date: December 16, 2019

CVE Identifier(s): CVE-2019-18191

Platform(s): SaaS

CVSS 3.1 Score(s): 7.5 - AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity Rating(s): High

A privilege escalation vulnerability in the Deep Security as a Service Quick Setup cloud formation template may impact AWS Accounts for those customers who have added AWS integrations (also known as 'AWS Connectors') to their Deep Security as a Service account using the Quick Setup option.

What is the risk?

This vulnerability allows an authenticated entity with certain unrestricted AWS execution privileges to escalate to full privileges within the target AWS account.

Trend Micro is not aware of any compromise related to this vulnerability; however, we recommend that customers review the detailed information below to understand if the issue impacts them and take immediate action to remediate the issue if necessary.

Details

AWS accounts are only vulnerable if all of the following statements are true:

1 - You use Deep Security as a Service

2 - An administrator of the AWS account has added the Deep Security AWS connector using the Quick Setup option 

  • The Quick Setup option allows a user to generate the connector configuration using AWS Cloud Formation templates.

3 - The Cloud Formation template used during the setup process was not removed after the configuration process was complete

The issue does NOT impact AWS accounts in any of the following situations:

 
Please note that future uses of Quick Setup are no longer vulnerable; however, we recommend that customers still delete the setup cloud formation template as a best practice.
 

Solution

There are two (2) options available to remediate the issue.

In your web browser:

Customers can navigate to Cloud Formation in the AWS console, search for DeepSecuritySetup and delete any stacks that match that name.

  • The stacks are created by default in us-east-1.
  • Deleting the stacks will have no effect on the integration between Deep Security and your AWS account.
  • All Deep Security product features will continue to operate normally.

Command line script:

We have also created a bash script that allows customers to iterate over all provided AWS accounts and correct the issue using the AWS CLI. Log in to your Deep Security account and change the page to /QuickSetupCleanup.screen to learn more.
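
The check-and-delete step described above can also be done from a shell with the AWS CLI. The following is an added example, not Trend Micro's cleanup script: it assumes a configured AWS CLI and that leftover Quick Setup stacks contain "DeepSecuritySetup" in their name, and it only reports matches unless DELETE=1 is set.

```shell
#!/bin/sh
# Added example, not Trend Micro's cleanup script.
# Assumes a configured AWS CLI and that leftover Quick Setup stacks contain
# "DeepSecuritySetup" in their name (the search term the bulletin gives).
STACK_PATTERN="DeepSecuritySetup"

# Reads "StackName<TAB>StackStatus" rows on stdin; prints names of matching
# stacks that still exist (list-stacks also returns recently deleted ones).
filter_setup_stacks() {
  awk -F'\t' -v pat="$STACK_PATTERN" \
    'index($1, pat) && $2 != "DELETE_COMPLETE" { print $1 }'
}

# Lists matching stack names in one region.
find_setup_stacks() {
  aws cloudformation list-stacks --region "$1" \
    --query 'StackSummaries[].[StackName,StackStatus]' --output text |
    filter_setup_stacks
}

# Reports matches in a region; deletes them only when DELETE=1.
cleanup_region() {
  region="$1"
  count=0
  for stack in $(find_setup_stacks "$region"); do
    count=$((count + 1))
    if [ "${DELETE:-0}" = "1" ]; then
      echo "deleting $stack in $region"
      aws cloudformation delete-stack --region "$region" --stack-name "$stack"
    else
      echo "found $stack in $region (dry run, set DELETE=1 to delete)"
    fi
  done
  echo "$region: $count matching stack(s)"
}

# Usage: sh quicksetup_check.sh us-east-1 [more regions...]
# Does nothing when no region is given.
for r in "$@"; do
  cleanup_region "$r"
done
```

Run it first without DELETE=1 against us-east-1, the default region named above, and against any other region where the template may have been launched.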

For further assistance please contact your authorized Trend Micro Deep Security as a Service support representative or contact.

Acknowledgement

Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:

  • Kesten Broughton of Praetorian

Solution Id: 000157758