CVE Identifier(s): CVE-2020-8607
Platform(s): Windows
CVSS 3.1 Score(s): 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H )
Severity Rating(s): Medium
Trend Micro has released patches and/or updates to resolve an input validation vulnerability for multiple Trend Micro products that utilize a particular rootkit protection driver.
Affected Products
| Product | Affected Version(s) | Platform |
|---|---|---|
| Apex One | 2019 (On-premise) | Windows |
| SaaS | Windows | |
| OfficeScan | XG SP1 | Windows |
| Deep Security & Cloud One Workload Security (C1WS) | 12.x, 11.x, 10.x | Windows |
| Worry-Free Business Security | 10.0 SP1 | Windows |
| Services (SaaS) | Windows | |
| Trend Micro Security (Consumer Family) | 2020 (v16) | Windows |
| 2019 (v15) | Windows | |
| Safe Lock | 2.0 SP1 | Windows |
| TXOne Edition | Windows | |
| ServerProtect | for Storage (SPFS) 6.0 | Windows |
| for Network Appliance Filters (SPNAF) 5.8 | Windows | |
| for EMC Celerra (SPEMC) 5.8 | Windows | |
| for Windows / Netware (SPNT) 5.8 | Windows | |
| Portable Security | 2.x, 3.x | Windows |
| HouseCall | 8.0 | Windows |
| Anti-Threat Toolkit (ATTK) | 1.62.1240 and below | Windows |
| Rootkit Buster | 2.2 | Windows |
Solution
Trend Micro has released the following solutions to address the issue:
| Product | Updated version | Notes | Platform | Availability |
|---|---|---|---|---|
| Apex One | 2019 Patch 3 b8378 | Readme | Windows | Now Available |
| SaaS July 2020 Monthly Maintenance (b202007) | Deployed | Windows | Now Available | |
| OfficeScan | XG SP1 Patch 3 b5684 | Readme | Windows | Now Available |
| Deep Security & Cloud One Workload Security (C1WS) | DS 12.0 U11 | Readme | Windows | Now Available |
| DS 11.0 U22 | Readme | Windows | Now Available | |
| DS 10.0 U27 | Readme | Windows | Now Available | |
| C1WS Agents (SaaS) | Latest Updates Available for Deployment | Windows | Now Available | |
| Worry-Free Business Security | 10.0 SP1 Patch 2228 | Readme | Windows | Now Available |
| WFBS Services (SaaS) Bi-Weekly Maintenance | Deployed | Windows | Now Available | |
| Trend Micro Security (Consumer Family) | 2020 (v16) | Deployed via ActiveUpdate (AU) | Windows | Now Available |
| 2019 (v15)* | Deployed via ActiveUpdate (AU) | Windows | Now Available | |
| Safe Lock | 2.0 SP1 Patch 4 (b6156) | Readme | Windows | Now Available |
| TXOne Edition CP b1034 | Readme | Windows | Now Available | |
| ServerProtect | SPFS 6.0 CP b1268 | Readme | Windows | Now Available |
| SPNAF 5.8 SP1 Patch 2 CP1290 | Readme | Windows | Now Available | |
| SPEMC 5.8 CP1566 | Readme | Windows | Now Available | |
| SPNT 5.8 Patch 5 (b1567) | Readme | Windows | Now Available | |
| Portable Security | 3.0 | Deployed via ActiveUpdate (AU) | Windows | Now Available |
| 2.0 | Deployed via ActiveUpdate (AU) | Windows | Now Available | |
| HouseCall | 8.0 | Latest Version on Site | Windows | Now Available |
| Anti-Threat Toolkit (ATTK) | 1.62.1240 | Latest Version on Site | Windows | Now Available |
| Rootkit Buster | **Retired - See note below |
* Customers running Trend Micro Security (Consumer) 2019 who wish to resolve the issue immediately are encouraged to update to 2020 (v16) which is now available.
** Trend Micro has decided to retire the standalone Rootkit Buster tool due to its redundancy since most of its critical functionality has already been integrated into Trend Micro’s other protection products.
These are the minimum versions of the patches and/or builds required to address the issue. Trend Micro highly encourages customers to obtain the latest version of the product if there is a newer one available than the one listed in this bulletin.
Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.
Vulnerability Details
An input validation vulnerability found in multiple Trend Micro products utilizing a particular version of a specific rootkit protection driver could allow an attacker in user-mode with administrator permissions to abuse the driver to modify a kernel address that may cause a system crash or potentially lead to code execution in kernel mode.
Mitigating Factors
Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up to date.
As a potential exploit requires pre-obtained administrator access – the single most important mitigation against this type of attack is to ensure administrative credentials on systems are secured since an attacker with these credentials can not only exploit this vulnerability but potentially can have a much more significant impact on the target system or network.
Acknowledgement
Trend Micro acknowledges that the issue was first discovered by Bill Demirkapi (independent researcher).
