Published: 2021/05/31  Last Updated: 2022/03/16

JVNVU#93332929
Multiple security updates for multiple Trend Micro products (May 2021)

Overview

Trend Micro Incorporated has released multiple security updates for multiple Trend Micro products.

Products Affected

  • OfficeScan XG SP1
  • Apex One On Premise (2019)
  • Apex One SaaS
  • Trend Micro Antivirus for MAC 2021 (v11)
  • Trend Micro Antivirus for MAC 2020 (v10.5)
  • Home Network Security versions 6.5.599 and earlier
  • HouseCall for Home Networks versions 5.3.1179 and earlier
  • InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2

Description

Trend Micro Incorporated has released multiple security updates for multiple Trend Micro products.

Impact

  • OfficeScan XG SP1, Apex One On Premise (2019), Apex One SaaS
    • Privilege escalation due to improper access control
    • Privilege escalation due to incorrect permission assignment
    • Modification of a specific log file due to insecure file permissions
  • Trend Micro Antivirus for MAC 2021 (v11), Trend Micro Antivirus for MAC 2020 (v10.5)
    • Privilege escalation due to improper access control
  • Home Network Security
    • Denial-of-service (DoS)
  • HouseCall for Home Networks
    • Arbitrary code execution due to privilege escalation
  • InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2
    • CSRF protection bypass
    • Tampering with the web interface due to cross-site scripting
    • Unauthorized access to the web interface due to authorization bypass
    • Privilege escalation due to authentication bypass and SSRF
    • Arbitrary code execution due to CSRF protection bypass and authentication bypass
    • Arbitrary command execution

Solution

Update the Software
Apply the appropriate update according to the information provided by the developer.

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Update History

2022/03/16
Fixed the typo in the title.