Published:2021/04/21  Last Updated:2021/04/21

JVNVU#93491927
Multiple vulnerabilities in Apex One, Apex One as a Service and OfficeScan
Critical

Overview

Apex One, Apex One as a Service and OfficeScan provided by Trend Micro Incorporated contain multiple vulnerabilities.

Products Affected

CVE-2020-24556, CVE-2020-24557, CVE-2020-24558, CVE-2020-24562

  • Apex One On Premise (2019) (for Windows)
  • Apex One SaaS (for Windows)
  • OfficeScan XG SP1 (for Windows)
CVE-2020-24559
  • Apex One On Premise (2019) (for macOS)
  • Apex One SaaS (for macOS)
  • OfficeScan XG SP1 (for macOS)

Description

Apex One, Apex One as a Service and OfficeScan provided by Trend Micro Incorporated contain multiple vulnerabilities listed below.

  • Improper hard link handling (CWE-59) - CVE-2020-24556, CVE-2020-24559, CVE-2020-24562
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.8
  • Improper Access Control (CWE-284) - CVE-2020-24557
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.8
  • Out-of-Bounds Read (CWE-125) - CVE-2020-24558
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Base Score: 5.5
Trend Micro Incorporated states that attacks exploiting CVE-2020-24557 have been observed.
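The three CWE-59 entries above share the general pattern behind hard link (link following) bugs in privileged software: a privileged component writes to a path inside a directory that a low-privileged user can also write to, and the user pre-plants a hard link or symlink there so that the write lands on a file they could not otherwise modify. The following is an added example written for this page, not code from JVN, JPCERT/CC or Trend Micro, and it does not reproduce the specific Apex One or OfficeScan defects, whose details the advisory does not give. It shows the naive writer being redirected through a planted link and a hardened writer that refuses to follow links, on a POSIX system. The names `naive_write`, `safe_write`, `run_scenario` and the constructed file names are assumptions for the illustration.

```python
"""Added illustration of CWE-59 (link following) in a privileged-writer pattern.
Example code for this page only; not Trend Micro's code and not the actual bug.
Requires a POSIX system (uses O_NOFOLLOW and hard links)."""
import os
import stat
import tempfile

ORIGINAL = b"original protected contents\n"  # constructed sample content


class LinkFollowingRefused(Exception):
    """Raised by safe_write when the target is a link or otherwise unsafe."""


def naive_write(path: str, data: bytes) -> None:
    # Vulnerable pattern: open(..., "wb") silently follows hard links and symlinks,
    # so a planted link redirects the privileged write to the protected file.
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Hardened pattern: open without following symlinks, then inspect the
    opened descriptor (not a separate stat(), which would be a TOCTOU race)
    and refuse anything that is not a regular file with exactly one link."""
    flags = os.O_WRONLY | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)  # O_NOFOLLOW: a symlink here fails with ELOOP
    except OSError as e:
        raise LinkFollowingRefused(f"refusing {path}: {e}") from e
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise LinkFollowingRefused(f"refusing {path}: not a regular file")
        if st.st_nlink != 1:
            # A freshly created file has one link; a planted hard link has two or more.
            raise LinkFollowingRefused(f"refusing {path}: hard link count {st.st_nlink} != 1")
        os.ftruncate(fd, 0)  # only truncate after the checks pass
        os.write(fd, data)
    finally:
        os.close(fd)


def run_scenario(writer, make_link=os.link):
    """Plant a link in a user-writable drop directory pointing at a protected
    file, call `writer` on the planted path as the privileged component would,
    and return (protected file contents afterwards, refusal message or None)."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected.cfg")  # constructed "protected" file
        with open(protected, "wb") as f:
            f.write(ORIGINAL)
        drop_dir = os.path.join(root, "drop")  # constructed user-writable directory
        os.mkdir(drop_dir)
        planted = os.path.join(drop_dir, "report.log")
        make_link(protected, planted)  # the low-privileged user's planted link
        error = None
        try:
            writer(planted, b"attacker-controlled\n")
        except LinkFollowingRefused as e:
            error = str(e)
        with open(protected, "rb") as f:
            return f.read(), error


if __name__ == "__main__":
    for name, writer in (("naive_write", naive_write), ("safe_write", safe_write)):
        for link_name, make_link in (("hard link", os.link), ("symlink", os.symlink)):
            contents, error = run_scenario(writer, make_link)
            print(f"{name:12s} via {link_name:9s}: protected file now {contents!r}; {error or 'no refusal'}")
```

Note that the link-count check alone is not sufficient: a hard link count of one says nothing about symlinks, which is why the open uses `O_NOFOLLOW`, and the checks are made on the already-opened descriptor so that the file cannot be swapped between check and use.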

Impact

  • A local attacker with low privileges may obtain administrative privileges of the product and execute arbitrary code - CVE-2020-24556, CVE-2020-24559, CVE-2020-24562
  • An attacker may manipulate a particular product folder to disable the product's security functions, abuse a specific Windows function, and escalate privileges - CVE-2020-24557
  • An attacker may crash multiple processes of the product (denial of service) - CVE-2020-24558

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the patches listed below, which contain fixes for these vulnerabilities. Confirm that the installed build is at or above the listed build before treating a system as remediated.

  • Apex One On Premise (2019) (for Windows)
    • Patch 3 b8378
  • Apex One On Premise (2019) (for macOS)
    • macOS Patch 1
  • Apex One SaaS (for Windows), Apex One SaaS (for macOS)
    • Aug 2020 Monthly Patch (2008)
  • OfficeScan (for Windows), OfficeScan (for macOS)
    • XG SP1 CP5698

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Other Information

  • JPCERT Alert: JPCERT-AT-2021-0020
    Alert Regarding Vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan (CVE-2020-24557)
  • CVE: CVE-2020-24556, CVE-2020-24557, CVE-2020-24558, CVE-2020-24559, CVE-2020-24562

Update History

2021/04/21
Information under the section "Other Information" was updated.