Published: 2020/03/18  Last Updated: 2020/03/18

JVNVU#98100897
Multiple vulnerabilities in Trend Micro Worry-Free Business Security
Critical

Overview

Trend Micro Worry-Free Business Security contains multiple vulnerabilities.

Products Affected

  • Trend Micro Worry-Free Business Security 10.0 SP1
  • Trend Micro Worry-Free Business Security 9.5
  • Trend Micro Worry-Free Business Security 9.0 SP3

Description

Trend Micro Worry-Free Business Security contains multiple vulnerabilities listed below.

  • Integrity check when downloading components to agents may be bypassed - CVE-2020-8468
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Base Score: 8.0
    CVSS v2 AV:N/AC:H/Au:S/C:P/I:P/A:P Base Score: 4.6
  • Arbitrary files on the administration server may be deleted with SYSTEM privileges - CVE-2020-8470
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H Base Score: 10.0
    CVSS v2 AV:N/AC:L/Au:N/C:N/I:C/A:C Base Score: 9.4
  • Arbitrary code may be executed remotely with SYSTEM privileges by abusing a vulnerable DLL on the administration server - CVE-2020-8598
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Base Score: 10.0
    CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score: 10.0
  • Directory traversal (CWE-22) - CVE-2020-8600
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Base Score: 8.6
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
Trend Micro Incorporated states that attacks exploiting CVE-2020-8468 have been observed.

Impact

  • A remote attacker may alter components on Worry-Free Business Security - CVE-2020-8468
  • A remote attacker may delete arbitrary files on the server - CVE-2020-8470
  • A remote attacker may execute arbitrary code - CVE-2020-8598
  • A remote attacker may manipulate specific files on the server and bypass authentication - CVE-2020-8600

Solution

Apply the Patch
Apply the appropriate patch according to the information provided by the developer.
The developer has released the patches listed below, which address the vulnerabilities.

  • Trend Micro Worry-Free Business Security 10.0 SP1 Patch 2190
  • Trend Micro Worry-Free Business Security 9.5 CP 1525
  • Trend Micro Worry-Free Business Security 9.0 SP3 CP 4417
The developer states that users who still run obsolete versions that are no longer supported are recommended to upgrade to the latest supported versions.

Apply a Workaround
The following workaround may mitigate the impact of the vulnerabilities.
  • Block access to the server from untrusted networks

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.

Other Information

CVE
  • CVE-2020-8468
  • CVE-2020-8470
  • CVE-2020-8598
  • CVE-2020-8600