Published:2023/09/19  Last Updated:2023/11/10

JVNVU#90967486
Trend Micro Endpoint security products for enterprises vulnerable to arbitrary code execution
Critical

Overview

Trend Micro Endpoint security products for enterprises contain an arbitrary code execution vulnerability.

Products Affected

  • Trend Micro Apex One On Premise (2019)
  • Trend Micro Apex One as a Service
  • Worry-Free Business Security 10.0 SP1
  • Worry-Free Business Security Services (SaaS)

Description

Trend Micro Endpoint security products for enterprises provided by Trend Micro Incorporated contain an arbitrary code execution vulnerability (CWE-94, CVE-2023-41179) in the 3rd Party AV Uninstaller Module.

Trend Micro Incorporated states that an attack exploiting this vulnerability has been observed.

Impact

An attacker who can log in to the product's administration console may execute arbitrary code with system privileges on the PC where the security agent is installed.

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the patches listed below, which contain a fix for this vulnerability.

  • Trend Micro Apex One On Premise (2019) SP1 Patch 1 (b12380)
  • Worry-Free Business Security 10.0 SP1 Patch 2495
The issue is fixed in the July 2023 Monthly Patch (202307), Agent Version: 14.0.12637, for Trend Micro Apex One as a Service, and in the July 31, 2023 Monthly Maintenance Release for Worry-Free Business Security Services (SaaS).

Apply the Workaround
Applying the following workaround may mitigate the impact of this vulnerability.
  • Permit access to the product's administration console only from trusted networks

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base Score: 9.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

Credit

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN.

Other Information

JPCERT Alert JPCERT-AT-2023-0021
Alert Regarding Vulnerability in Trend Micro Multiple Endpoint Security Products for Enterprises

Update History

2023/09/19
Information under the section "Other Information" was updated.
2023/09/20
Information under the section "Vendor Status" was updated.
2023/11/10
Fixed typo in the patch name under the section "Solution".