Published:2019/11/08  Last Updated:2019/11/08

JVNVU#91743132
Multiple Trend Micro products vulnerable to directory traversal

Overview

Multiple Trend Micro products vulnerable to directory traversal.

Products Affected

  • Trend Micro Apex One 2019
  • Trend Micro OfficeScan XG SP1, XG and 11.0 SP1
  • Trend Micro Worry-Free Business Security 10.0 SP1, 10.0 and 9.5
Developer states that Trend Micro Apex One-as-a-Service and Worry-Free Services are not affected by this vulnerability.

Description

Trend Micro Apex One, Trend Micro OfficeScan and Trend Micro Worry-Free Business Security provided by Trend Micro Incorporated contains a directory traversal vulnerability (CWE-22).

Impact

A remote attacker may bypass authentication and log on to affected product's management console as a root user.

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the following patches to address this vulnerability.

Trend Micro Apex One:

  • Trend Micro Apex One Critical Patch (Build 2049)
Trend Micro OfficeScan:
  • Trend Micro OfficeScan XG Service Pack 1 Critical Patch (Build 5427)
  • Trend Micro OfficeScan XG Critical Patch (Build 1962)
  • Trend Micro OfficeScan 11.0 Service Pack 1 Critical Patch (Build 6638)
Trend Micro Worry-Free Business Security:
  • Trend Micro Worry-Free Business Security 10.0 Service Pack 1 Patch (Build 2179)
  • Trend Micro Worry-Free Business Security 10.0 Patch (Build 1569)
  • Trend Micro Worry-Free Business Security 9.5 Critical Patch (Build 1513)

Vendor Status

Vendor Link
Trend Micro Incorporated SECURITY BULLETIN: Trend Micro Commercial Endpoints Root Login Bypass with Directory Traversal Vulnerability

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:A/AC:L/Au:N/C:P/I:P/A:P
Base Score: 5.8
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2019-18189
JVN iPedia