Published: 2023/06/13  Last Updated: 2023/06/13

JVNVU#91852506
Security updates for multiple Trend Micro products for enterprises (June 2023)

Overview

Trend Micro Incorporated has released security updates for multiple Trend Micro products for enterprises.

Products Affected

  • Mobile Security (Enterprise) 9.8 SP5
  • Apex One 2019 (On-prem)
  • Apex One as a Service
  • Apex Central 2019 (On-prem)

Description

Trend Micro Incorporated has released security updates for multiple Trend Micro products for enterprises. For more details, refer to the information provided by the developer.

Impact

  • Mobile Security (Enterprise) 9.8 SP5
    • Arbitrary file deletion due to unauthenticated path traversal - CVE-2023-32521
    • Arbitrary file deletion due to authenticated path traversal - CVE-2023-32522
    • Unauthorized access due to authentication bypass - CVE-2023-32523, CVE-2023-32524
    • Unrestricted file upload - CVE-2023-32525, CVE-2023-32526
    • Arbitrary command execution due to local file inclusion - CVE-2023-32527, CVE-2023-32528
  • Apex One 2019 (On-prem), Apex One as a Service
    • Registry key removal due to privilege escalation - CVE-2023-30902
    • Information disclosure due to improper access control - CVE-2023-32552, CVE-2023-32553
    • Privilege escalation due to Time-of-check Time-of-use (TOCTOU) vulnerability - CVE-2023-32554, CVE-2023-32555
    • Information disclosure due to link following vulnerability - CVE-2023-32556
    • Code execution due to path traversal vulnerability - CVE-2023-32557
    • Privilege escalation due to untrusted search path vulnerability - CVE-2023-34144, CVE-2023-34145
    • Privilege escalation due to exposure of dangerous method/function vulnerability - CVE-2023-34146, CVE-2023-34147, CVE-2023-34148
  • Apex Central 2019 (On-prem)
    • Code execution due to SQL injection - CVE-2023-32529, CVE-2023-32530
    • Code execution due to XSS - CVE-2023-32531, CVE-2023-32532, CVE-2023-32533, CVE-2023-32534, CVE-2023-32535
    • Reflected XSS under authenticated conditions due to user input validation and sanitization issues - CVE-2023-32536, CVE-2023-32537, CVE-2023-32604, CVE-2023-32605

Solution

Update the Software and Apply Additional Configuration
Update the software to the latest version according to the information provided by the developer.
The issues in Apex One as a Service are fixed in the April and May 2023 Maintenance.

After the updates, apply the additional configuration as a countermeasure against CVE-2023-32552 and CVE-2023-32553.
For details, refer to the information provided by the developer.

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.