Published: 2021/01/14 Last Updated: 2021/01/14
JVNVU#92683420
Multiple vulnerabilities in Trend Micro Apex One and OfficeScan
Overview
Trend Micro Apex One and OfficeScan contain multiple vulnerabilities.
Products Affected
- Trend Micro Apex One (on premise) 2019 CP8422 (prior to Build 8400)
- Trend Micro Apex One (SaaS) as a Service
- Trend Micro OfficeScan XG SP1 prior to CP 5702
Description
Trend Micro Apex One and OfficeScan contain multiple vulnerabilities listed below.
- Authentication Bypass (CWE-287) - CVE-2020-24563
  CVSS v3: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, Base Score: 7.8
  CVSS v2: AV:L/AC:L/Au:N/C:P/I:P/A:P, Base Score: 4.6
- Out-of-bounds Read (CWE-125) - CVE-2020-24564, CVE-2020-24565, CVE-2020-25770, CVE-2020-25771, CVE-2020-25772
  CVSS v3: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H, Base Score: 5.6
  CVSS v2: AV:L/AC:L/Au:S/C:P/I:P/A:P, Base Score: 4.3
- Double Free (CWE-415) - CVE-2020-25773
  CVSS v3: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, Base Score: 7.8
  CVSS v2: AV:L/AC:L/Au:N/C:P/I:P/A:P, Base Score: 4.6
- Out-of-bounds Read (CWE-125) - CVE-2020-25774
  CVSS v3: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, Base Score: 3.3
  CVSS v2: AV:L/AC:L/Au:N/C:P/I:N/A:N, Base Score: 2.1
- Privilege Escalation (CWE-268) - CVE-2020-28572
  CVSS v3: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, Base Score: 5.7
  CVSS v2: AV:L/AC:L/Au:S/C:P/I:P/A:P, Base Score: 4.3
- Incorrect Privilege Assignment (CWE-266) - CVE-2020-28573, CVE-2020-28576, CVE-2020-28577, CVE-2020-28582, CVE-2020-28583
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, Base Score: 5.3
  CVSS v2: AV:L/AC:L/Au:N/C:N/I:N/A:P, Base Score: 2.1
Impact
- A local attacker may obtain unauthorized privileges or execute arbitrary code by manipulating the agent unload option process - CVE-2020-24563
- An attacker without administrative privileges may obtain sensitive information in an agent-installed environment - CVE-2020-24564, CVE-2020-24565, CVE-2020-25770, CVE-2020-25771, CVE-2020-25772
- A local attacker may execute arbitrary code on the administrative server - CVE-2020-25773
- An attacker without administrative privileges may obtain sensitive information on the administrative server - CVE-2020-25774
- A user without the appropriate privileges may execute malicious code when reinstalling the agent - CVE-2020-28572
- A remote attacker may obtain the total number of agents without being authenticated - CVE-2020-28573, CVE-2020-28576, CVE-2020-28577, CVE-2020-28582, CVE-2020-28583
Solution
Apply the Patch
Apply the appropriate patch according to the information provided by the developer.
The developer has released the patches listed below, which address these vulnerabilities.
- Apex One 2019 CP8422 (Build 8400 and later)
- OfficeScan XG SP1 CP 5702 and later
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN.
Other Information
CVE
- CVE-2020-24563
- CVE-2020-24564
- CVE-2020-24565
- CVE-2020-25770
- CVE-2020-25771
- CVE-2020-25772
- CVE-2020-25773
- CVE-2020-25774
- CVE-2020-28572
- CVE-2020-28573
- CVE-2020-28576
- CVE-2020-28577
- CVE-2020-28582
- CVE-2020-28583