JVNVU#93491927
Multiple vulnerabilities in Apex One, Apex One as a Service and OfficeScan
Critical

Overview

Apex One, Apex One as a Service and OfficeScan provided by Trend Micro Incorporated contain multiple vulnerabilities.

Products Affected

CVE-2020-24556, CVE-2020-24557, CVE-2020-24558, CVE-2020-24562

• Apex One On Premise (2019) (for Windows)
• Apex One SaaS (for Windows)
• OfficeScan XG SP1 (for Windows)

• Apex One On Premise (2019) (for macOS)
• Apex One SaaS (for macOS)
• OfficeScan XG SP1 (for macOS)

Description

Apex One, Apex One as a Service and OfficeScan provided by Trend Micro Incorporated contain multiple vulnerabilities listed below.

• Improper Hard links Handling (CWE-59) - CVE-2020-24556, CVE-2020-24559, CVE-2020-24562

  CVSS v3

  CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  Base Score: 7.8

• Improper Access Control (CWE-284) - CVE-2020-24557

  CVSS v3

  CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  Base Score: 7.8

• Out-of-Bounds Read (CWE-125) - CVE-2020-24558

  CVSS v3

  CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

  Base Score: 5.5

Impact

• An attacker may obtain administrative privileges of the product and execute arbitrary code - CVE-2020-24556, CVE-2020-24559, CVE-2020-24562
• An attacker may disable the security functions of the product by manipulating particular folders, abuse specific Windows functions, or conduct privilege escalation - CVE-2020-24557
• An attacker may crash the product's multiple processes - CVE-2020-24558

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the patches listed below that contain a fix for these vulnerabilities.

• Apex One On Premise (2019) (for Windows)
  • Patch 3 b8378
• Apex One On Premise (2019) (for macOS)
  • macOS Patch 1
• Apex One SaaS (for Windows), Apex One SaaS (for macOS)
  • Aug 2020 Monthly Patch (2008)
• OfficeScan (for Windows), OfficeScan (for macOS)
  • XG SP1 CP5698