JVNVU#93693807
Trend Micro Deep Security Agent for Windows and Deep Security Notifier on DSVA vulnerable to OS command injection
Overview
Trend Micro Incorporated has released security updates for Deep Security Agent (for Windows) and Deep Security Notifier on DSVA (for Windows VM).
Products Affected
- Deep Security Agent (for Windows) versions prior to 20.0.1-21510
- Deep Security Notifier on DSVA (for Windows VM) version 20.0.0-8438 only
Description
Trend Micro Incorporated has released security updates for Deep Security Agent (for Windows) and Deep Security Notifier on DSVA (for Windows VM) to fix an OS command injection vulnerability (CWE-78, CVE-2024-48903).
Impact
A non-administrative user of the Windows system where the affected product is installed may execute arbitrary code with SYSTEM privilege.
Under certain conditions, and if the attacking user has been granted the relevant domain access, a command injection attack may be executed against other Windows systems in the same domain.
Solution
Update the software
Update Deep Security Agent to the latest version.
The vulnerability has been addressed in the following version:
- Deep Security Agent 20.0.1-21510 (20 LTS Update 2024-10-16)
For more details, refer to the information provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN.