Published:2021/07/29  Last Updated:2021/07/29

JVNVU#93876919
Multiple vulnerabilities in multiple Trend Micro Endpoint security products for enterprises
Critical

Overview

Multiple Endpoint security products for enterprises provided by Trend Micro Incorporated contain multiple vulnerabilities.

Products Affected

CVE-2021-32464

  • Apex One On Premise (2019) prior to Build 9601
  • Apex One as a Service prior to Build 202107
  • Worry-Free Business Security Services prior to 6.7.1538 / 14.2.1295
CVE-2021-32465
  • Apex One On Premise (2019) prior to Build 9601
  • Apex One as a Service prior to Build 202107
CVE-2021-36741, CVE-2021-36742
  • Apex One On Premise (2019) prior to Build 9601
  • Apex One as a Service prior to Build 202107
  • Worry-Free Business Security 10 SP1 prior to Build 2329

Description

Multiple Endpoint security products for enterprises provided by Trend Micro Incorporated contain multiple vulnerabilities listed below.

  • Incorrect Permission Assignment (CWE-732) - CVE-2021-32464
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.8
  • Improper Preservation of Permissions (CWE-281) - CVE-2021-32465
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.5
  • Improper Input Validation (CWE-20) - CVE-2021-36741
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H Base Score: 7.1
  • Improper Input Validation (CWE-20) - CVE-2021-36742
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.8
Trend Micro Incorporated states that attacks against CVE-2021-36741 and CVE-2021-36742 have been observed.

Impact

  • An attacker who can log in to the OS where the product is running may obtain SYSTEM privileges and as a result, a specific script may be altered - CVE-2021-32464
  • A remote attacker who can log in to the OS where the product is running may bypass login authentication - CVE-2021-32465
  • A remote attacker who can log in to the product may upload arbitrary files - CVE-2021-36741
  • An attacker who can log in to the OS where the product is running may obtain SYSTEM privileges - CVE-2021-36742

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the patches listed below that contain a fix for these vulnerabilities.

  • Apex One On Premise (2019) Critical Patch B9601
  • Worry-Free Business Security 10 SP1 Patch B2329
  • Worry-Free Business Security Services 6.7.1538 / 14.2.1295 and later

The issues in Apex One as a Service are already fixed in the July 21th, 2021 updates.

Apply the Workaround
Applying the following workaround may mitigate the impact of these vulnerabilities.

  • Permit access to the product to only trusted network

Vendor Status

Vendor Link
Trend Micro Incorporated SECURITY BULLETIN: July 28, 2021, Security Bulletin for Trend Micro Apex One and Apex One as a Service
SECURITY BULLETIN: July 28, 2021, Security Bulletin for Worry-Free Business Security
SECURITY BULLETIN: Trend Micro Worry-Free Business Security Services Incorrect Permission Assignment Privilege Escalation Vulnerability
[Alert] Apply the latest Critical Patches; An attack exploiting the vulnerabilities (CVE-2021-36741, CVE-2021-36742) in Trend Micro products has been observed (Text in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Other Information

JPCERT Alert JPCERT-AT-2021-0033
Alert Regarding Vulnerabilities in Trend Micro Multiple Endpoint Security Products for Enterprises
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia

Update History

2021/07/29
Information under the section "Other Information" was updated.