Published: 2021/05/10  Last Updated: 2021/05/10

JVNVU#97581596
Multiple vulnerabilities in Trend Micro Apex One, OfficeScan, and Worry-Free Business Security series

Overview

Trend Micro Apex One, OfficeScan, and Worry-Free Business Security series provided by Trend Micro Incorporated contain multiple vulnerabilities.

Products Affected

  • Apex One 2019, SaaS
    • CVE-2021-25228, CVE-2021-25229, CVE-2021-25230, CVE-2021-25231, CVE-2021-25232, CVE-2021-25233, CVE-2021-25234, CVE-2021-25235, CVE-2021-25237, CVE-2021-25239, CVE-2021-25240, CVE-2021-25241, CVE-2021-25242, CVE-2021-25243, CVE-2021-25246, CVE-2021-25248, CVE-2021-25249
  • OfficeScan XG SP1
    • CVE-2021-25228, CVE-2021-25229, CVE-2021-25230, CVE-2021-25231, CVE-2021-25232, CVE-2021-25233, CVE-2021-25234, CVE-2021-25235, CVE-2021-25236, CVE-2021-25238, CVE-2021-25239, CVE-2021-25240, CVE-2021-25242, CVE-2021-25243, CVE-2021-25246, CVE-2021-25248, CVE-2021-25249
  • Worry-Free Business Security 10 SP1, Worry-Free Business Security Services
    • CVE-2021-25228, CVE-2021-25231, CVE-2021-25233, CVE-2021-25234, CVE-2021-25236, CVE-2021-25238, CVE-2021-25239, CVE-2021-25240, CVE-2021-25241, CVE-2021-25242, CVE-2021-25243, CVE-2021-25244, CVE-2021-25245, CVE-2021-25246, CVE-2021-25248, CVE-2021-25249

Description

Trend Micro Apex One, OfficeScan, and Worry-Free Business Security series provided by Trend Micro Incorporated contain the multiple vulnerabilities listed below.

  • Improper Access Control (CWE-284) - CVE-2021-25228, CVE-2021-25229, CVE-2021-25230, CVE-2021-25231, CVE-2021-25232, CVE-2021-25233, CVE-2021-25234, CVE-2021-25235, CVE-2021-25237, CVE-2021-25238, CVE-2021-25239, CVE-2021-25240, CVE-2021-25242, CVE-2021-25243, CVE-2021-25244, CVE-2021-25245
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3
  • Server-Side Request Forgery (CWE-918) - CVE-2021-25236, CVE-2021-25241
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3
  • Improper Access Control (CWE-284) - CVE-2021-25246
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score: 6.5
  • Out-of-bounds Read (CWE-125) - CVE-2021-25248
    CVSS v3 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 2.5
  • Out-of-bounds Write (CWE-787) - CVE-2021-25249
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.8

Impact

  • A remote unauthenticated attacker may obtain information about the server and agents - CVE-2021-25228, CVE-2021-25229, CVE-2021-25230, CVE-2021-25231, CVE-2021-25232, CVE-2021-25233, CVE-2021-25234, CVE-2021-25235, CVE-2021-25237, CVE-2021-25238, CVE-2021-25239, CVE-2021-25240, CVE-2021-25242, CVE-2021-25243, CVE-2021-25244, CVE-2021-25245
  • A remote unauthenticated attacker may obtain information about the network topology that a server can communicate with - CVE-2021-25236, CVE-2021-25241
  • A remote unauthenticated attacker may create a bogus agent on an affected server and make valid configuration queries - CVE-2021-25246
  • An authenticated attacker may obtain sensitive information of a named pipe - CVE-2021-25248
  • An authenticated attacker may escalate privileges when installing an affected product - CVE-2021-25249

Solution

Apply the patch and run the tool
Apply the appropriate patch according to the information provided by the developer. The developer has released the patches listed below that contain a fix for these vulnerabilities.

  • Apex One 2019
    • CP9167
  • OfficeScan XG SP1
    • CP6040
  • Worry-Free Business Security 10 SP1
    • Patch 2274
For on-premise versions of Apex One and OfficeScan XG SP1, run the supplemental configuration tool "EAFCUA tool" provided by the developer on the management server after applying the patch. Please refer to the developer's advisories (Apex One, OfficeScan XG SP1) for more information.

The same issue in Apex One SaaS and Worry-Free Business Security Services is already fixed in the 2021 January updates.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.