Published: 2021/05/10 Last Updated: 2021/05/10
JVNVU#97581596
Multiple vulnerabilities in Trend Micro Apex One, OfficeScan, and Worry-Free Business Security series
Overview
Trend Micro Apex One, OfficeScan, and Worry-Free Business Security series provided by Trend Micro Incorporated contain multiple vulnerabilities.
Products Affected
- Apex One 2019, Apex One SaaS
  - CVE-2021-25228, CVE-2021-25229, CVE-2021-25230, CVE-2021-25231, CVE-2021-25232, CVE-2021-25233, CVE-2021-25234, CVE-2021-25235, CVE-2021-25237, CVE-2021-25239, CVE-2021-25240, CVE-2021-25241, CVE-2021-25242, CVE-2021-25243, CVE-2021-25246, CVE-2021-25248, CVE-2021-25249
- OfficeScan XG SP1
  - CVE-2021-25228, CVE-2021-25229, CVE-2021-25230, CVE-2021-25231, CVE-2021-25232, CVE-2021-25233, CVE-2021-25234, CVE-2021-25235, CVE-2021-25236, CVE-2021-25238, CVE-2021-25239, CVE-2021-25240, CVE-2021-25242, CVE-2021-25243, CVE-2021-25246, CVE-2021-25248, CVE-2021-25249
- Worry-Free Business Security 10 SP1, Worry-Free Business Security Services
  - CVE-2021-25228, CVE-2021-25231, CVE-2021-25233, CVE-2021-25234, CVE-2021-25236, CVE-2021-25238, CVE-2021-25239, CVE-2021-25240, CVE-2021-25241, CVE-2021-25242, CVE-2021-25243, CVE-2021-25244, CVE-2021-25245, CVE-2021-25246, CVE-2021-25248, CVE-2021-25249
Description
Trend Micro Apex One, OfficeScan, and Worry-Free Business Security series provided by Trend Micro Incorporated contain the multiple vulnerabilities listed below.
- Improper Access Control (CWE-284) - CVE-2021-25228, CVE-2021-25229, CVE-2021-25230, CVE-2021-25231, CVE-2021-25232, CVE-2021-25233, CVE-2021-25234, CVE-2021-25235, CVE-2021-25237, CVE-2021-25238, CVE-2021-25239, CVE-2021-25240, CVE-2021-25242, CVE-2021-25243, CVE-2021-25244, CVE-2021-25245
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3
- Server-Side Request Forgery (CWE-918) - CVE-2021-25236, CVE-2021-25241
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3
- Improper Access Control (CWE-284) - CVE-2021-25246
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score: 6.5
- Out-of-bounds Read (CWE-125) - CVE-2021-25248
  CVSS v3 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 2.5
- Out-of-bounds Write (CWE-787) - CVE-2021-25249
  CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.8
Impact
- A remote, unauthenticated attacker may obtain information about the server and its agents - CVE-2021-25228, CVE-2021-25229, CVE-2021-25230, CVE-2021-25231, CVE-2021-25232, CVE-2021-25233, CVE-2021-25234, CVE-2021-25235, CVE-2021-25237, CVE-2021-25238, CVE-2021-25239, CVE-2021-25240, CVE-2021-25242, CVE-2021-25243, CVE-2021-25244, CVE-2021-25245
- A remote, unauthenticated attacker may obtain information about the network topology the server can reach - CVE-2021-25236, CVE-2021-25241
- A remote, unauthenticated attacker may register a bogus agent with an affected server and issue valid configuration queries - CVE-2021-25246
- A local, authenticated attacker may obtain sensitive information from a named pipe - CVE-2021-25248
- A local, authenticated attacker may escalate privileges while an affected product is being installed - CVE-2021-25249
Solution
Apply the patch and run the tool
Apply the appropriate patch according to the information provided by the developer. The developer has released the patches listed below, which contain fixes for these vulnerabilities.
- Apex One 2019
  - CP9167
- OfficeScan XG SP1
  - CP6040
- Worry-Free Business Security 10 SP1
  - Patch 2274
The same issues in Apex One SaaS and Worry-Free Business Security Services were already fixed in the January 2021 updates.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Other Information
CVE
- CVE-2021-25228
- CVE-2021-25229
- CVE-2021-25230
- CVE-2021-25231
- CVE-2021-25232
- CVE-2021-25233
- CVE-2021-25234
- CVE-2021-25235
- CVE-2021-25236
- CVE-2021-25237
- CVE-2021-25238
- CVE-2021-25239
- CVE-2021-25240
- CVE-2021-25241
- CVE-2021-25242
- CVE-2021-25243
- CVE-2021-25244
- CVE-2021-25245
- CVE-2021-25246
- CVE-2021-25248
- CVE-2021-25249