JVNVU#97581596
Multiple vulnerabilities in Trend Micro Apex One, OfficeScan, and Worry-Free Business Security series

Overview

Trend Micro Apex One, OfficeScan, and Worry-Free Business Security series provided by Trend Micro Incorporated contain multiple vulnerabilities.

Products Affected

• Apex One 2019, SaaS
  • CVE-2021-25228, CVE-2021-25229, CVE-2021-25230, CVE-2021-25231, CVE-2021-25232, CVE-2021-25233, CVE-2021-25234, CVE-2021-25235, CVE-2021-25237, CVE-2021-25239, CVE-2021-25240, CVE-2021-25241, CVE-2021-25242, CVE-2021-25243, CVE-2021-25246, CVE-2021-25248, CVE-2021-25249
• OfficeScan XG SP1
  • CVE-2021-25228, CVE-2021-25229, CVE-2021-25230, CVE-2021-25231, CVE-2021-25232, CVE-2021-25233, CVE-2021-25234, CVE-2021-25235, CVE-2021-25236, CVE-2021-25238, CVE-2021-25239, CVE-2021-25240, CVE-2021-25242, CVE-2021-25243, CVE-2021-25246, CVE-2021-25248, CVE-2021-25249
• Worry-Free Business Security 10 SP1, Worry-Free Business Security Services
  • CVE-2021-25228, CVE-2021-25231, CVE-2021-25233, CVE-2021-25234, CVE-2021-25236, CVE-2021-25238, CVE-2021-25239, CVE-2021-25240, CVE-2021-25241, CVE-2021-25242, CVE-2021-25243, CVE-2021-25244, CVE-2021-25245, CVE-2021-25246, CVE-2021-25248, CVE-2021-25249

Description

Trend Micro Apex One, OfficeScan, and Worry-Free Business Security series provided by Trend Micro Incorporated contain multiple vulnerabilities listed below.

• Improper Access Control (CWE-284) - CVE-2021-25228, CVE-2021-25229, CVE-2021-25230, CVE-2021-25231, CVE-2021-25232, CVE-2021-25233, CVE-2021-25234, CVE-2021-25235, CVE-2021-25237, CVE-2021-25238, CVE-2021-25239, CVE-2021-25240, CVE-2021-25242, CVE-2021-25243, CVE-2021-25244, CVE-2021-25245

  CVSS v3

  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

  Base Score: 5.3

• Server-Side Request Forgery (CWE-918) - CVE-2021-25236, CVE-2021-25241

  CVSS v3

  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

  Base Score: 5.3

• Improper Access Control (CWE-284) - CVE-2021-25246

  CVSS v3

  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

  Base Score: 6.5

• Out-of-bounds Read (CWE-125) - CVE-2021-25248

  CVSS v3

  CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

  Base Score: 2.5

• Out-of-bounds Write (CWE-787) - CVE-2021-25249

  CVSS v3

  CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  Base Score: 7.8

Impact

• A remote unauthenticated attacker may obtain information of the server and agents - CVE-2021-25228, CVE-2021-25229, CVE-2021-25230, CVE-2021-25231, CVE-2021-25232, CVE-2021-25233, CVE-2021-25234, CVE-2021-25235, CVE-2021-25237, CVE-2021-25238, CVE-2021-25239, CVE-2021-25240, CVE-2021-25242, CVE-2021-25243, CVE-2021-25244, CVE-2021-25245
• A remote unauthenticated attacker may obtain information of network topology a server can communicate with - CVE-2021-25236, CVE-2021-25241
• A remote unauthenticated attacker may create a bogue agent on an affected server and make valid configuration queries - CVE-2021-25246
• An authenticated attacker may obtain sensitive information of a named pipe - CVE-2021-25248
• An authenticated attacker may escalate privileges when installing an affected product - CVE-2021-25249

Solution

Apply the patch and run the tool
Apply the appropriate patch according to the information provided by the developer. The developer has released the patches listed below that contain a fix for these vulnerabilities.

• Apex One 2019
  • CP9167
• OfficeScan XG SP1
  • CP6040
• Worry-Free Business Security 10 SP1
  • Patch 2274

For on-premise versions of Apex One and OfficeScan XG SP1, run the supplemental configuration tool "EAFCUA tool" provided by the developer on the management server after applying the patch. Please refer to the developer's advisories (Apex One, OfficeScan XG SP1) for more information.

The same issue in Apex One SaaS and Worry-Free Business Security Services is already fixed in the 2021 January updates.