Trend Micro Warnes for Actively Exploited RCE Flaw in Apex One
Trend Micro recently released a patch for an actively exploited flaw in its endpoint security platform, Apex One. The security software provider published an advisory to report six vulnerabilities and advised their customers to apply the patches immediately.
The vulnerabilities affect Apex One 2019 (On-prem) and Apex One SaaS products for Windows operating systems.
At Least One Exploitation Attempt in the Wild
There are indications of CVE-2022-40139(CVSS score: 7.2) being actively exploited in the wild. Attackers can remotely execute arbitrary code on computers running unpatched systems due to the vulnerability. It can only be exploited by an attacker who has administration console access.
The version rollback functionality is the main cause, which lets Apex One agents download untrusted components.
It is also important to note that other flaws fixed in this release might give users the administrative access needed to exploit CVE-2022-40139. However, there is no evidence that the remaining CVEs addressed in this release have been abused.
Other High Severity Flaws in Apex One
The highest CVSS score in the advisory is 8.2, which is CVE-2022-40144. According to its description, the vulnerability could allow an attacker to falsify request parameters and eventually bypass login authentication.
CVE-2022-40142 and CVE-2022-40143 are also flaws that have high severity ratings. They carry the risk of privilege escalation as they allow local attackers to abuse directories. The two flaws require an attacker to initially acquire low-privileged code execution.
Complete list of vulnerabilities addressed in Trend Micro’s advisory:
Improper Validation of Rollback Mechanism Components RCE Vulnerability
Origin Validation Error Denial-of-Service Vulnerability
Information disclosure vulnerability
Agent Link Following Local Privilege Escalation Vulnerability
Link Following Local Privilege Escalation Vulnerability
Login authentication bypass vulnerability
An attacker often needs access to a vulnerable machine, whether physically or remotely, to exploit this kind of vulnerability.
Customers are advised to assess remote access to essential systems, check current policies and perimeter security, and apply patches and updated solutions on time.
Users need to update their installation as soon as possible to Apex One Service Pack 1 (Server Build 11092 and Agent Build 11088).