SOCRadar® Cyber Intelligence Inc. | Trend Micro Warnes for Actively Exploited RCE Flaw in Apex One
Home

Resources

Blog
Sep 16, 2022
3 Mins Read

Trend Micro Warnes for Actively Exploited RCE Flaw in Apex One

Trend Micro recently released a patch for an actively exploited flaw in its endpoint security platform, Apex One. The security software provider published an advisory to report six vulnerabilities and advised their customers to apply the patches immediately. 

The vulnerabilities affect Apex One 2019 (On-prem) and Apex One SaaS products for Windows operating systems.

At Least One Exploitation Attempt in the Wild

There are indications of CVE-2022-40139(CVSS score: 7.2) being actively exploited in the wild. Attackers can remotely execute arbitrary code on computers running unpatched systems due to the vulnerability. It can only be exploited by an attacker who has administration console access. 

The version rollback functionality is the main cause, which lets Apex One agents download untrusted components. 

It is also important to note that other flaws fixed in this release might give users the administrative access needed to exploit CVE-2022-40139. However, there is no evidence that the remaining CVEs addressed in this release have been abused.

Other High Severity Flaws in Apex One

The highest CVSS score in the advisory is 8.2, which is CVE-2022-40144. According to its description, the vulnerability could allow an attacker to falsify request parameters and eventually bypass login authentication

CVE-2022-40142 and CVE-2022-40143 are also flaws that have high severity ratings. They carry the risk of privilege escalation as they allow local attackers to abuse directories. The two flaws require an attacker to initially acquire low-privileged code execution. 

Complete list of vulnerabilities addressed in Trend Micro’s advisory:

CVE

Description

CVSS

CVE-2022-40139

Improper Validation of Rollback Mechanism Components RCE Vulnerability 

7.2

CVE-2022-40140

Origin Validation Error Denial-of-Service Vulnerability

5.5

CVE-2022-40141

Information disclosure vulnerability

5.6

CVE-2022-40142

Agent Link Following Local Privilege Escalation Vulnerability

7.8

CVE-2022-40143

Link Following Local Privilege Escalation Vulnerability

7.3

CVE-2022-40144

Login authentication bypass vulnerability

8.2

Mitigations 

An attacker often needs access to a vulnerable machine, whether physically or remotely, to exploit this kind of vulnerability. 

Customers are advised to assess remote access to essential systems, check current policies and perimeter security, and apply patches and updated solutions on time. 

Users need to update their installation as soon as possible to Apex One Service Pack 1 (Server Build 11092 and Agent Build 11088).