Multiple vulnerabilities in Trend Micro Apex One
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2023-25143 CVE-2023-25144 CVE-2023-25145 CVE-2023-25146 CVE-2023-25147 CVE-2023-25148 |
| CWE-ID | CWE-427 CWE-284 CWE-59 CWE-345 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Apex One Client/Desktop applications / Antivirus software/Personal firewalls |
| Vendor | Trend Micro |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Insecure DLL loading
EUVDB-ID: #VU72092
Risk: High
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-25143
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to the application loads DLL libraries in an insecure manner in the Trend Micro Apex One Server installer. A remote attacker can place a specially crafted .dll file on a remote SMB fileshare, trick the victim into launching the installer file and execute arbitrary code on victim's system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApex One: CP B2049 - 2019
CPE2.3- cpe:2.3:a:trend_micro:apex_one:CP B2049:*:*:*:*:*:*:*
- cpe:2.3:a:trend_micro:apex_one:CP B10071:*:*:*:*:*:*:*
- cpe:2.3:a:trend_micro:apex_one:SP1 b11128:*:*:*:*:*:*:*
https://success.trendmicro.com/dcx/s/solution/000292209?language=en_US
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU72093
Risk: Low
CVSSv4.0: 5.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-25144
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in the Trend Micro Apex One agent. A local user can create arbitrary directories with arbitrary ownership and escalate privileges on the system.
Install updates from vendor's website.
Vulnerable software versionsApex One: CP B2049 - 2019
CPE2.3- cpe:2.3:a:trend_micro:apex_one:CP B2049:*:*:*:*:*:*:*
- cpe:2.3:a:trend_micro:apex_one:CP B10071:*:*:*:*:*:*:*
- cpe:2.3:a:trend_micro:apex_one:SP1 b11128:*:*:*:*:*:*:*
https://success.trendmicro.com/dcx/s/solution/000292209?language=en_US
https://www.zerodayinitiative.com/advisories/ZDI-23-171/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Link following
EUVDB-ID: #VU72094
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-25145
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insecure link following within the NT Apex One RealTime Scan Service. A local user can create a specially crafted link to a critical file on the system and escalate privileges.
Install updates from vendor's website.
Vulnerable software versionsApex One: CP B2049 - 2019
CPE2.3- cpe:2.3:a:trend_micro:apex_one:CP B2049:*:*:*:*:*:*:*
- cpe:2.3:a:trend_micro:apex_one:CP B10071:*:*:*:*:*:*:*
- cpe:2.3:a:trend_micro:apex_one:SP1 b11128:*:*:*:*:*:*:*
https://success.trendmicro.com/dcx/s/solution/000292209?language=en_US
https://www.zerodayinitiative.com/advisories/ZDI-23-174/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Link following
EUVDB-ID: #VU72095
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-25146
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insecure link following within the Apex One NT RealTime Scan service. A local user can create a specially crafted link to a critical file on the system and escalate privileges. MitigationInstall updates from vendor's website.
Vulnerable software versionsApex One: CP B2049 - 2019
CPE2.3- cpe:2.3:a:trend_micro:apex_one:CP B2049:*:*:*:*:*:*:*
- cpe:2.3:a:trend_micro:apex_one:CP B10071:*:*:*:*:*:*:*
- cpe:2.3:a:trend_micro:apex_one:SP1 b11128:*:*:*:*:*:*:*
https://success.trendmicro.com/dcx/s/solution/000292209?language=en_US
https://www.zerodayinitiative.com/advisories/ZDI-23-172/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Insufficient verification of data authenticity
EUVDB-ID: #VU72096
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-25147
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient verification of data authenticity. A local user with administrative privileges can inject a specially crafted .DLL file during the update process.
Install updates from vendor's website.
Vulnerable software versionsApex One: CP B2049 - 2019
CPE2.3- cpe:2.3:a:trend_micro:apex_one:CP B2049:*:*:*:*:*:*:*
- cpe:2.3:a:trend_micro:apex_one:CP B10071:*:*:*:*:*:*:*
- cpe:2.3:a:trend_micro:apex_one:SP1 b11128:*:*:*:*:*:*:*
https://success.trendmicro.com/dcx/s/solution/000292209?language=en_US
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Link following
EUVDB-ID: #VU72097
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-25148
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insecure link following in the security agent. A local user can create a specially crafted link to a critical file on the system and escalate privileges. MitigationInstall updates from vendor's website.
Vulnerable software versionsApex One: CP B2049 - 2019
CPE2.3- cpe:2.3:a:trend_micro:apex_one:CP B2049:*:*:*:*:*:*:*
- cpe:2.3:a:trend_micro:apex_one:CP B10071:*:*:*:*:*:*:*
- cpe:2.3:a:trend_micro:apex_one:SP1 b11128:*:*:*:*:*:*:*
https://success.trendmicro.com/dcx/s/solution/000292209?language=en_US
https://www.zerodayinitiative.com/advisories/ZDI-23-173/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
