CVE-2020-8467, CVE-2020-8468: Vulnerabilities in Trend Micro Apex One and OfficeScan Exploited in the Wild

Attempts to exploit multiple vulnerabilities in Trend Micro Apex One and OfficeScan observed in the wild.

Contexte

On March 16, Trend Micro published a security bulletin to address five vulnerabilities in its endpoint security solutions, Apex One and OfficeScan, including two vulnerabilities that were exploited in the wild. Trend Micro Research is credited with the discovery of these vulnerabilities.

Analyse

Multiple vulnerabilities exploited in the wild

CVE-2020-8467 is a vulnerability in Apex One and OfficeScan in a component of a migration tool. A remote, authenticated attacker could exploit this vulnerability and gain arbitrary code execution on affected Apex One and OfficeScan installations.

CVE-2020-8468 is a vulnerability in the Apex One and OfficeScan agents as a result of a content validation escape. An authenticated attacker could exploit the vulnerability to “manipulate certain agent client components.”

Trend Micro says they are aware of “at least one active attempt” to exploit these vulnerabilities in the wild. Details about these exploitation attempts are unknown.

Additional critical vulnerabilities patched

In addition to these two vulnerabilities, Trend Micro patched three other critical vulnerabilities that do not require authentication.

CVE-2020-8470 is a vulnerability in Apex One and OfficeScan server due to the presence of a vulnerable service DLL file. Exploitation would grant an attacker SYSTEM level privileges, allowing them to delete any file on the server.

CVE-2020-8598 is another vulnerability in Apex One and OfficeScan server due to the presence of a vulnerable service DLL file. A remote, unauthenticated attacker could exploit this vulnerability and gain arbitrary code execution with SYSTEM level privileges.

CVE-2020-8599 is a vulnerability in Apex One and OfficeScan server due to the presence of a vulnerable executable file. Exploitation of this vulnerability would grant an attacker the ability to bypass ROOT login and allow them to "write arbitrary data to an arbitrary path" on the system.

Trend Micro assigned the maximum CVSS score of 10 to these three vulnerabilities, though they note they are unaware of attempts to exploit them in the wild.

Attackers target OfficeScan

This isn’t the first time attackers have targeted Trend Micro products. In October 2019, Trend Micro published a security bulletin for CVE-2019-18187, a directory traversal vulnerability in OfficeScan. According to their bulletin, they had observed active attempts to exploit the flaw in the wild.

Customers running these products should be aware that attackers will continue to exploit these vulnerabilities and search for other, undiscovered vulnerabilities in these products.

Démonstration de faisabilité (PoC)

At the time this blog post was published, there was no proof-of-concept code available for any of the vulnerabilities patched.

Solution

Trend Micro released fixes for Apex One and OfficeScan. The following table contains a list of affected versions and the associated patched version.

Customers running vulnerable versions of Apex One and OfficeScan should apply these patches as soon as possible.

Identification des systèmes affectés

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Où trouver plus d'informations

• March 16, 2020: Trend Micro Security Bulletin for Apex One and OfficeScan
• October 28, 2019: Trend Micro Security Bulletin for OfficeScan

Rejoignez l'équipe SRT de Tenable sur Tenable Community.

Apprenez-en plus sur Tenable, la première plateforme de Cyber Exposure qui vous permet de gérer votre surface d'attaque moderne de manière globale.

Profitez d'un essai gratuit de 30 jours de Tenable.io Vulnerability Management.