CVE-2020-8467, CVE-2020-8468: Vulnerabilities in Trend Micro Apex One and OfficeScan Exploited in the Wild
Attempts to exploit multiple vulnerabilities in Trend Micro Apex One and OfficeScan observed in the wild.
Contexte
On March 16, Trend Micro published a security bulletin to address five vulnerabilities in its endpoint security solutions, Apex One and OfficeScan, including two vulnerabilities that were exploited in the wild. Trend Micro Research is credited with the discovery of these vulnerabilities.
Analyse
Multiple vulnerabilities exploited in the wild
CVE-2020-8467 is a vulnerability in Apex One and OfficeScan in a component of a migration tool. A remote, authenticated attacker could exploit this vulnerability and gain arbitrary code execution on affected Apex One and OfficeScan installations.
CVE-2020-8468 is a vulnerability in the Apex One and OfficeScan agents as a result of a content validation escape. An authenticated attacker could exploit the vulnerability to “manipulate certain agent client components.”
Trend Micro says they are aware of “at least one active attempt” to exploit these vulnerabilities in the wild. Details about these exploitation attempts are unknown.
Additional critical vulnerabilities patched
In addition to these two vulnerabilities, Trend Micro patched three other critical vulnerabilities that do not require authentication.
CVE-2020-8470 is a vulnerability in Apex One and OfficeScan server due to the presence of a vulnerable service DLL file. Exploitation would grant an attacker SYSTEM level privileges, allowing them to delete any file on the server.
CVE-2020-8598 is another vulnerability in Apex One and OfficeScan server due to the presence of a vulnerable service DLL file. A remote, unauthenticated attacker could exploit this vulnerability and gain arbitrary code execution with SYSTEM level privileges.
CVE-2020-8599 is a vulnerability in Apex One and OfficeScan server due to the presence of a vulnerable executable file. Exploitation of this vulnerability would grant an attacker the ability to bypass ROOT login and allow them to "write arbitrary data to an arbitrary path" on the system.
Trend Micro assigned the maximum CVSS score of 10 to these three vulnerabilities, though they note they are unaware of attempts to exploit them in the wild.
Attackers target OfficeScan
This isn’t the first time attackers have targeted Trend Micro products. In October 2019, Trend Micro published a security bulletin for CVE-2019-18187, a directory traversal vulnerability in OfficeScan. According to their bulletin, they had observed active attempts to exploit the flaw in the wild.
Customers running these products should be aware that attackers will continue to exploit these vulnerabilities and search for other, undiscovered vulnerabilities in these products.
Démonstration de faisabilité (PoC)
At the time this blog post was published, there was no proof-of-concept code available for any of the vulnerabilities patched.
Solution
Trend Micro released fixes for Apex One and OfficeScan. The following table contains a list of affected versions and the associated patched version.
| Produit | Affected Version | Patched Version | Plateforme |
|---|---|---|---|
| Apex One | 2019 | CP 2117 | Windows |
| OfficeScan | XG SP1 | XG SP1 CP 5474 | Windows |
| OfficeScan | XG (non-SP) | XG CP 1988 | Windows |
Customers running vulnerable versions of Apex One and OfficeScan should apply these patches as soon as possible.
Identification des systèmes affectés
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Où trouver plus d'informations
- March 16, 2020: Trend Micro Security Bulletin for Apex One and OfficeScan
- October 28, 2019: Trend Micro Security Bulletin for OfficeScan
Rejoignez l'équipe SRT de Tenable sur Tenable Community.
Apprenez-en plus sur Tenable, la première plateforme de Cyber Exposure qui vous permet de gérer votre surface d'attaque moderne de manière globale.
Profitez d'un essai gratuit de 30 jours de Tenable.io Vulnerability Management.
Articles connexes
CVE-2024-47575: Frequently Asked Questions About FortiJump Zero-Day in FortiManager and FortiManager Cloud
October 23, 2024Frequently asked questions about a zero-day vulnerability in Fortinet’s FortiManager that has reportedly been exploited in the wild.
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
October 22, 2024Twenty five years after the launch of CVE, the Tenable Security Response Team has handpicked 25 vulnerabilities that stand out for their significance.
Oracle October 2024 Critical Patch Update Addresses 198 CVEs
October 15, 2024Oracle addresses 198 CVEs in its fourth quarterly update of 2024 with 334 patches, including 35 critical updates.
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates
October 25, 2024Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.
- Vulnerability Management