Trend Micro has found and fixed several critical vulnerabilities in its products, two of which it warned are being exploited in the wild.
The security giant released patches for Apex One and OfficeScan XG on Windows, urging customers to upgrade to the latest versions “as soon as possible.”
CVE-2020-8467 is a critical zero-day vulnerability in the migration tool component of Trend Micro Apex One and OfficeScan. It could allow remote attackers to execute arbitrary code on affected machines.
CVE-2020-8468 is rated CVSS 8.0 (high) and is described as a “content validation escape vulnerability which could allow an attacker to manipulate certain agent client components” in the OfficeScan and Apex One agents.
Exploiting either of these zero-days requires user authentication first.
The remaining three vulnerabilities are all rated critical. CVE-2020-8470 is a bug in the Apex One and OfficeScan server, or more specifically, a vulnerable service DLL file that could allow an attacker to delete any file on the server with system-level privileges.
CVE-2020-8598 also stems from a vulnerable service DLL file, but this time one which could allow a remote attacker to execute arbitrary code on affected installations with system-level privileges.
CVE-2020-8599 relates to a vulnerable exe file on the Apex One/OfficeScan server which could allow a remote attacker “to write arbitrary data to an arbitrary path on affected installations and bypass root login.”
All three can be exploited without authentication.
“Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. Customers are encouraged to review and ensure the product servers and management consoles are restricted to trusted networks and/or users as appropriate,” the security update noted.
“In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date.”
Trend Micro Research discovered the vulnerabilities in question.
Such discoveries are not uncommon in an industry more focused than most on ensuring products are bug-free. A few years back, flaws were found in offerings from 11 separate security vendors.