CVE-2020-8467, CVE-2020-8468: Vulnerabilities in Trend Micro Apex One and OfficeScan Exploited in the Wild
Attempts to exploit multiple vulnerabilities in Trend Micro Apex One and OfficeScan observed in the wild.
Antecedentes
On March 16, Trend Micro published a security bulletin to address five vulnerabilities in its endpoint security solutions, Apex One and OfficeScan, including two vulnerabilities that were exploited in the wild. Trend Micro Research is credited with the discovery of these vulnerabilities.
Análisis
Multiple vulnerabilities exploited in the wild
CVE-2020-8467 is a vulnerability in Apex One and OfficeScan in a component of a migration tool. A remote, authenticated attacker could exploit this vulnerability and gain arbitrary code execution on affected Apex One and OfficeScan installations.
CVE-2020-8468 is a vulnerability in the Apex One and OfficeScan agents as a result of a content validation escape. An authenticated attacker could exploit the vulnerability to “manipulate certain agent client components.”
Trend Micro says they are aware of “at least one active attempt” to exploit these vulnerabilities in the wild. Details about these exploitation attempts are unknown.
Additional critical vulnerabilities patched
In addition to these two vulnerabilities, Trend Micro patched three other critical vulnerabilities that do not require authentication.
CVE-2020-8470 is a vulnerability in Apex One and OfficeScan server due to the presence of a vulnerable service DLL file. Exploitation would grant an attacker SYSTEM level privileges, allowing them to delete any file on the server.
CVE-2020-8598 is another vulnerability in Apex One and OfficeScan server due to the presence of a vulnerable service DLL file. A remote, unauthenticated attacker could exploit this vulnerability and gain arbitrary code execution with SYSTEM level privileges.
CVE-2020-8599 is a vulnerability in Apex One and OfficeScan server due to the presence of a vulnerable executable file. Exploitation of this vulnerability would grant an attacker the ability to bypass ROOT login and allow them to "write arbitrary data to an arbitrary path" on the system.
Trend Micro assigned the maximum CVSS score of 10 to these three vulnerabilities, though they note they are unaware of attempts to exploit them in the wild.
Attackers target OfficeScan
This isn’t the first time attackers have targeted Trend Micro products. In October 2019, Trend Micro published a security bulletin for CVE-2019-18187, a directory traversal vulnerability in OfficeScan. According to their bulletin, they had observed active attempts to exploit the flaw in the wild.
Customers running these products should be aware that attackers will continue to exploit these vulnerabilities and search for other, undiscovered vulnerabilities in these products.
Prueba de concepto
At the time this blog post was published, there was no proof-of-concept code available for any of the vulnerabilities patched.
Solución
Trend Micro released fixes for Apex One and OfficeScan. The following table contains a list of affected versions and the associated patched version.
| Producto | Affected Version | Patched Version | Plataforma |
|---|---|---|---|
| Apex One | 2019 | CP 2117 | Windows |
| OfficeScan | XG SP1 | XG SP1 CP 5474 | Windows |
| OfficeScan | XG (non-SP) | XG CP 1988 | Windows |
Customers running vulnerable versions of Apex One and OfficeScan should apply these patches as soon as possible.
Identificación de los sistemas afectados
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Obtenga más información
- March 16, 2020: Trend Micro Security Bulletin for Apex One and OfficeScan
- October 28, 2019: Trend Micro Security Bulletin for OfficeScan
Únase al Equipo de respuesta de seguridad de Tenable en Tenable Community.
Obtenga más información sobre Tenable, la primera plataforma de Cyber Exposure para el control integral de la superficie de ataque moderna.
Obtenga una prueba gratuita por 30 días de Tenable.io Vulnerability Management.
Artículos relacionados
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Cybersecurity Snapshot: U.S. Gov’t Unpacks AI Threat to Banks, as NCSC Urges OT Teams to Protect Cloud SCADA Systems
March 29, 2024Check out new guidance for banks on combating AI-boosted fraud. Plus, how to cut cyber risk when migrating SCADA systems to the cloud. Meanwhile, why CISA is fed up with SQLi flaws. And best practices to prevent and respond to DDoS attacks. And much more!
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Navigating Security Challenges Around OT in the DoD’s Manufacturing Lines
April 15, 2024How operational technology can revolutionize logistics, supply chain management, and overall efficiency.
CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
April 12, 2024A critical severity command injection vulnerability in Palo Alto Networks PAN-OS has been exploited in limited targeted attacks. While a fix is not yet available, patches are expected to be released on April 14 and mitigation steps are available.
- Vulnerability Management