CVE-2022-40139: Vulnerability in Trend Micro Apex One Exploited in the Wild
Trend Micro has patched six vulnerabilities in its Apex One on-prem and software-as-a-service products, one of which has been exploited in the wild.
Background
On September 2, Trend Micro released an advisory for several vulnerabilities in its Apex One and Apex One software-as-a-service (SaaS) products which are used for agent-based threat detection and response.
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2022-40139 | Improper validation vulnerability in rollback functionality component | 7.2 |
| CVE-2022-40140 | Source validation error vulnerability leading to denial of service | 5.5 |
| CVE-2022-40141 | Information disclosure vulnerability | 5.6 |
| CVE-2022-40142 | Agent link interpretation vulnerability leading to privilege escalation | 7.8 |
| CVE-2022-40143 | Link interpretation vulnerability leading to privilege escalation | 7.3 |
| CVE-2022-40144 | Login authentication bypass vulnerability | 8.2 |
There is a fairly robust history of Apex One zero days. A little over a year ago, Trend Micro disclosed reports of two other zero days: CVE-2021-36741, an arbitrary file upload vulnerability, and CVE-2021-36742, a local privilege escalation. The Cybersecurity and Infrastructure Security Agency lists six vulnerabilities in Apex One in its Catalog of Known Exploited Vulnerabilities (KEV).
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2020-8467 | Remote code execution | 8.8 |
| CVE-2020-8468 | Content validation escape | 8.8 |
| CVE-2020-24557 | Privilege escalation | 7.8 |
| CVE-2020-8599 | Arbitrary file upload vulnerability | 9.8 |
| CVE-2021-36742 | Local privilege escalation (KEV lists as arbitrary file upload) | 7.8 |
| CVE-2021-36741 | Arbitrary file upload vulnerability | 8.8 |
Analysis
CVE-2022-40139 is an improper validation vulnerability in the “rollback” functionality which is used to revert Apex One agents to older versions. The vulnerability exists because Apex One agents are able download unverified components which could lead to code execution. While this vulnerability can only be exploited by an attacker with access to the Apex One administrative console, there have been reports of active exploitation.
It is also worth noting that other vulnerabilities patched in this release (and legacy vulnerabilities) could provide the administrative access required to exploit CVE-2022-40139. However, there is no indication that the other CVEs patched in this release have been exploited, yet.
Solution
The specific versions to resolve these vulnerabilities are listed below, though Trend Micro’s advisory notes that some of the vulnerabilities disclosed may have been patched in earlier releases for the SaaS product.
| Vulnerable Product | Updated version |
|---|---|
| Apex One 2019 for Windows On-Prem | Apex One SP1 (b11092/11088) |
| Apex One (SaaS) for Windows | August 2022 Monthly Patch(202208) |
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities can be found here.
Get more information
- Trend Micro Apex One September 2022 Security Bulletin
- Trend Micro Apex One July 2021 Security Bulletin
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Related Articles
Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates
October 25, 2024Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.
Cybersecurity Snapshot: Tenable Report Warns About Toxic Cloud Exposures, as PwC Study Urges C-Suite Collaboration for Stronger Cyber Resilience
October 18, 2024Check out invaluable cloud security insights and recommendations from the “Tenable Cloud Risk Report 2024.” Plus, a PwC study says increased collaboration between CISOs and fellow CxOs boosts cyber resilience. Meanwhile, a report finds the top cyber skills gaps are in cloud security and AI. And get the latest on SBOMs; CIS Benchmarks; and cyber pros’ stress triggers.
Tenable Ranked #1 in the Device Vulnerability Management Market for the Sixth Consecutive Year in IDC's Market Shares Report
October 10, 2024The research firm’s latest report also provides advice for technology suppliers that they can use to improve their vulnerability management strategy.
Securing Financial Data in the Cloud: How Tenable Can Help
November 4, 2024Preventing data loss, complying with regulations, automating workflows and managing access are four key challenges facing financial institutions. Learn how Tenable can help.
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
- Risk-based Vulnerability Management
- Vulnerability Management