JVNDB-2021-002077

Multiple vulnerabilities in multiple Trend Micro Endpoint security products for enterprises

Multiple Endpoint security products for enterprises provided by Trend Micro Incorporated contain multiple vulnerabilities listed below.

* Incorrect Permission Assignment (CWE-732) - CVE-2021-32464
* Improper Preservation of Permissions (CWE-281) - CVE-2021-32465
* Improper Input Validation (CWE-20) - CVE-2021-36741
* Improper Input Validation (CWE-20) - CVE-2021-36742

Trend Micro Incorporated states that attacks against CVE-2021-36741 and CVE-2021-36742 have been observed.

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Trend Micro, Inc.

• Apex One On Premise (2019) prior to Build 9601
• Apex One as a Service prior to Build 202107
• Worry-Free Business Security 10 SP1 prior to Build 2329
• Worry-Free Business Security Services prior to 6.7.1538 / 14.2.1295

For details on products affected by this vulnerability, please refer to the Vendor Information and References.

* An attacker who can log in to the OS where the product is running may obtain SYSTEM privileges and as a result, a specific script may be altered - CVE-2021-32464
* A remote attacker who can log in to the OS where the product is running may bypass login authentication - CVE-2021-32465
* A remote attacker who can log in to the product may upload arbitrary files - CVE-2021-36741
* An attacker who can log in to the OS where the product is running may obtain SYSTEM privileges - CVE-2021-36742

[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released the patches listed below that contain a fix for these vulnerabilities.

* Apex One On Premise (2019) Critical Patch B9601
* Worry-Free Business Security 10 SP1 Patch B2329
* Worry-Free Business Security Services 6.7.1538 / 14.2.1295 and later

The issues in Apex One as a Service are already fixed in the July 21th, 2021 updates.

[Apply the Workaround]
Applying the following workaround may mitigate the impact of these vulnerabilities.

* Permit access to the product to only trusted network

Trend Micro, Inc.

• TrendMicro Solution : SECURITY BULLETIN: July 28, 2021, Security Bulletin for Trend Micro Apex One and Apex One as a Service
• TrendMicro Solution : SECURITY BULLETIN: July 28, 2021, Security Bulletin for Worry-Free Business Security
• TrendMicro Solution : SECURITY BULLETIN: Trend Micro Worry-Free Business Security Services Incorrect Permission Assignment Privilege Escalation Vulnerability
• TrendMicro Support : [Alert] Apply the latest Critical Patches; An attack exploiting the vulnerabilities (CVE-2021-36741, CVE-2021-36742) in Trend Micro products has been observed (in Japanese)

1. Improper Input Validation(CWE-20) [Other]
2. Improper Preservation of Permissions(CWE-281) [Other]
3. Incorrect Permission Assignment for Critical Resource(CWE-732) [Other]

1. CVE-2021-32464
2. CVE-2021-32465
3. CVE-2021-36741
4. CVE-2021-36742

1. JVN : JVNVU#93876919
2. National Vulnerability Database (NVD) : CVE-2021-32464
3. National Vulnerability Database (NVD) : CVE-2021-32465
4. National Vulnerability Database (NVD) : CVE-2021-36742
5. National Vulnerability Database (NVD) : CVE-2021-36741
6. JPCERT : JPCERT-AT-2021-0033 (in Japanese)
7. CISA Known Exploited Vulnerabilities Catalog : CVE-2021-36741, CVE-2021-36742

• [2021/08/04]
    Web page was published