|
[Japanese]
|
JVNDB-2021-002077
|
Multiple vulnerabilities in multiple Trend Micro Endpoint security products for enterprises
|
|
Multiple Endpoint security products for enterprises provided by Trend Micro Incorporated contain multiple vulnerabilities listed below.
* Incorrect Permission Assignment (CWE-732) - CVE-2021-32464
* Improper Preservation of Permissions (CWE-281) - CVE-2021-32465
* Improper Input Validation (CWE-20) - CVE-2021-36741
* Improper Input Validation (CWE-20) - CVE-2021-36742
Trend Micro Incorporated states that attacks against CVE-2021-36741 and CVE-2021-36742 have been observed.
Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
|
|
CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2021-32464
|
CVSS V3 Severity:
Base Metrics:7.5 (High) [Other]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2021-32465
|
CVSS V3 Severity:
"Base Metrics:7.1 (High) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact:
The above CVSS base scores have been assigned for CVE-2021-36741
|
CVSS V3 Severity:
Base Metrics:7.8 (High) [Other]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2021-36742
|
|
|
Trend Micro, Inc.
- Apex One On Premise (2019) prior to Build 9601
- Apex One as a Service prior to Build 202107
- Worry-Free Business Security 10 SP1 prior to Build 2329
- Worry-Free Business Security Services prior to 6.7.1538 / 14.2.1295
|
For details on products affected by this vulnerability, please refer to the Vendor Information and References.
|
|
* An attacker who can log in to the OS where the product is running may obtain SYSTEM privileges and as a result, a specific script may be altered - CVE-2021-32464
* A remote attacker who can log in to the OS where the product is running may bypass login authentication - CVE-2021-32465
* A remote attacker who can log in to the product may upload arbitrary files - CVE-2021-36741
* An attacker who can log in to the OS where the product is running may obtain SYSTEM privileges - CVE-2021-36742
|
|
[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released the patches listed below that contain a fix for these vulnerabilities.
* Apex One On Premise (2019) Critical Patch B9601
* Worry-Free Business Security 10 SP1 Patch B2329
* Worry-Free Business Security Services 6.7.1538 / 14.2.1295 and later
The issues in Apex One as a Service are already fixed in the July 21th, 2021 updates.
[Apply the Workaround]
Applying the following workaround may mitigate the impact of these vulnerabilities.
* Permit access to the product to only trusted network
|
|
Trend Micro, Inc.
|
|
- Improper Input Validation(CWE-20) [Other]
- Improper Preservation of Permissions(CWE-281) [Other]
- Incorrect Permission Assignment for Critical Resource(CWE-732) [Other]
|
|
- CVE-2021-32464
- CVE-2021-32465
- CVE-2021-36741
- CVE-2021-36742
|
|
- JVN : JVNVU#93876919
- JPCERT : JPCERT-AT-2021-0033 (in Japanese)
|
|
- [2021/08/04]
Web page was published
|
