JVNDB-2024-014079

Trend Micro Deep Security Agent for Windows and Deep Security Notifier on DSVA vulnerable to OS command injection

Overview

Trend Micro Incorporated has released security updates for Deep Security Agent (for Windows) and Deep Security Notifier on DSVA (for Windows VM) to fix an OS command injection vulnerability (CWE-78, CVE-2024-48903).

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN.

Affected Products


Trend Micro, Inc.
  • Deep Security Agent (for Windows) versions prior to 20.0.1-21510
  • Deep Security Notifier on DSVA (for Windows VM) version 20.0.0-8438 only

Impact

A non-administrative user of the Windows system where the affected product is installed may execute arbitrary code with SYSTEM privileges.
Under certain conditions, and if the attacking user has been granted the relevant domain access, a command injection attack may be executed against other Windows systems in the same domain.
Solution

[Update the software]
Update Deep Security Agent to the latest version.
The vulnerability has been addressed in the following version:

* Deep Security Agent 20.0.1-21510 (20 LTS Update 2024-10-16)

To update Deep Security Notifier on DSVA (for Windows VM), install the Deep Security Agent 20.0.1 full package.

For more details, refer to the information provided by the developer.
Vendor Information

Trend Micro, Inc.
CWE

  1. OS Command Injection (CWE-78) [Other]
CVE

  1. CVE-2024-51503
References

  1. JVN : JVNVU#93693807
Revision History

  • [2024/12/06]
      Web page was published