Trend Micro fixed a remote code execution zero-day vulnerability in the Trend Micro’s Apex One endpoint protection solution that was actively exploited in attacks.
Apex One is an endpoint security solution catering to businesses of all sizes, and the ‘Worry-Free Business Security’ suite is designed for small to medium-sized companies.
The arbitrary code execution flaw is tracked as CVE-2023-41179 and has received a severity rating of 9.1 according to CVSS v3, categorizing it as “critical.”
The flaw exists in a third-party uninstaller module supplied with the security software.
“Trend Micro has observed at least one active attempt of potential attacks against this vulnerability in the wild,” reads the security bulletin.
“Customers are strongly encouraged to update to the latest versions as soon as possible.”
The flaw impacts the following products:
- Trend Micro Apex One 2019
- Trend Micro Apex One SaaS 2019
- Worry-Free Business Security (WFBS) 10.0 SP1 (sold as Virus Buster Business Security (Biz) in Japan)
- Worry-Free Business Security Services (WFBSS) 10.0 SP1 (sold as Virus Buster Business Security Services (VBBSS) in Japan)
Fixes were made available in the following releases:
- Apex One 2019 Service Pack 1 – Patch 1 (Build 12380)
- Apex One SaaS 14.0.12637
- WFBS Patch 2495
- WFBSS July 31 update
A mitigating factor is that to exploit CVE-2023-41179, the attacker must have previously stolen the product’s management console credentials and used them to log in.
“Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine,” explains Trend Micro.
The Japanese CERT has also issued an alert about the active exploitation of the flaw, urging users of the impacted software to upgrade to a secure release as soon as possible.
“If the vulnerability is exploited, an attacker who can log in to the product’s administration console may execute arbitrary code with the system privilege on the PC where the security agent is installed,” explains JPCERT.
An effective workaround is limiting access to the product’s administration console to trusted networks, locking out rogue actors who attempt to access the endpoint from external, arbitrary locations.
However, ultimately, admins need to install the security updates to prevent threat actors who already breached a network from utilizing the flaw to spread laterally to other devices.