The impact of this issue announcement is medium – high. Please act accordingly to rectify the issue, as stated below.
Trend Micro Apex One and Apex One as a Service (SaaS).
What you need to know:
Trend Micro has announced new patches for Trend Micro Apex One and Apex One as a Service (SaaS) which resolve multiple vulnerabilities related to hard link privilege escalation, out-of-bounds read information disclosure and improper access control.
The disclosed vulnerabilities, CVE-2020-24556, CVE-2020-24557, CVE-2020-24558, and CVE-2020-24559, affect Windows and macOS client platforms in both the on-premise (2019) and SaaS versions of Apex One.
Trend Micro has published the minimum recommended patch and build versions required to address the issue in its August Security Bulletin (https://success.trendmicro.com/solution/000263632).
Actions to be taken:
Trend Micro encourages its customers to obtain the latest version of the product and also check Trend Micro’s download center to obtain prerequisite service packs prior to applying the patches mentioned above.
What is the impact of not taking these actions?
The following are details on the vulnerabilities addressed in the latest patches:
CVE-2020-24556: Trend Micro Apex One Hard Link Privilege Escalation Vulnerability (Windows). A vulnerability in Trend Micro Apex One on Microsoft Windows may allow an attacker to create a hard link to any file on the system, which then could be manipulated to gain a privilege escalation and code execution.
CVE-2020-24557: Trend Micro Apex One Improper Access Control Privilege Escalation. A vulnerability in Trend Micro Apex One on Microsoft Windows may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function and attain privilege escalation.
CVE-2020-24558: Trend Micro Apex One Out-of-Bounds Read Information Disclosure. A vulnerability in a Trend Micro Apex One DLL may allow an attacker to manipulate it to cause an out-of-bounds read that crashes multiple processes in the product.
CVE-2020-24559: Trend Micro Apex One Hard Link Privilege Escalation Vulnerability (macOS). A vulnerability in Trend Micro Apex One on macOS may allow an attacker to manipulate a certain binary to load and run a script from a user-writable folder, which then would allow them to execute arbitrary code as root.