The impact of this issue is high. Please act accordingly to rectify it, as stated below.
|Product|Version|Platform|Language|
|---|---|---|---|
|Deep Security Manager*|Version 12.0|Windows|English|
|Vulnerability Protection|Version 2.0 SP2|Windows|English|
*Please note, Trend Micro Cloud One Workload Security (formerly known as Deep Security as a Service) is not vulnerable to these security issues.
What you need to know:
Trend Micro has released critical patches to address vulnerabilities discovered in its products, specifically Deep Security Manager and Vulnerability Protection. These include:
CVE-2020-8602: Deep Security Manager and Vulnerability Protection Integrity Verification Bypass
CVSSv3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
“A vulnerability in the affected products’ management console may allow an authenticated attacker with full control privileges to bypass file integrity checks, leading to remote code execution.”
CVE-2020-15601: Deep Security Manager and Vulnerability Protection LDAP Authentication Bypass
CVSSv3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
“If LDAP authentication is enabled, an unauthenticated attacker with prior knowledge of the targeted organisation may be able to bypass manager authentication.
Enabling multi-factor authentication prevents this attack.
Installations using manager native authentication or SAML authentication are not impacted by this vulnerability.”
Actions to be taken:
Administrators need to install the latest version of Deep Security and Vulnerability Protection to address the vulnerabilities described above.
The table below shows the latest version and link to Trend Micro’s download site:
|Product|Latest version|Notes|Platform|
|---|---|---|---|
|Deep Security Manager|Version 12.0 U11|Readme|Windows|
|Deep Security Manager|Version 11.0 U22|Readme|Windows|
|Deep Security Manager|Version 10.0 U27|Readme|Windows|
|Vulnerability Protection|Version 2.0 SP2 Patch7 CP5|Readme|Windows|
What is the impact of not doing the actions?
If these vulnerabilities are exploited, attackers could gain full access to and control of the Deep Security and Vulnerability Protection management console, which could lead to remote code execution.