The impact of this issue is high. Please take the actions stated below to rectify it.
Apex One On-Premise (2019) and SaaS
What you need to know:
Multiple vulnerabilities have been disclosed in Trend Micro's Apex One product, including out-of-bounds read information disclosure, authentication bypass, and issues with a server migration tool component. Patches have been released to address these vulnerabilities.
Details about the vulnerabilities that were addressed by the patch are below:
CVE-2020-24563: Trend Micro Apex One Authentication Bypass Vulnerability
CVSSv3: 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
A vulnerability in Trend Micro Apex One may allow an attacker to manipulate the process of the security agent unload option (if configured), which could then be used to gain privilege escalation and code execution.
CVE-2020-24564, CVE-2020-24565, CVE-2020-25770, CVE-2020-25771, CVE-2020-25772: Trend Micro Apex One Out-of-Bounds Read Information Disclosure Vulnerabilities
CVSSv3: 5.6: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H/E:P/CR:L/IR:L/AR:L
Several out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow an attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product.
CVE-2020-25773: Trend Micro Apex One ServerMigrationTool DAT File Parsing Double Free Remote Code Execution Vulnerability
CVSSv3: 7.8: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
A vulnerability in the Trend Micro Apex One ServerMigrationTool component could allow an attacker to execute arbitrary code on affected products.
User interaction is required to exploit this vulnerability in that the target must import a corrupted configuration file.
CVE-2020-25774: Trend Micro Apex One ServerMigrationTool ZIP File Parsing Out-of-Bounds Read Information Disclosure Vulnerability
CVSSv3: 3.3: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
A vulnerability in the Trend Micro Apex One ServerMigrationTool component could allow an attacker to trigger an out-of-bounds read information disclosure, which would disclose sensitive information to an unprivileged account.
An attacker must first obtain the ability to bypass authentication on the target.
Actions to be taken:
Trend Micro urges administrators to install this patch.
What is the impact of not doing the actions?
Even though the vulnerabilities described above would require an attacker to have access (physical or remote) to a vulnerable machine, once they are exploited, an attacker would be able to disclose sensitive information to an unprivileged account on vulnerable installations of the product.