Trend Micro Fixes Endpoint Protection Zero-day Used in Attacks

Cyber Security Threat Summary:
Trend Micro fixed a remote code execution zero-day vulnerability in the Trend Micro's Apex One endpoint protection solution that was actively exploited in attacks. Apex One is an endpoint security solution catering to businesses of all sizes, and the 'Worry-Free Business Security' suite is designed for small to medium-sized companies” (Bleeping Computer, 2023).

Tracked as CVE-2023-41179, the arbitrary code execution flaw received a CVSS score of 9.1, deeming it critical. The flaw is due to a third-party installer module that comes supplied with the security software.

In their security advisory, Trend Micro says it has observed at least one active attempt to exploit this vulnerability in the wild. The company is advising customers to update to the latest versions as soon as possible.

Suggested Correction(s):
The flaw impacts the following products:

  • Trend Micro Apex One 2019
  • Trend Micro Apex One SaaS 2019
  • Worry-Free Business Security (WFBS) 10.0 SP1 (sold as Virus Buster Business Security (Biz) in Japan)
  • Worry-Free Business Security Services (WFBSS) 10.0 SP1 (sold as Virus Buster Business Security Services (VBBSS) in Japan)
Fixes were made available in the following releases:
  • Apex One 2019 Service Pack 1 – Patch 1 (Build 12380)
  • Apex One SaaS 14.0.12637
  • WFBS Patch 2495
  • WFBSS July 31 update
Suggested Correction(s):
A mitigating factor is that to exploit CVE-2023-41179, the attacker must have previously stolen the product's management console credentials and used them to log in. "Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine," explains Trend Micro.

Japan CERT has also issued an advisory surrounding the vulnerability, noting active exploitation of the flaw. "If the vulnerability is exploited, an attacker who can log in to the product's administration console may execute arbitrary code with the system privilege on the PC where the security agent is installed," explains JPCERT.

An effective workaround is limiting access to the product's administration console to trusted networks, locking out rogue actors who attempt to access the endpoint from external, arbitrary locations. However, ultimately, admins need to install the security updates to prevent threat actors who already breached a network from utilizing the flaw to spread laterally to other devices.