CVE-2020-8467, CVE-2020-8468: Vulnerabilities in Trend Micro Apex One and OfficeScan Exploited in the Wild

Attempts to exploit multiple vulnerabilities in Trend Micro Apex One and OfficeScan observed in the wild.

Background

On March 16, Trend Micro published a security bulletin to address five vulnerabilities in its endpoint security solutions, Apex One and OfficeScan, including two vulnerabilities that were exploited in the wild. Trend Micro Research is credited with the discovery of these vulnerabilities.

Analysis

Multiple vulnerabilities exploited in the wild

CVE-2020-8467 is a vulnerability in Apex One and OfficeScan in a component of a migration tool. A remote, authenticated attacker could exploit this vulnerability and gain arbitrary code execution on affected Apex One and OfficeScan installations.

CVE-2020-8468 is a vulnerability in the Apex One and OfficeScan agents as a result of a content validation escape. An authenticated attacker could exploit the vulnerability to “manipulate certain agent client components.”

Trend Micro says they are aware of “at least one active attempt” to exploit these vulnerabilities in the wild. Details about these exploitation attempts are unknown.

Additional critical vulnerabilities patched

In addition to these two vulnerabilities, Trend Micro patched three other critical vulnerabilities that do not require authentication.

CVE-2020-8470 is a vulnerability in Apex One and OfficeScan server due to the presence of a vulnerable service DLL file. Exploitation would grant an attacker SYSTEM level privileges, allowing them to delete any file on the server.

CVE-2020-8598 is another vulnerability in Apex One and OfficeScan server due to the presence of a vulnerable service DLL file. A remote, unauthenticated attacker could exploit this vulnerability and gain arbitrary code execution with SYSTEM level privileges.

CVE-2020-8599 is a vulnerability in Apex One and OfficeScan server due to the presence of a vulnerable executable file. Exploitation of this vulnerability would grant an attacker the ability to bypass ROOT login and allow them to "write arbitrary data to an arbitrary path" on the system.

Trend Micro assigned the maximum CVSS score of 10 to these three vulnerabilities, though they note they are unaware of attempts to exploit them in the wild.

Attackers target OfficeScan

This isn’t the first time attackers have targeted Trend Micro products. In October 2019, Trend Micro published a security bulletin for CVE-2019-18187, a directory traversal vulnerability in OfficeScan. According to their bulletin, they had observed active attempts to exploit the flaw in the wild.

Customers running these products should be aware that attackers will continue to exploit these vulnerabilities and search for other, undiscovered vulnerabilities in these products.

Proof of concept

At the time this blog post was published, there was no proof-of-concept code available for any of the vulnerabilities patched.

Solution

Trend Micro released fixes for Apex One and OfficeScan. The following table contains a list of affected versions and the associated patched version.

Customers running vulnerable versions of Apex One and OfficeScan should apply these patches as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

• March 16, 2020: Trend Micro Security Bulletin for Apex One and OfficeScan
• October 28, 2019: Trend Micro Security Bulletin for OfficeScan

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.