Earlier this week Trend Micro patched two zero-day vulnerabilities in its products that attackers are already exploiting in the wild. Three further bugs in the same products were fixed at the same time; those are not yet known to be under attack.
The company has not yet disclosed details of the attacks it recorded; it is only known that the exploited flaws affect the corporate endpoint security products Apex One and OfficeScan XG.
“Trend Micro has released Critical Patches (CP) for Trend Micro Apex One and OfficeScan XG that resolve multiple vulnerabilities in the product – including some critical (CVSS 9.1 & 10) ones. Please note – Trend Micro has observed active attempts of potential attacks against at least one of these vulnerabilities in the wild (ITW). Customers are strongly encouraged to update to the latest versions as soon as possible,” Trend Micro's advisory says.
The first zero-day, CVE-2020-8467 (CVSS 9.1), lies in a migration tool component of Trend Micro Apex One and OfficeScan and allows remote attackers to execute arbitrary code on affected installations. The attack does, however, require the attacker to be authenticated to the product.
The second bug under active attack, CVE-2020-8468 (CVSS 8.0), also affects Apex One and OfficeScan. It is a content-validation escape: the agent does not validate content correctly, which lets an attacker manipulate certain components of the client agent. This attack likewise requires authentication.
Judging by these descriptions, both bugs were used either to disable the security product or to escalate the privileges of attackers who had already gained a foothold on the system by other means.
Alongside these two, the company also fixed three bugs that are no less dangerous, CVE-2020-8470, CVE-2020-8598 and CVE-2020-8599, each rated 10 out of 10 on the CVSSv3 scale. A score that high means they can be exploited remotely over the network without any authentication and, on success, hand the attacker full control over the product's server.
“Currently Trend Micro has not discovered any attempted exploits of these vulnerabilities,” the developers said.
This year's champion of blunders among antivirus vendors is Avast, which went as far as leaking customer data to third parties. Trend Micro, however, took a number of reputational hits last year as well: for example, hackers exploited a vulnerability in its product (the OfficeScan directory traversal CVE-2019-18187) in the widely reported breach of Mitsubishi Electric's servers.
Mitigating Factors
Customers are encouraged to review and ensure the product servers and management consoles are restricted to trusted networks and/or users as appropriate.
Even though an exploit may require several specific conditions to be met, due to the critical nature of these vulnerabilities, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.
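Since the fix-it-now advice above hinges on keeping the server and console off untrusted networks until the Critical Patch is applied, here is one way to enforce that on the Windows host with Windows Defender Firewall. This is an added example, not code from Trend Micro or from the bulletin. The console ports (8080 for HTTP, 4343 for HTTPS) are assumed to be the product defaults and must be confirmed on the actual server, and 10.10.50.0/24 is a placeholder for the administrators' network.

```powershell
# Added example (not from the Trend Micro bulletin): restrict the Apex One /
# OfficeScan XG management console to trusted subnets with Windows Defender
# Firewall, and list any rule that still exposes it.
#
# ASSUMPTIONS (adjust to your deployment):
#   - 8080 (HTTP) and 4343 (HTTPS) are assumed to be the console ports in use;
#     confirm what the server actually listens on (e.g. with netstat -ano).
#   - 10.10.50.0/24 is a placeholder for the administrators' network.
$ConsolePorts   = @('8080', '4343')
$TrustedSubnets = @('10.10.50.0/24')

# Returns every enabled inbound rule whose port filter covers one of the console ports.
function Get-ConsoleRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
        $rule  = $_
        $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        if ($ports | Where-Object { $ConsolePorts -contains $_ }) { $rule }
    }
}

# 1. Deny inbound traffic by default on every profile, so only explicit Allow rules open ports.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable existing Allow rules that expose the console ports to any remote address.
#    Windows evaluates Block rules before Allow rules, so a blanket Block rule on these
#    ports would also lock out the admins; scoping the Allow rule is the right tool here.
Get-ConsoleRules | Where-Object { $_.Action -eq 'Allow' } | ForEach-Object {
    $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        Write-Warning "Disabling broad rule '$($_.DisplayName)' (remote address: Any)"
        Disable-NetFirewallRule -Name $_.Name
    }
}

# 3. Allow the console ports only from the trusted subnets.
New-NetFirewallRule -DisplayName 'Apex One console - trusted subnets only' `
    -Direction Inbound -Protocol TCP -LocalPort $ConsolePorts `
    -RemoteAddress $TrustedSubnets -Action Allow -Profile Any | Out-Null

# 4. Report what now applies to the console ports; every Allow row should name a trusted subnet.
Get-ConsoleRules | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Action        = $_.Action
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

One caveat before running this on a production server: on installations where the agents report to the same web-server port as the console, the trusted-address list has to include the endpoint subnets too, or agent updates and policy pushes will stop. In that case it is safer to keep the firewall rule permissive for the agent subnets and restrict the console itself by user and network at the application or reverse-proxy layer, which is what the "and/or users" wording in the mitigating factors is getting at. Run the report in step 4 before and after the change and keep the output as evidence of the exposure window.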