CVE-2022-40139: Vulnerability in Trend Micro Apex One Exploited in the Wild
Trend Micro has patched six vulnerabilities in its Apex One on-prem and software-as-a-service products, one of which has been exploited in the wild.
Background
On September 2, Trend Micro released an advisory for several vulnerabilities in its Apex One and Apex One software-as-a-service (SaaS) products which are used for agent-based threat detection and response.
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2022-40139 | Improper validation vulnerability in rollback functionality component | 7.2 |
| CVE-2022-40140 | Source validation error vulnerability leading to denial of service | 5.5 |
| CVE-2022-40141 | Information disclosure vulnerability | 5.6 |
| CVE-2022-40142 | Agent link interpretation vulnerability leading to privilege escalation | 7.8 |
| CVE-2022-40143 | Link interpretation vulnerability leading to privilege escalation | 7.3 |
| CVE-2022-40144 | Login authentication bypass vulnerability | 8.2 |
There is a fairly robust history of Apex One zero days. A little over a year ago, Trend Micro disclosed reports of two other zero days: CVE-2021-36741, an arbitrary file upload vulnerability, and CVE-2021-36742, a local privilege escalation. The Cybersecurity and Infrastructure Security Agency lists six vulnerabilities in Apex One in its Catalog of Known Exploited Vulnerabilities (KEV).
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2020-8467 | Remote code execution | 8.8 |
| CVE-2020-8468 | Content validation escape | 8.8 |
| CVE-2020-24557 | Privilege escalation | 7.8 |
| CVE-2020-8599 | Arbitrary file upload vulnerability | 9.8 |
| CVE-2021-36742 | Local privilege escalation (KEV lists as arbitrary file upload) | 7.8 |
| CVE-2021-36741 | Arbitrary file upload vulnerability | 8.8 |
Analysis
CVE-2022-40139 is an improper validation vulnerability in the “rollback” functionality which is used to revert Apex One agents to older versions. The vulnerability exists because Apex One agents are able download unverified components which could lead to code execution. While this vulnerability can only be exploited by an attacker with access to the Apex One administrative console, there have been reports of active exploitation.
It is also worth noting that other vulnerabilities patched in this release (and legacy vulnerabilities) could provide the administrative access required to exploit CVE-2022-40139. However, there is no indication that the other CVEs patched in this release have been exploited, yet.
Solution
The specific versions to resolve these vulnerabilities are listed below, though Trend Micro’s advisory notes that some of the vulnerabilities disclosed may have been patched in earlier releases for the SaaS product.
| Vulnerable Product | Updated version |
|---|---|
| Apex One 2019 for Windows On-Prem | Apex One SP1 (b11092/11088) |
| Apex One (SaaS) for Windows | August 2022 Monthly Patch(202208) |
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities can be found here.
Get more information
- Trend Micro Apex One September 2022 Security Bulletin
- Trend Micro Apex One July 2021 Security Bulletin
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Related Articles
Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons
September 13, 2024Critical infrastructure operators must beware of Russian military hacking groups. Plus, cyber scammers are having a field day with crypto fraud. Meanwhile, AI and cloud vendors face stricter reporting regulations in the U.S. And get the latest on AI-model risk management and on cybersecurity understaffing!
Cybersecurity Snapshot: RansomHub Group Triggers CISA Warning, While FBI Says North Korean Hackers Are Targeting Crypto Orgs
September 6, 2024Cybersecurity teams must beware of RansomHub, a surging RaaS gang. Plus, North Korea has unleashed sophisticated social-engineering schemes against crypto employees. Meanwhile, a new SANS report stresses the importance of protecting ICS and OT systems. And a Tenable poll sheds light on cloud-native VM. And much more!
Cybersecurity Snapshot: Schools Suffer Heavy Downtime Losses Due To Ransomware, as Banks Grapple with AI Challenges
August 30, 2024The cost of ransomware downtime in schools gets pegged at $500K-plus per day. Meanwhile, check out the AI-usage risks threatening banks’ cyber resilience. Plus, Uncle Sam is warning about a dangerous Iran-backed hacking group. And get the latest on AI-system inventories, the APT29 nation-state attacker and digital identity security!
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
September 16, 2024Tenable Research discovered a remote code execution (RCE) vulnerability in Google Cloud Platform (GCP) that is now fixed and that we dubbed CloudImposer. The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool. Tenable Research also found risky guidance in GCP documentation that customers should be aware of.
Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons
September 13, 2024Critical infrastructure operators must beware of Russian military hacking groups. Plus, cyber scammers are having a field day with crypto fraud. Meanwhile, AI and cloud vendors face stricter reporting regulations in the U.S. And get the latest on AI-model risk management and on cybersecurity understaffing!
Microsoft’s September 2024 Patch Tuesday Addresses 79 CVEs (CVE-2024-43491)
September 10, 2024Microsoft addresses 79 CVEs with seven critical vulnerabilities and four zero-day vulnerabilities, including three that were exploited in the wild.
- Risk-based Vulnerability Management
- Vulnerability Management