Trend Micro Apex One Security Agent is endpoint protection software that is installed as part of the Trend Micro Apex One suite. It monitors the endpoint for threats such as malicious files and blocks or deletes them as appropriate. It is deployed on all systems enrolled in Trend Micro Apex One.
cirosec discovered a vulnerability in the Damage Cleanup Engine of the Security Agent that enables an unprivileged local attacker to escalate privileges. The vulnerability was disclosed to Trend Micro on October 27, 2023.
While scanning the file system for malicious files, the engine performs insecure file operations in directories that an unprivileged user controls. This lets a local attacker delete almost any file on the system. Using publicly documented techniques, an unprivileged local attacker can turn this arbitrary file delete primitive into SYSTEM privileges. No patch was available when this advisory was first published, so cirosec is not releasing further technical details until further notice.
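The advisory withholds the details of the Apex One bug, so the following Python example, added here and not taken from cirosec's advisory or from Trend Micro's code, illustrates the bug class rather than the specific flaw: a privileged cleaner that unlinks a reported path inside a user-writable tree can be redirected, because the user swaps a directory for a link (a symlink on POSIX, a junction or mount point on Windows) between the scan and the delete, so that the delete lands on a file elsewhere. The directory layout, the function names `naive_delete`, `safe_delete` and `demo`, and the victim file are all constructed for the illustration. The hardened variant does component-by-component traversal relative to a directory descriptor with `O_NOFOLLOW`, which closes the race on POSIX; the Windows fallback shown only checks each component with `lstat` and still has a check-then-act window, which is the caveat a native implementation must address by opening the directory with `FILE_FLAG_OPEN_REPARSE_POINT` and deleting handle-relative.

```python
"""Illustration of the arbitrary-file-delete bug class: a privileged cleaner
that unlinks a reported path inside a user-writable tree can be redirected
by the user (symlink on POSIX; junction or mount point on Windows) so that
it deletes a file somewhere else. Constructed scenario, not cirosec's exploit."""
import os
import shutil
import stat
import tempfile

FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # Windows: symlinks, junctions, mount points


def naive_delete(path: str) -> None:
    """What an insecure cleaner does: unlink a fully resolved path.
    Every directory component is followed, links included."""
    os.remove(path)


def _is_link(st: os.stat_result) -> bool:
    """True for POSIX symlinks and for any Windows reparse point."""
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def safe_delete(root: str, relpath: str) -> None:
    """Hardened delete. `root` is a directory the privileged component
    trusts (not user-writable); `relpath` is the flagged file relative to it.
    Rejects absolute paths and '.'/'..' components and refuses to traverse
    any link. On POSIX every step is done relative to a directory fd
    (openat/unlinkat semantics with O_NOFOLLOW), so swapping a directory for
    a link between the check and the unlink cannot redirect the delete."""
    parts = [p for p in relpath.replace("\\", "/").split("/") if p]
    if os.path.isabs(relpath) or not parts or any(p in (".", "..") for p in parts):
        raise ValueError(f"refusing suspicious path {relpath!r}")
    if os.name != "nt":
        flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
        fd = os.open(root, flags)
        try:
            for d in parts[:-1]:
                nfd = os.open(d, flags, dir_fd=fd)  # ELOOP if d is a symlink
                os.close(fd)
                fd = nfd
            if _is_link(os.stat(parts[-1], dir_fd=fd, follow_symlinks=False)):
                raise PermissionError(f"{relpath!r} is a link; not deleting")
            os.unlink(parts[-1], dir_fd=fd)
        finally:
            os.close(fd)
    else:
        # Windows fallback: lstat each component. This still leaves a
        # check-then-act window; a native implementation should open the
        # directory with FILE_FLAG_OPEN_REPARSE_POINT and delete relative
        # to that handle instead of by path.
        cur = root
        for p in parts:
            cur = os.path.join(cur, p)
            if _is_link(os.lstat(cur)):
                raise PermissionError(f"{cur!r} is a reparse point; not deleting")
        os.remove(cur)


def demo() -> dict:
    """Constructed layout: root/scan (user-writable, scanned) and
    root/protected/important.txt (the victim). The scanner has already
    flagged scan/sub/important.txt; before the delete runs, the user swaps
    the directory 'sub' for a link to 'protected'."""
    base = tempfile.mkdtemp()
    scan, protected = os.path.join(base, "scan"), os.path.join(base, "protected")
    victim = os.path.join(protected, "important.txt")
    os.makedirs(os.path.join(scan, "sub"))
    os.makedirs(protected)
    result = {}
    try:
        with open(victim, "w") as f:
            f.write("do not delete\n")
        os.rmdir(os.path.join(scan, "sub"))
        os.symlink(protected, os.path.join(scan, "sub"), target_is_directory=True)

        naive_delete(os.path.join(scan, "sub", "important.txt"))
        result["naive_deleted_victim"] = not os.path.exists(victim)

        with open(victim, "w") as f:
            f.write("do not delete\n")
        try:
            safe_delete(scan, "sub/important.txt")
            result["safe_refused"] = False
        except OSError:
            result["safe_refused"] = True
        result["victim_survives"] = os.path.exists(victim)

        # The hardened routine still deletes a genuinely local file.
        os.makedirs(os.path.join(scan, "real"))
        flagged = os.path.join(scan, "real", "evil.bin")
        with open(flagged, "wb") as f:
            f.write(b"\x4d\x5a")
        safe_delete(scan, "real/evil.bin")
        result["safe_deletes_local_file"] = not os.path.exists(flagged)
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

Running the script on a POSIX host prints a dictionary in which `naive_deleted_victim` is true and `victim_survives` is true: the by-path delete was redirected onto the file outside the scanned tree, while the descriptor-relative delete refused the link yet still removed the genuinely local file. On Windows, `os.symlink` needs the create-symlink privilege or developer mode, and the fallback branch is the one exercised.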
CVSS Score
7.8 (CVSS v3)
CVSS Vector String
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Version
The vulnerability has been present since at least Security Agent version 14.0.12737; earlier versions may also be affected.
Fixed Version
Apex One Agent v14.0.14203
References
ZDI-Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-001/
Trend Micro: https://success.trendmicro.com/en-US/solution/KA-0018217
Credits
Frederik Reiter & Jan-Luca Gruber
Timeline
Initial disclosure of the vulnerability to Trend Micro (October 27, 2023).
Trend Micro acknowledges the report.
Follow-up by cirosec (no response).
Follow-up by cirosec.
Trend Micro confirms it is still checking the report.
Follow-up by cirosec (no response).
Trend Micro reports that this is not a vulnerability in the product.
Disclosure to ZeroDayInitiative (ZDI-CAN-23995).
ZeroDayInitiative confirms the vulnerability.
ZeroDayInitiative reports the vulnerability to the vendor.
Public release of the advisory.