WARNING: ACTIVELY EXPLOITED CRITICAL ZERO-DAY VULNERABILITY AFFECTING TREND MICRO APEX ONE, APEX ONE SAAS AND VIRUS BUSTER BUSINESS SECURITY PRODUCTS. PATCH AND VERIFY YOUR SYSTEMS ASAP!
CVE-2023-41179
CVSS score: 9.1 (critical)
CVSSv3 vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Sources
https://success.trendmicro.com/jp/solution/000294706 (in Japanese)
Risks
Trend Micro published a security advisory for an actively exploited critical 0-day vulnerability affecting multiple products. The vulnerability has a high impact on all three elements of the CIA triad (Confidentiality, Integrity, Availability).
Trend Micro reported that this vulnerability was under active exploitation.
The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.
Description
CVE-2023-41179 is an arbitrary code execution vulnerability in the products' ability to uninstall third-party security products.
Successful exploitation of this 0-day vulnerability could allow an attacker to execute arbitrary code. To exploit it, the attacker must first be able to log in to the product's administrative console.
Because the attacker must already have obtained the management console's authentication credentials, this vulnerability alone does not allow them to gain initial access to the target network.
Recommended Actions
The Centre for Cyber Security Belgium strongly recommends upgrading your software:
- For Apex One version 2019: install the patch Service Pack 1 – Patch 1 (Build 12380)
- For Apex One SaaS: the security agent version is fixed in the July 2023 maintenance reference 14.0.12637
- For Biz version 10.0 SP1: install Patch 2495
- For VBBSS versions 6.7.3578/14.3.1105: the issue was fixed in the July 31st 2023 update
Additionally, Trend Micro recommends restricting access to the management console and allowing only trusted networks to connect to it.
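One way to apply that last recommendation on a Windows-based Apex One server, as an added example that is not part of the CCB advisory or of Trend Micro's own tooling: audit the host firewall for inbound allow rules on the console port that accept any remote address (the weak setting), then replace them with a single rule scoped to trusted administrative subnets. The console port and the trusted subnets are placeholders, not values from the advisory; verify the actual port on your server before running this.

```powershell
# Added example, not part of the CCB advisory or Trend Micro's own tooling.
# Scopes inbound access to the Apex One management console to trusted networks,
# as the advisory recommends, after auditing for over-broad rules.
#
# ASSUMPTIONS (placeholders, not values taken from the advisory):
#   $ConsolePort     - TCP port the management console listens on; verify it on
#                      your server before running this.
#   $TrustedNetworks - administrative subnets that may reach the console.
$ConsolePort     = 4343                                  # PLACEHOLDER console port
$TrustedNetworks = @('10.10.0.0/24', '192.168.50.0/24')  # PLACEHOLDER admin subnets
$RuleName        = 'Apex One console - trusted networks only'

# Weak state: an inbound allow rule for the console port with RemoteAddress 'Any'.
# With such a rule, anyone holding stolen console credentials can reach the
# login page from anywhere; scoping the rule narrows that exposure.
function Get-OpenConsoleRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -ne $RuleName } |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            ($port.Protocol -eq 'TCP') -and
            (@($port.LocalPort) -contains "$ConsolePort") -and
            (@($addr.RemoteAddress) -contains 'Any')
        }
}

# Scoping only helps if each profile's effective default inbound action is
# Block; otherwise traffic matched by no rule is still admitted.
function Test-DefaultInboundBlock {
    $open = Get-NetFirewallProfile -PolicyStore ActiveStore |
        Where-Object { $_.DefaultInboundAction -ne 'Block' }
    if ($open) {
        Write-Warning ("Profiles without a default inbound Block: " +
                       ($open.Name -join ', '))
        return $false
    }
    return $true
}

# Corrected state: one allow rule limited to the trusted subnets, with the
# over-broad rules disabled (not deleted) so they remain available for review.
function Set-ConsoleAccessRule {
    Get-OpenConsoleRules | ForEach-Object {
        Write-Host "Disabling over-broad rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

    # Recreate our own rule from scratch so repeated runs stay idempotent.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $ConsolePort `
        -RemoteAddress $TrustedNetworks -Action Allow `
        -Profile Domain,Private | Out-Null
}

# Usage (run from an elevated PowerShell session on the Apex One server):
#   Test-DefaultInboundBlock
#   Get-OpenConsoleRules | Select-Object DisplayName, Profile
#   Set-ConsoleAccessRule
```

Disabling rather than deleting the over-broad rules keeps a record of what was changed, and the check of the default inbound action matters because a scoped allow rule does nothing if the profile admits unmatched traffic by default. Network-level filtering in front of the server (a perimeter firewall or management VLAN ACL) should mirror the same trusted-subnet list, since the host firewall alone can be reconfigured by anyone who already has administrative access to the box.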