Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2022-40139: Vulnerability in Trend Micro Apex One Exploited in the Wild

CVE-2022-40139: Vulnerability in Trend Micro Apex One Exploited in the Wild

Trend Micro has patched six vulnerabilities in its Apex One on-prem and software-as-a-service products, one of which has been exploited in the wild.

Background

On September 2, Trend Micro released an advisory for several vulnerabilities in its Apex One and Apex One software-as-a-service (SaaS) products which are used for agent-based threat detection and response.

CVE Description CVSSv3
CVE-2022-40139 Improper validation vulnerability in rollback functionality component 7.2
CVE-2022-40140 Source validation error vulnerability leading to denial of service 5.5
CVE-2022-40141 Information disclosure vulnerability 5.6
CVE-2022-40142 Agent link interpretation vulnerability leading to privilege escalation 7.8
CVE-2022-40143 Link interpretation vulnerability leading to privilege escalation 7.3
CVE-2022-40144 Login authentication bypass vulnerability 8.2

There is a fairly robust history of Apex One zero days. A little over a year ago, Trend Micro disclosed reports of two other zero days: CVE-2021-36741, an arbitrary file upload vulnerability, and CVE-2021-36742, a local privilege escalation. The Cybersecurity and Infrastructure Security Agency lists six vulnerabilities in Apex One in its Catalog of Known Exploited Vulnerabilities (KEV).

CVE Description CVSSv3
CVE-2020-8467 Remote code execution 8.8
CVE-2020-8468 Content validation escape 8.8
CVE-2020-24557 Privilege escalation 7.8
CVE-2020-8599 Arbitrary file upload vulnerability 9.8
CVE-2021-36742 Local privilege escalation (KEV lists as arbitrary file upload) 7.8
CVE-2021-36741 Arbitrary file upload vulnerability 8.8

Analysis

CVE-2022-40139 is an improper validation vulnerability in the “rollback” functionality which is used to revert Apex One agents to older versions. The vulnerability exists because Apex One agents are able download unverified components which could lead to code execution. While this vulnerability can only be exploited by an attacker with access to the Apex One administrative console, there have been reports of active exploitation.

It is also worth noting that other vulnerabilities patched in this release (and legacy vulnerabilities) could provide the administrative access required to exploit CVE-2022-40139. However, there is no indication that the other CVEs patched in this release have been exploited, yet.

Solution

The specific versions to resolve these vulnerabilities are listed below, though Trend Micro’s advisory notes that some of the vulnerabilities disclosed may have been patched in earlier releases for the SaaS product.

Vulnerable Product Updated version
Apex One 2019 for Windows On-Prem Apex One SP1 (b11092/11088)
Apex One (SaaS) for Windows August 2022 Monthly Patch(202208)

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.