According to a security bulletin by Trend Micro, multiple critical vulnerabilities were recently discovered with the company’s Apex One and OfficeScan XG products. Two of the vulnerabilities (CVE-2020-8467 and CVE-2020-8468) were considered to be zero-days due to observed exploit attempts prior to patch availability. Three other vulnerabilities (CVE-2020-8470, CVE-2020-8598, and CVE-2020-8599) were detailed in the report as well–all with a Common Vulnerability Scoring System (CVSS) rating of 10 out of 10, the most severe score. There was no indication given that these three vulnerabilities had been exploited in the wild yet.
CVE-2020-8470 details a vulnerable service that can be abused to delete any file on the host with SYSTEM-level privileges. No authentication is required to exploit the service. CVE-2020-8598 also describes a vulnerable service DLL; this service can be abused remotely without authentication to execute code with SYSTEM-level privileges. The last vulnerability described in the bulletin, CVE-2020-8599, allows unauthenticated attackers to write data to any path on the system.
Analyst Notes
According to Trend Micro’s security bulletin, customers using Apex One as a Service received the patch during a February 2020 maintenance release. Customers using on-premise installations or OfficeScan XG can follow the instructions provided on the bulletin to update each product. Trend Micro’s advice for reviewing physical and remote access to these services also applies to any other services in use. Access should only be given to those who need it with permissions to match their role. If customers do not require remote access, it should be similarly limited, only granting network access to employees who use the service.
Source: https://success.trendmicro.com/solution/000245571
https://www.zdnet.com/article/two-trend-micro-zero-days-exploited-in-the-wild-by-hackers/
