CVE-2022-40139: Vulnerability in Trend Micro Apex One Exploited in the Wild
Trend Micro has patched six vulnerabilities in its Apex One on-prem and software-as-a-service products, one of which has been exploited in the wild.
Background
On September 2, Trend Micro released an advisory for several vulnerabilities in its Apex One and Apex One software-as-a-service (SaaS) products which are used for agent-based threat detection and response.
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2022-40139 | Improper validation vulnerability in rollback functionality component | 7.2 |
| CVE-2022-40140 | Source validation error vulnerability leading to denial of service | 5.5 |
| CVE-2022-40141 | Information disclosure vulnerability | 5.6 |
| CVE-2022-40142 | Agent link interpretation vulnerability leading to privilege escalation | 7.8 |
| CVE-2022-40143 | Link interpretation vulnerability leading to privilege escalation | 7.3 |
| CVE-2022-40144 | Login authentication bypass vulnerability | 8.2 |
There is a fairly robust history of Apex One zero days. A little over a year ago, Trend Micro disclosed reports of two other zero days: CVE-2021-36741, an arbitrary file upload vulnerability, and CVE-2021-36742, a local privilege escalation. The Cybersecurity and Infrastructure Security Agency lists six vulnerabilities in Apex One in its Catalog of Known Exploited Vulnerabilities (KEV).
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2020-8467 | Remote code execution | 8.8 |
| CVE-2020-8468 | Content validation escape | 8.8 |
| CVE-2020-24557 | Privilege escalation | 7.8 |
| CVE-2020-8599 | Arbitrary file upload vulnerability | 9.8 |
| CVE-2021-36742 | Local privilege escalation (KEV lists as arbitrary file upload) | 7.8 |
| CVE-2021-36741 | Arbitrary file upload vulnerability | 8.8 |
Analysis
CVE-2022-40139 is an improper validation vulnerability in the “rollback” functionality which is used to revert Apex One agents to older versions. The vulnerability exists because Apex One agents are able download unverified components which could lead to code execution. While this vulnerability can only be exploited by an attacker with access to the Apex One administrative console, there have been reports of active exploitation.
It is also worth noting that other vulnerabilities patched in this release (and legacy vulnerabilities) could provide the administrative access required to exploit CVE-2022-40139. However, there is no indication that the other CVEs patched in this release have been exploited, yet.
Solution
The specific versions to resolve these vulnerabilities are listed below, though Trend Micro’s advisory notes that some of the vulnerabilities disclosed may have been patched in earlier releases for the SaaS product.
| Vulnerable Product | Updated version |
|---|---|
| Apex One 2019 for Windows On-Prem | Apex One SP1 (b11092/11088) |
| Apex One (SaaS) for Windows | August 2022 Monthly Patch(202208) |
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities can be found here.
Get more information
- Trend Micro Apex One September 2022 Security Bulletin
- Trend Micro Apex One July 2021 Security Bulletin
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Related Articles
Cybersecurity Snapshot: CISA Pinpoints Vulnerabilities in Critical Infrastructure Orgs that Ransomware Groups Could Exploit
March 17, 2023Learn about CISA’s new program to help critical infrastructure organizations stamp out vulnerabilities associated with ransomware attacks. Plus, a U.S. government advisory with the latest on LockBit 3.0. Also, find out why the U.K.’s cyber agency is warning users about ChatGPT. And much more!
Tenable.sc 6.0: A Major Update that Boosts Visibility and Productivity
January 25, 2023Tenable.sc powers the risk-based vulnerability management programs (RBVM) of all types of organizations, anchoring the world’s most demanding cybersecurity environments. With the introduction of Tenable.sc 6.0, customers can now take advantage of significant new capabilities and enhancements, like a global CVE search to help them focus their RBVM efforts on what’s most important.
Oracle January 2023 Critical Patch Update Addresses 183 CVEs
January 19, 2023Oracle addresses 183 CVEs in its first quarterly update of quarterly with 327 patches, including 71 critical updates.
Exposure Management: 7 Benefits of a Platform Approach
March 28, 2023When it comes to preventive cybersecurity, there have been longstanding debates over whether it's more effective to operate an array of best-of-breed point solutions or to take a more consolidated platform approach. Here are seven reasons an exposure management platform can help reduce cyber risk.
EPA Issues Cybersecurity Regulations for Public Water Systems: How Tenable Can Help
March 27, 2023EPA released new regulations that require states to assess cybersecurity risks at drinking water systems and ensure these systems have sufficient cyber protections. Here’s what you need to know — and how Tenable can help.
Tenable Cyber Watch: U.K. Cyber Agency Raises Privacy Concerns About ChatGPT, CISA Program Tackles Ransomware in Critical Infrastructure, and more
March 27, 2023This week’s edition of the Tenable Cyber Watch unpacks CISA’s new pilot program that detects vulnerabilities in critical infrastructure and addresses the FBI’s plea for more ransomware victims to report attacks. Also covered: Why the U.K. National Cyber Security Centre is warning ChatGPT users to tread carefully when submitting queries with sensitive information.
- Risk-based Vulnerability Management
- Vulnerability Management
