CVE-2023-41179

Warning

EPSS 1.27%
Published 19.09.2023 14:15:21
Last modified 29.11.2024 14:33:04
Source security@trendmicro.com
Teams watchlist Login
Open Login

A vulnerability in the 3rd party AV uninstaller module contained in Trend Micro Apex One (on-prem and SaaS), Worry-Free Business Security and Worry-Free Business Security Services could allow an attacker to manipulate the module to execute arbitrary commands on an affected installation.

Note that an attacker must first obtain administrative console access on the target system in order to exploit this vulnerability.

Affected products Warnungen 1 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Trendmicro ≫ Apex One Version2019

Microsoft ≫ Windows Version-

Trendmicro ≫ Apex One Version2019 SwEditionsaas

Microsoft ≫ Windows Version-

Trendmicro ≫ Worry-free Business Security Version10.0 Updatesp1

Microsoft ≫ Windows Version-

Trendmicro ≫ Worry-free Business Security Services Version- SwEditionsaas

Microsoft ≫ Windows Version-

21.09.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Trend Micro Apex One and Worry-Free Business Security Remote Code Execution Vulnerability

Vulnerability

Trend Micro Apex One and Worry-Free Business Security contain an unspecified vulnerability in the third-party anti-virus uninstaller that could allow an attacker to manipulate the module to conduct remote code execution. An attacker must first obtain administrative console access on the target system in order to exploit this vulnerability.

Description

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.27%	0.788

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://jvn.jp/en/vu/JVNVU90967486/

Third Party Advisory

https://success.trendmicro.com/jp/solution/000294706

Broken Link

https://success.trendmicro.com/solution/000294994

Broken Link

https://nvd.nist.gov/vuln/detail/CVE-2023-41179

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-41179

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-41179

EUVD