Updated: June 14, 2023
CVE Identifier(s): CVE-2023-32521 through CVE-2023-32528, CVE-2023-35695
Platform(s): Windows
CVSS 3/3.1 Score(s): 5.3 through 9.1
Severity Rating(s): Medium - Critical
Trend Micro has released a new build for Trend Micro Mobile Security (Enterprise) that resolves several vulnerabilities.
Affected Version(s)
| Product | Affected Version(s) | Platform | Language(s) |
|---|---|---|---|
| Mobile Security (Enterprise) | 9.8 SP5 | Windows | English |
Solution
Trend Micro has released the following solutions to address the issue:
| Product | Updated version* | Notes | Platform | Availability |
|---|---|---|---|---|
| Mobile Security (Enterprise) | 9.8 SP5 Critical Patch B3294 | Readme | Windows | Now Available |
These are the minimum recommended version(s) of the patches and/or builds required to address the issue. Trend Micro highly encourages customers to obtain the latest version of the product if there is a newer one available than the one listed in this bulletin.
Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.
Please note: some of the vulnerabilities listed below may be resolved by an earlier build, but it is strongly recommended that customers apply the latest available version to ensure all known issues are resolved.
Vulnerability Details
CVE-2023-32521: Unauthenticated Path Traversal File Deletion VulnerabilityCVSSv3.1: 9.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
A path traversal exists in a specific service dll of Trend Micro Mobile Security (Enterprise) 9.8 SP5 which could allow an unauthenticated remote attacker to delete arbitrary files.
CVE-2023-32522: Authenticated Path Traversal File Deletion Vulnerability
CVSSv3.1: 8.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
A path traversal exists in a specific dll of Trend Micro Mobile Security (Enterprise) 9.8 SP5 which could allow an authenticated remote attacker to delete arbitrary files.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2023-32523 and 32524: Authentication Bypass Vulnerabilities
ZDI-CAN-19721 and ZDI-CAN-19722
CVSSv3: 6.0: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Affected versions of Trend Micro Mobile Security (Enterprise) 9.8 SP5 contain some widgets that would allow a remote user to bypass authentication and potentially chain with other vulnerabilities.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit these vulnerabilities.
CVE-2023-32525 and 32526: Unrestricted File Upload Vulnerabilities
ZDI-CAN-20179 and ZDI-CAN-20182
CVSSv3: 6.5: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Trend Micro Mobile Security (Enterprise) 9.8 SP5 contains widget vulnerabilities that could allow a remote attacker to create arbitrary files on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2023-32527 and 32528: Local File Inclusion Remote Code Execution Vulnerabilities
ZDI-CAN-20180 and ZDI-CAN-20181
CVSSv3: 7.7: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Trend Micro Mobile Security (Enterprise) 9.8 SP5 contains vulnerable .php files that could allow a remote attacker to execute arbitrary code on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2023-35695: Information Disclosure Vulnerability
CVSSv3.1: 5.3: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
A remote attacker could leverage a vulnerability in Trend Micro Mobile Security (Enterprise) 9.8 SP5 to download a particular log file which may contain sensitive information regarding the product.
Mitigating Factors
Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date.
However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.
Acknowledgement
Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:
- CVE-2023-32521, 32522 and 35695: Tenable Research
- CVE-2023-32523 through 32528: Poh Jia Hao of STAR Labs SG Pte. Ltd. working with Trend Micro's Zero Day Initiative
External Reference(s)
- Tenable Security: TRA-2023-17 (CVE-2023-32521, 32522 and 35695)
The following advisories may be found at Trend Micro's Zero Day Initiative Published Advisories site:
- ZDI-CAN-19721
- ZDI-CAN-19722
- ZDI-CAN-20179
- ZDI-CAN-20182
- ZDI-CAN-20180
- ZDI-CAN-20181
