Exploit
CVE-2024-36305

Improper Link Resolution Before File Access ('Link Following') (CWE-59)

Published: Jun 10, 2024 / Updated: 5mo ago

CVSS 7.8 | EPSS 0.05% | High

Summary

This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. The specific flaw exists within the Apex One NT RealTime Scan service. By creating a junction, an attacker can abuse the service to create arbitrary files. This vulnerability requires the attacker to first obtain the ability to execute low-privileged code on the target system.

Impact

An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. This could lead to complete compromise of the affected system, allowing the attacker to gain full control over the machine, potentially leading to data theft, further lateral movement within the network, or use of the compromised system as a launching point for additional attacks.

Exploitation

One proof-of-concept exploit is available on zerodayinitiative.com. There is no evidence of exploitation at the moment.

Patch

Trend Micro has issued an update to correct this vulnerability. More details can be found at: https://success.trendmicro.com/dcx/s/solution/000298063?language=en_US

Mitigation

1. Apply the security update provided by Trend Micro as soon as possible.
2. Implement the principle of least privilege to minimize the number of users with low-level access that could be exploited.
3. Monitor for suspicious activities, especially those related to the Apex One NT RealTime Scan service.
4. Implement robust access controls and network segmentation to limit the potential impact of a successful exploit.
5. Keep all systems and software up-to-date with the latest security patches.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-36305.

Jun 6, 2024 at 3:18 PM / ZDI Published Advisories

CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Jun 6, 2024 at 3:18 PM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (379929)

Jun 10, 2024 at 7:53 AM

CVE Assignment

NVD published the first details for CVE-2024-36305

Jun 10, 2024 at 10:15 PM

CVSS

A CVSS base score of 7.8 has been assigned.

Jun 10, 2024 at 10:20 PM / nvd

EPSS

EPSS Score was set to: 0.05% (Percentile: 16.1%)

Jun 11, 2024 at 1:55 PM

Affected Systems

Trendmicro/apex_one

Exploits

https://www.zerodayinitiative.com/advisories/ZDI-24-572/

Links to MITRE ATT&CK

T1547.009: Shortcut Modification

Attack Patterns

CAPEC-132: Symlink Attack

Vendor Advisory

ZDI-24-572: Trend Micro Apex One Security Agent Link Following Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

References

SECURITY BULLETIN: May 2024 Security Bulletin for Trend Micro Apex One
A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. A security agent link following vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to disclose sensitive information about the agent on affected installations.

News

IT security solution Trend Micro Apex One secured against possible attacks | heise online
The developers at Trend Micro have closed a total of seven security vulnerabilities in the Apex One protection software for Windows systems. The developers state that they have closed the vulnerabilities in the following versions
Multiple vulnerabilities in multiple Trend Micro products
Local privilege escalation due to a link following vulnerability (CVE-2024-36305). Update the software to the latest version according to the information provided by Trend Micro Incorporated.
Multiple vulnerabilities in multiple Trend Micro products
Trend Micro Incorporated has released security updates for multiple Trend Micro products.
Security Bulletin 12 Jun 2024 - Cyber Security Agency of Singapore

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
