Trend Micro patches critical flaws in its Apex Central software


Security company Trend Micro has been compelled to issue a patch for its own Apex Central software management tool after vulnerability management platform Tenable identified several security flaws.

The bugs affect all versions of Apex Central (on-premises) earlier than build 7190.

In a security bulletin, Trend Micro said of the most severe flaw, rated 9.8, “A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations.”

Erik Avakian, technical counselor at Info-Tech Research Group, explained why this is an issue. “There’s a critical flaw in the management server in how one of its background services handles certain types of network messages that allows an attacker on the network to run their own code without logging in. That service will accept a message from anyone on the network and then can blindly load a Windows DLL using a standard Windows function. The problem is that the software doesn’t properly validate where that DLL is coming from.”

When this happens, he said, the affected software will run the attacker’s code, probably at the highest level of privilege. So, in these circumstances, the attacker can point Apex Central to a DLL that they control, for example, on a remote network, and from there move deeper into the corporate software environment. “In short, if this server is exposed and unpatched, it can be taken over remotely,” said Avakian.

What makes the attack particularly insidious, he said, is that attackers don’t need to log into the server or copy files onto it. “They simply can host a malicious DLL somewhere they control and instruct Apex Central to load it. Because of the flaw, Apex Central reaches out and loads the DLL itself, effectively pulling in and executing the attacker’s code without checking who asked.”

He added that the SYSTEM context was important because it means the vulnerable service is running with maximum privileges. Thus, it would enable the attacker to carry out a wide range of activities, including modifying files, installing or disabling software, creating user accounts, or using the server as a launch point to attack other systems.
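As an added illustration of the mechanism Avakian describes (not code from Trend Micro, Tenable or the advisory), the following C shows the validation a message-handling service should apply before a module name received over the network reaches the Windows loader. The allowlist, the sample message payloads and the function names are constructed for this example; the real LoadLibraryExW call is only described in a comment so the program runs anywhere.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Modules the service is expected to load; a constructed allowlist for this example. */
static const char *const kAllowedModules[] = { "crypt32.dll", "wldap32.dll" };

/* Case-insensitive compare, since Windows file names are case-insensitive. */
static bool names_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

/* The missing validation: accept only a bare, allowlisted file name. A path
   separator, drive colon or ".." means the sender is steering where the loader
   looks (a UNC share, a writable temp directory), so the name is refused. */
bool is_trusted_dll_name(const char *name)
{
    if (name == NULL || name[0] == '\0') return false;
    if (strpbrk(name, "\\/:") != NULL || strstr(name, "..") != NULL) return false;
    for (size_t i = 0; i < sizeof kAllowedModules / sizeof kAllowedModules[0]; i++)
        if (names_equal(name, kAllowedModules[i])) return true;
    return false;
}

/* Decision the message handler makes before touching the loader. In a real
   service an accepted name would then go to LoadLibraryExW with
   LOAD_LIBRARY_SEARCH_SYSTEM32, so neither the default search order nor a
   remote path is consulted; that call is omitted to keep the example portable. */
int handle_load_request(const char *name_from_message)
{
    return is_trusted_dll_name(name_from_message) ? 1 : 0;   /* 1 = load, 0 = drop */
}

int main(void)
{
    /* Constructed payloads: one legitimate, the rest shapes that steer the loader. */
    const char *payloads[] = {
        "CRYPT32.DLL",
        "\\\\attacker-host\\share\\payload.dll",  /* UNC path to a remote share */
        "C:\\Windows\\Temp\\payload.dll",         /* absolute path to a writable dir */
        "..\\..\\Temp\\payload.dll",             /* traversal out of the app dir */
        "notonthelist.dll",                      /* bare name, but not allowlisted */
    };
    for (size_t i = 0; i < sizeof payloads / sizeof payloads[0]; i++)
        printf("%-40s -> %s\n", payloads[i], handle_load_request(payloads[i]) ? "load" : "reject");
    return 0;
}
```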

The vulnerability does not seem to be the result of recent modifications to the software, Avakian said. “Everything in the published materials indicates this flaw may have been present for some time. The advisory affects all builds below the fixed version, and there’s no indication that it was introduced recently. On the surface, this appears to be a long-standing issue that was only recently discovered and addressed.”

Neither Trend Micro nor Tenable responded to requests for comment by publication time.

In addition to this critical vulnerability, Trend Micro’s bulletin also highlighted two other high-severity issues, neither of which requires authentication to be exploited. The first is a message unchecked NULL return value vulnerability in Trend Micro Apex Central that could allow a remote attacker to create a denial-of-service condition on affected installations. The second is a message out-of-bounds read vulnerability in Trend Micro Apex Central that could also allow a remote attacker to create a denial-of-service condition. All three flaws are patched in build 7190.

Trend Micro’s advisory did point out that to exploit vulnerabilities like these, the attacker would generally need access to a vulnerable machine.

However, the company advised customers to review remote access to critical systems to ensure policies and perimeter security are up-to-date. It also warned them to update to the latest builds as soon as possible.

This article originally appeared on CSOonline.