How to fix CVE-2023-41179 in Trend Micro

Trend Micro recently addressed CVE-2023-41179, a severe zero-day vulnerability detected in multiple enterprise endpoint security products. This vulnerability was being actively exploited in the wild.

Here’s what you need to know:

 

What is CVE-2023-41179? 

Identified as CVE-2023-41179, a zero-day vulnerability has promptly been resolved in TrendMicro’s Endpoint Security product called Apex One. With a CVSS score of 9.1, the vulnerability carries a critical severity rating while reports also indicate that attackers have actively been exploiting the vulnerability to achieve remote code execution. Although the specific details of the vulnerability remain undisclosed, it is confirmed to reside within the third-party antivirus (AV) uninstaller module packaged with the products. 

Exploitation of this flaw can lead to the execution of unauthorized code with system privileges on a PC equipped with a susceptible security agent. To exploit CVE-2023-41179, the attacker must first gain initial access to the target system’s administrative console, which can be obtained through credential theft or physical access to a vulnerable machine. 

 

Does CVE-2023-41179 affect me?  

The vulnerability affects the following products: 

1. Apex One Version 2019 (On Premise) – fixed in SP1 Patch 1 (B12380) 
2. Apex One as a Service – fixed in SP1 Patch 1 (B12380) and Agent version 14.0.12637 
3. Worry-Free Business Security Version 10.0 fixed in 10.0 SP1 Patch 2495 
4. Worry-Free Business Security Services 10.0 SP1 (SaaS) fixed in July 31, 2023, Monthly Maintenance Release 

 

Has CVE-2023-41179 been actively exploited in the wild? 

In its report, the vendor reported that “Trend Micro has detected at least one instance of a potential exploitation attempt for CVE-2023-41179 in the wild”. It also emphasized that “Even though the exploit may necessitate meeting several specific conditions, Trend Micro strongly advises customers to promptly update to the latest builds”. 

 

 

How to fix CVE-2023-41179 

Since exploitation of this vulnerability requires an attacker to initially log into the vulnerable product’s administration console, limiting remote access to the console is a recommended mitigation measure. 

Nevertheless, applying patches and updates is the most effective and preferred action, as the vulnerability could also be exploited by attackers for lateral movement, especially if they’ve gained access to other company assets through alternative methods.  

If applying updates promptly is not feasible, it’s advisable to restrict access to the administration console. This can be achieved by allowing access only from trusted networks, thereby preventing unauthorized entry. 

The vulnerability has been addressed in Trend Micro Apex One as a Service and Worry-Free Business Security Services (SaaS) through patches released in July 2023. 

Administrators of Trend Micro Apex One On-Premise and Worry-Free Business Security should expeditiously apply the latest patches – SP1 Patch 1 (B12380) and 10.0 SP1 Patch 2495, respectively. 

 

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

1. Announcing the Attack Path Graph for end-to-end risk prioritization
2. Can you trust ChatGPT’s package recommendations?
3. MITRE ATTACK framework – Mapping techniques to CVEs  
4. Exploit maturity: an introduction  
5. IBM’s Cost of a Data Breach report 2023 – what we learned