Pierluigi Paganini
February 03, 2022
Trend Micro released security updates to fix two high-severity vulnerabilities, tracked as CVE-2022-23119 and CVE-2022-23120, affecting some of its hybrid cloud security products. The vulnerabilities affect Deep Security and Cloud One workload security solutions.
The flaws were reported by the cybersecurity firm modzero, which also published PoC exploits the same day Trend Micro released the security fixes (on January 19).
The experts first reported the vulnerabilities to Trend Micro in September and patches were released between October and December.
The first issue is a directory traversal vulnerability that could be exploited by a local unprivileged attacker to read arbitrary files and inject and run code as `root` user. The flaw is caused by the lack of proper input sanitization in the Trend Micro Deep Security Agent, it can be exploited only if the agent has not been activated or configured.
The experts also discovered that the the agent software is shipped with a default CA and a hardcoded default X.509 certificate (and corresponding private key). The certificate is used to establish a communication with the server before the agent is activated.
“The Trend Micro Deep Security Agent authenticates remote servers using mutual TLS (mTLS): Both the server and the agent identify each other by presenting a certificate. The agent software ships with a hardcoded default X.509 certificate and a corresponding private key. Until the agent is configured (‘activated’) by the server component this certificate is used in communications with the server. It is stored in the shared object file /opt/ds_agent/lib/dsa_core.so The agent software uses a certificate authority (CA) to establish the server’s identity.” continues the advisory. “When the server connects to the agent, its certificate is validated against this CA. However, the agent uses its own certificate also as a CA. As this certificate ships with a private key it is possible for an attcker to create and sign their own server certificate, imitate a server and to send commands to the client software.”
The two flaws affect the following agent versions:
modzero researchers published all PoC exploits, tools and additional information on Github.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Trend Micro)
[adrotate banner=”5″]
[adrotate banner=”13″]
