Trend Micro fixed 2 flaws in Hybrid Cloud Security products

Trend Micro recently addressed two high-severity flaws affecting some of its hybrid cloud security products.

Trend Micro released security updates to fix two high-severity vulnerabilities, tracked as CVE-2022-23119 and CVE-2022-23120, affecting some of its hybrid cloud security products. The vulnerabilities affect Deep Security and Cloud One workload security solutions.

The flaws were reported by the cybersecurity firm modzero, which also published PoC exploits the same day Trend Micro released the security fixes (on January 19).

The experts first reported the vulnerabilities to Trend Micro in September and patches were released between October and December.

The first issue is a directory traversal vulnerability that could be exploited by a local unprivileged attacker to read arbitrary files and to inject and run code as the `root` user. The flaw is caused by a lack of proper input sanitization in the Trend Micro Deep Security Agent, and it can be exploited only if the agent has not yet been activated or configured.

The experts also discovered that the agent software ships with a default CA and a hardcoded default X.509 certificate (and its corresponding private key). The certificate is used to establish communication with the server before the agent is activated.

“The Trend Micro Deep Security Agent authenticates remote servers using mutual TLS (mTLS): Both the server and the agent identify each other by presenting a certificate. The agent software ships with a hardcoded default X.509 certificate and a corresponding private key. Until the agent is configured (‘activated’) by the server component this certificate is used in communications with the server. It is stored in the shared object file /opt/ds_agent/lib/dsa_core.so. The agent software uses a certificate authority (CA) to establish the server’s identity.” reads the advisory. “When the server connects to the agent, its certificate is validated against this CA. However, the agent uses its own certificate also as a CA. As this certificate ships with a private key it is possible for an attacker to create and sign their own server certificate, imitate a server and to send commands to the client software.”
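The trust-anchor mistake the advisory describes, as an added example that is not code from Trend Micro, modzero or the advisory: it builds a constructed, throwaway test PKI (the names `dsm-ca`, `agent` and `dsm.example` and the helper functions are assumptions of this example), then shows that a verification pool which also contains the client's own shipped certificate accepts a server certificate signed with the shipped key, while a pool holding only the dedicated server CA rejects it and still accepts the genuine server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn, self-signed when parent is nil. Constructed test PKI only.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless an issuer (parent) is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepted reports whether serverCert chains to one of roots as a server certificate.
func accepted(roots *x509.CertPool, serverCert *x509.Certificate) bool {
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// Scenario models the advisory: the agent's shipped identity certificate (private key included) sits among the
// trust anchors used to validate the server. Returns: forged cert passes vulnerable pool, passes fixed pool, genuine passes fixed pool.
func Scenario() (forgedVuln, forgedFixed, legitFixed bool) {
	serverCA, serverCAKey := mkCert("dsm-ca", true, nil, nil) // CA meant to vouch for the manager
	agentCert, agentKey := mkCert("agent", true, nil, nil)     // hardcoded agent identity and its key
	legit, _ := mkCert("dsm.example", false, serverCA, serverCAKey)
	forged, _ := mkCert("dsm.example", false, agentCert, agentKey) // mintable by anyone holding the shipped key
	vulnerable := x509.NewCertPool() // flaw: the agent's own certificate doubles as a trust anchor
	vulnerable.AddCert(serverCA)
	vulnerable.AddCert(agentCert)
	fixed := x509.NewCertPool() // fix: only the dedicated server CA is a trust anchor
	fixed.AddCert(serverCA)
	return accepted(vulnerable, forged), accepted(fixed, forged), accepted(fixed, legit)
}

func main() { fmt.Println(Scenario()) } // prints: true false true
```

The same pattern applies to any mTLS client: the certificate (and key) a client presents as its own identity must never appear in the set of roots it uses to verify the peer.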

The two flaws affect the following agent versions:

  • Deep Security Agent 20.0.0-2740 for Ubuntu
  • Deep Security Agent 20.0.0-2921 for Ubuntu

modzero researchers published all PoC exploits, tools and additional information on GitHub.


Pierluigi Paganini

(SecurityAffairs – hacking, Trend Micro)