Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks.
Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted products is as follows -
Apex One - version 2019 (on-premise), fixed in SP1 Patch 1 (B12380) Apex One as a Service - fixed in SP1 Patch 1 (B12380) and Agent version 14.0.12637 Worry-Free Business Security - version 10.0 SP1, fixed in 10.0 SP1 Patch 2495 Worry-Free Business Security Services - fixed in July 31, 2023, Monthly Maintenance ReleaseTrend Micro said that a successful exploitation of the flaw could allow an attacker to manipulate the component to execute arbitrary commands on an affected installation. However, it requires that the adversary already has administrative console access on the target system.
The company also warned that it has "observed at least one active attempt of potential exploitation of this vulnerability in the wild," making it essential that users move quickly to apply the patches.
As a workaround, it's recommending that customers limit access to the product's administration console to trusted networks.
CISA Adds Nine Flaws to KEV Catalog
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added nine flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild -
CVE-2014-8361 (CVSS score: N/A) - Realtek SDK Improper Input Validation Vulnerability CVE-2017-6884 (CVSS score: 8.8) - Zyxel EMG2926 Routers Command Injection Vulnerability CVE-2021-3129 (CVSS score: 9.8) - Laravel Ignition File Upload Vulnerability CVE-2022-22265 (CVSS score: 7.8) - Samsung Mobile Devices Use-After-Free Vulnerability CVE-2022-31459 (CVSS score: 6.5) - Owl Labs Meeting Owl Inadequate Encryption Strength Vulnerability CVE-2022-31461 (CVSS score: 6.5) - Owl Labs Meeting Owl Missing Authentication for Critical Function Vulnerability CVE-2022-31462 (CVSS score: 8.8) - Owl Labs Meeting Owl Use of Hard-coded Credentials Vulnerability CVE-2022-31463 (CVSS score: 7.1) - Owl Labs Meeting Owl Improper Authentication Vulnerability CVE-2023-28434 (CVSS score: 8.8) - MinIO Security Feature Bypass VulnerabilityIt's worth noting that a fifth flaw impacting Owl Labs Meeting Owl (CVE-2022-31460, CVSS score: 7.4), a case of hard-coded credentials, was previously added to the KEV catalog on June 8, 2022, merely days after Modzero disclosed details of the flaws.
UPCOMING WEBINARLevel-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM
Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.
Supercharge Your Skills"By exploiting the vulnerabilities[...], an attacker can find registered devices, their data, and owners from around the world," the Swiss security consultancy firm said at the time.
"Attackers can also access confidential screenshots of whiteboards or use the Owl to get access to the owner's network. The PIN protection, which protects the Owl from unauthorized use, can be circumvented by an attacker by (at least) four different approaches."
Even more troublingly, the devices can be turned into rogue wireless network gateways to a local corporate network remotely via Bluetooth by arbitrary users and can be abused to act as a backdoor to owners' local networks. It's currently not known how these vulnerabilities are exploited in the wild.
The security weakness impacting MinIO has come under abuse in recent months, with Security Joes revealing this month that an unnamed threat actor is exploiting it in conjunction with CVE-2023-28432 (CVSS score: 7.5) to achieve unauthorized code execution on susceptible servers and drop follow-on payloads.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.