Information on products and software
Title Multiple vulnerabilities in multiple Trend Micro products
Summary

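Trend Micro Incorporated has released updates for each of the affected products. The developer reported this vulnerability information to JPCERT/CC in order to notify product users, and JPCERT/CC coordinated with the developer.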

Possible impacts

The expected impact differs for each vulnerability, but the following impacts are possible. For details, refer to the individual advisories provided by Trend Micro Incorporated.

Apex One, Apex One SaaS
- Local privilege escalation due to insufficient origin validation (CVE-2024-36302, CVE-2024-36303)
- Local privilege escalation due to a Time-of-check Time-of-use (TOCTOU) race condition (CVE-2024-36304)
- Local privilege escalation due to a link following issue (CVE-2024-36305)
- Denial-of-service (DoS) due to a link following issue in the Damage Cleanup Engine (CVE-2024-36306)
- Information disclosure due to a link following issue (CVE-2024-36307)
- Local privilege escalation due to improper assignment of access permissions (CVE-2024-37289)

Deep Security Agent
- Local privilege escalation due to a link following issue (CVE-2024-36358)

IWSVA, IWSS
- Privilege escalation due to cross-site scripting (CVE-2024-36359)
Solution

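[Update] Update to the latest version according to the information provided by Trend Micro Incorporated.
[Apply workarounds] Trend Micro Incorporated also recommends applying mitigations. For details, refer to the information provided by Trend Micro Incorporated.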

Publication Date June 19, 2024, midnight
Registration Date June 20, 2024, 12:02 p.m.
Last Update June 20, 2024, 12:02 p.m.
Affected System
Trend Micro
Apex One - CVE-2024-36302, CVE-2024-36303, CVE-2024-36304, CVE-2024-36305, CVE-2024-36306, CVE-2024-36307, CVE-2024-37289
Apex One SaaS - CVE-2024-36302, CVE-2024-36303, CVE-2024-36304, CVE-2024-36305, CVE-2024-36306, CVE-2024-36307, CVE-2024-37289
Deep Security Agent (for Windows) version 20.0 - CVE-2024-36358
TrendMicro InterScan Web Security Suite (IWSS) versions prior to 6.5 Patch4 build 3152 - CVE-2024-36359
TrendMicro InterScan Web Security Virtual Appliance (IWSVA) versions prior to 6.5 SP3 Patch2 build 3366 - CVE-2024-36359
Change Log
No Changed Details Date of change
1 [June 20, 2024] Published June 20, 2024, 11:13 a.m.

NVD Vulnerability Information
CVE-2024-36302
Summary

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

This vulnerability is similar to, but not identical to, CVE-2024-36303.

Publication Date June 11, 2024, 7:15 a.m.
Registration Date June 11, 2024, 10 a.m.
Last Update Nov. 21, 2024, 6:22 p.m.
Related information, measures and tools
Common Vulnerabilities List
CVE-2024-36303
Summary

An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

This vulnerability is similar to, but not identical to, CVE-2024-36302.

Publication Date June 11, 2024, 7:15 a.m.
Registration Date June 11, 2024, 10 a.m.
Last Update Nov. 21, 2024, 6:22 p.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:trendmicro:apex_one:*:*:*:*:saas:*:*:* 14.0 14.0.13139
CVE-2024-36304
Summary

A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One and Apex One as a Service agent could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Publication Date June 11, 2024, 7:15 a.m.
Registration Date June 11, 2024, 10 a.m.
Last Update Nov. 21, 2024, 6:22 p.m.
CVE-2024-36305
Summary

A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Publication Date June 11, 2024, 7:15 a.m.
Registration Date June 11, 2024, 10 a.m.
Last Update Nov. 21, 2024, 6:22 p.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:trendmicro:apex_one:*:*:*:*:saas:*:*:* 14.0 14.0.0.12980
CVE-2024-36306
Summary

A link following vulnerability in the Trend Micro Apex One and Apex One as a Service Damage Cleanup Engine could allow a local attacker to create a denial-of-service condition on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Publication Date June 11, 2024, 7:15 a.m.
Registration Date June 11, 2024, 10 a.m.
Last Update Nov. 21, 2024, 6:22 p.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:trendmicro:apex_one:*:*:*:*:saas:*:*:* 14.0 14.0.0.12980
CVE-2024-36307
Summary

A security agent link following vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to disclose sensitive information about the agent on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Publication Date June 11, 2024, 7:15 a.m.
Registration Date June 11, 2024, 10 a.m.
Last Update Nov. 21, 2024, 6:22 p.m.
CVE-2024-36358
Summary

A link following vulnerability in Trend Micro Deep Security 20.x agents below build 20.0.1-3180 could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Publication Date June 11, 2024, 7:15 a.m.
Registration Date June 11, 2024, 10 a.m.
Last Update Nov. 21, 2024, 6:22 p.m.
CVE-2024-36359
Summary

A cross-site scripting (XSS) vulnerability in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 could allow an attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Publication Date June 11, 2024, 7:15 a.m.
Registration Date June 11, 2024, 10 a.m.
Last Update Nov. 21, 2024, 6:22 p.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:trendmicro:interscan_web_security_virtual_appliance:6.5:*:*:*:*:*:*:*
CVE-2024-37289
Summary

An improper access control vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Publication Date June 11, 2024, 7:15 a.m.
Registration Date June 11, 2024, 10 a.m.
Last Update Nov. 21, 2024, 6:23 p.m.