Trend Micro has addressed two high-severity bugs impacting its hybrid cloud security products. The researchers responsible for identifying the flaws have released the details and proof-of-concept (PoC) exploits.
The flaws, tracked as CVE-2022-23119 and CVE-2022-23120, affect the Deep Security and Cloud One Workload Security solutions, specifically their Linux agent.
The security holes were unearthed by researchers at Swiss-German cybersecurity firm modzero, which also published PoC exploits on the same day Trend Micro released the security patches, January 19. The researchers first reported the vulnerabilities to Trend Micro in September, and patches were released between October and December.
The researchers at modzero found that the Deep Security Agent for Linux is affected by a directory traversal bug that could be exploited by malicious actors to read arbitrary files, and by a code injection issue that could be abused to escalate privileges and execute code as root. However, an attacker needs access to the targeted system, and exploitation is only possible if the agent has not yet been activated or configured.
Additionally, modzero's researchers found that a hardcoded default X.509 certificate and its corresponding private key are shipped with the agent software. The certificate is used to establish communication with the server before the agent is activated.
“The Trend Micro Deep Security Agent authenticates remote servers using mutual TLS (mTLS): Both the server and the agent identify each other by presenting a certificate. The agent software ships with a hardcoded default X.509 certificate and a corresponding private key. Until the agent is configured (‘activated’) by the server component, this certificate is used in communications with the server. It is stored in the shared object file /opt/ds_agent/lib/dsa_core.so. The agent software uses a certificate authority (CA) to establish the server’s identity,” the researchers explained.
“When the server connects to the agent, its certificate is validated against this CA. However, the agent uses its own certificate also as a CA. As this certificate ships with a private key, it is possible for an attacker to create and sign their own server certificate, imitate a server and send commands to the client software.”
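The trust confusion the researchers describe, as an added Go example that is not part of the article or of Trend Micro's code: a constructed CA, a genuine server certificate, a self-signed default agent certificate whose private key the client itself holds, and a server certificate signed with that key. The agent certificate is assumed CA:TRUE so that a standards-conforming verifier treats it as an issuer (the real certificate's extensions are not described above); all names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert mints a P-256 certificate for cn, self-signed when parent is nil; isCA sets basicConstraints.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepts reports whether an mTLS client that trusts exactly the given anchors would accept server as its peer.
func accepts(server *x509.Certificate, anchors ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// Demo: verdict on a forged server cert with the agent cert in the trust store, on it once only the CA is trusted, and on the genuine cert.
func Demo() (forgedAccepted, forgedAcceptedAfterFix, genuineAccepted bool) {
	ca, caKey := newCert("Manager CA (constructed)", true, nil, nil)
	genuine, _ := newCert("manager.example (constructed)", false, ca, caKey)
	// Default agent identity shipped together with its private key; assumed CA:TRUE so a verifier treats it as an issuer.
	agent, agentKey := newCert("default agent cert (constructed)", true, nil, nil)
	forged, _ := newCert("manager.example (forged)", false, agent, agentKey) // anyone holding the shipped key can sign this
	return accepts(forged, ca, agent), accepts(forged, ca), accepts(genuine, ca)
}
```

The fix is the second verdict: the trust store must hold only the server CA, never a certificate whose private key the client itself carries, and the genuine server still verifies afterwards.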
Last week, Trend Micro informed users about an information disclosure bug affecting its Worry-Free Business Security small business product. That flaw, however, was assigned a “low severity” rating.