CVE-2023-52091: 
Trend Micro Apex One Agent vulnerability analysis and mitigation

CVE-2023-52091 is an anti-spyware engine link following vulnerability discovered in Trend Micro Apex One that could allow local attackers to escalate privileges on affected installations. The vulnerability was reported to the vendor on August 3, 2023, and was publicly disclosed on January 10, 2024. The affected products include Trend Micro Apex One 2019 and Apex One as a Service versions up to (excluding) 14.0.12849. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (ZDI Advisory, NVD).

The specific vulnerability exists within the Anti-Spyware Engine, running within the Apex One RealTime Scan service. By creating a junction, an attacker can abuse the service to delete a file. The vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access). To exploit this vulnerability, an attacker must first obtain the ability to execute low-privileged code on the target system (ZDI Advisory).

If successfully exploited, this vulnerability allows an attacker to escalate privileges and execute arbitrary code in the context of SYSTEM. This means an attacker could gain full control over the affected system, potentially leading to unauthorized access to sensitive data and system resources (ZDI Advisory).

Trend Micro has released security updates to address this vulnerability. For Apex One 2019 (On-prem), users should update to SP1 CP b12534, and for Apex One as a Service, users should apply the November 2023 Monthly Patch (202311) with Agent Version 14.0.12849. Additionally, customers are advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date (Trend Micro Advisory).

The vulnerability was discovered and reported by NT AUTHORITY\ANONYMOUS LOGON working with Trend Micro's Zero Day Initiative. The coordinated disclosure process was followed, with the vulnerability being reported to the vendor on August 3, 2023, and publicly disclosed on January 10, 2024 (ZDI Advisory).