CVE-2020-8598 - OpenCVE

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges. Authentication is not required to exploit this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Trendmicro	Apex One Worry-free Business Security Officescan

Configuration 1 [-]

OR	cpe:2.3:a:trendmicro:apex_one:2019:::::::*
	cpe:2.3:a:trendmicro:officescan:xg:::::::*
	cpe:2.3:a:trendmicro:officescan:xg:sp1::::::
	cpe:2.3:a:trendmicro:worry-free_business_security:9.0:sp3::::::
	cpe:2.3:a:trendmicro:worry-free_business_security:9.5:::::::*
	cpe:2.3:a:trendmicro:worry-free_business_security:10.0:-::::::
	cpe:2.3:a:trendmicro:worry-free_business_security:10.0:sp1::::::

References

Link	Resource
https://success.trendmicro.com/jp/solution/000244253	Patch Vendor Advisory
https://success.trendmicro.com/jp/solution/000244836	Patch Vendor Advisory
https://success.trendmicro.com/solution/000245571	Patch Vendor Advisory
https://success.trendmicro.com/solution/000245572	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: trendmicro

Published: 2020-03-18T00:30:44

Updated: 2020-03-18T00:30:44

Reserved: 2020-02-04T00:00:00

Link: CVE-2020-8598

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-03-18T01:15:12.160

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-8598

JSON object: View

Redhat Information

No data.

CWE

CWE-306

{"containers": {"cna": {"affected": [{"product": "Trend Micro OfficeScan, Trend Micro Apex One, Trend Micro Worry-Free Business Security (WFBS)", "vendor": "Trend Micro", "versions": [{"status": "affected", "version": "OfficeScan XG (12.0), Apex One 2019 (14.0), WFBS 9.0, 9.5 and 10.0"}]}], "descriptions": [{"lang": "en", "value": "Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges. Authentication is not required to exploit this vulnerability."}], "problemTypes": [{"descriptions": [{"description": "Directory Traversal", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-18T00:30:44", "orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", "shortName": "trendmicro"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://success.trendmicro.com/solution/000245571"}, {"tags": ["x_refsource_MISC"], "url": "https://success.trendmicro.com/jp/solution/000244253"}, {"tags": ["x_refsource_MISC"], "url": "https://success.trendmicro.com/solution/000245572"}, {"tags": ["x_refsource_MISC"], "url": "https://success.trendmicro.com/jp/solution/000244836"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@trendmicro.com", "ID": "CVE-2020-8598", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Trend Micro OfficeScan, Trend Micro Apex One, Trend Micro Worry-Free Business Security (WFBS)", "version": {"version_data": [{"version_value": "OfficeScan XG (12.0), Apex One 2019 (14.0), WFBS 9.0, 9.5 and 10.0"}]}}]}, "vendor_name": "Trend Micro"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges. Authentication is not required to exploit this vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Directory Traversal"}]}]}, "references": {"reference_data": [{"name": "https://success.trendmicro.com/solution/000245571", "refsource": "MISC", "url": "https://success.trendmicro.com/solution/000245571"}, {"name": "https://success.trendmicro.com/jp/solution/000244253", "refsource": "MISC", "url": "https://success.trendmicro.com/jp/solution/000244253"}, {"name": "https://success.trendmicro.com/solution/000245572", "refsource": "MISC", "url": "https://success.trendmicro.com/solution/000245572"}, {"name": "https://success.trendmicro.com/jp/solution/000244836", "refsource": "MISC", "url": "https://success.trendmicro.com/jp/solution/000244836"}]}}}}, "cveMetadata": {"assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", "assignerShortName": "trendmicro", "cveId": "CVE-2020-8598", "datePublished": "2020-03-18T00:30:44", "dateReserved": "2020-02-04T00:00:00", "dateUpdated": "2020-03-18T00:30:44", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trendmicro:apex_one:2019:*:*:*:*:*:*:*", "matchCriteriaId": "AF019D2D-C426-4D2D-A254-442CE777B41E", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:officescan:xg:*:*:*:*:*:*:*", "matchCriteriaId": "602A0266-B586-447A-A500-1145B77053E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:officescan:xg:sp1:*:*:*:*:*:*", "matchCriteriaId": "64600B42-4884-41F2-A683-AE1EDB79372E", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:worry-free_business_security:9.0:sp3:*:*:*:*:*:*", "matchCriteriaId": "83FF66BA-6904-4D7F-944F-64896AD6CF3D", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:worry-free_business_security:9.5:*:*:*:*:*:*:*", "matchCriteriaId": "6E482D0E-3CC6-4D32-AC2E-6A506066ECAB", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:worry-free_business_security:10.0:-:*:*:*:*:*:*", "matchCriteriaId": "2A0EDD09-FA88-46A8-A62F-551EB253F722", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:worry-free_business_security:10.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "FFCE8717-85D2-4F4F-91DF-C6DA341C4E19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges. Authentication is not required to exploit this vulnerability."}, {"lang": "es", "value": "El servidor de Trend Micro Apex One (2019), OfficeScan XG y Worry-Free Business Security versiones (9.0, 9.5, 10.0), contienen un archivo DLL de servicio vulnerable que podr\u00eda permitir a un atacante remoto ejecutar c\u00f3digo arbitrario en instalaciones afectadas con privilegios de nivel SYSTEM. No es requerida una autenticaci\u00f3n para explotar esta vulnerabilidad."}], "id": "CVE-2020-8598", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-18T01:15:12.160", "references": [{"source": "security@trendmicro.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://success.trendmicro.com/jp/solution/000244253"}, {"source": "security@trendmicro.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://success.trendmicro.com/jp/solution/000244836"}, {"source": "security@trendmicro.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://success.trendmicro.com/solution/000245571"}, {"source": "security@trendmicro.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://success.trendmicro.com/solution/000245572"}], "sourceIdentifier": "security@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}