CVE-2021-42102

7.8 HIGH

📋 TL;DR

This vulnerability allows a local attacker with low-privileged code execution to escalate privileges on Trend Micro Apex One installations. It affects both on-premise Apex One and cloud-based Apex One as a Service deployments. Attackers can exploit this to gain higher system privileges than originally granted.

💻 Affected Systems

Products:
  • Trend Micro Apex One
  • Trend Micro Apex One as a Service
Versions: All versions prior to the 2019 (11.0.0.2266) and 2020 (14.0.0.2266) hotfix patches
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both on-premise and SaaS deployments. Requires local access with ability to execute low-privileged code first.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with administrative privileges, enabling installation of persistent malware, data theft, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional malware, and maintain persistence on compromised systems.

🟢 If Mitigated

Limited impact if proper endpoint security controls, least privilege principles, and network segmentation are implemented.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring initial low-privileged access, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Once an attacker gains initial foothold on an internal system, this vulnerability enables significant privilege escalation within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access with low-privileged execution first. The vulnerability is in the DLL search path mechanism, making exploitation relatively straightforward for attackers with initial access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2019 (11.0.0.2266) and 2020 (14.0.0.2266) hotfix patches

Vendor Advisory: https://success.trendmicro.com/solution/000289229

Restart Required: Yes

Instructions:

1. Download the appropriate hotfix from the Trend Micro support portal.
2. Apply the hotfix to all affected Apex One agents.
3. Restart the systems to complete the installation.
4. Verify the patch is applied successfully.

🔧 Temporary Workarounds

Restrict local user privileges

Platform: Windows

Implement least privilege principles to limit local user account permissions, reducing the impact of initial low-privileged access.

Enable application whitelisting

Platform: Windows

Use application control policies to prevent unauthorized code execution from non-standard locations.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate systems running vulnerable versions
  • Enhance monitoring for privilege escalation attempts and unusual process behavior

🔍 How to Verify

Check if Vulnerable:

Check Apex One agent version in Trend Micro Control Manager or via the agent interface. Versions prior to 11.0.0.2266 (2019) or 14.0.0.2266 (2020) are vulnerable.

Check Version:

Check via Trend Micro Control Manager or the agent properties. No single command is available, as the method varies by deployment.

Verify Fix Applied:

Verify agent version shows 11.0.0.2266 or higher for 2019, or 14.0.0.2266 or higher for 2020 in the Apex One management console.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from non-standard directories
  • Privilege escalation attempts in Windows security logs
  • Apex One service loading DLLs from unexpected locations

Network Indicators:

  • Unusual outbound connections from Apex One agent processes
  • Lateral movement attempts following local compromise

SIEM Query:

Process creation where parent process is Apex One agent and command line contains suspicious DLL loading patterns
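As an added example (not part of this advisory or of any Trend Micro tooling), the following Python rule implements the "agent loading DLLs from unexpected locations" indicator above over Sysmon-style ImageLoad (Event ID 7) records. The agent install directory, the process name and the sample events are constructed placeholders; substitute the real install path for your deployment.

```python
from __future__ import annotations
from pathlib import PureWindowsPath

# Placeholder install directory: the real path varies by deployment.
APEX_AGENT_DIR = r"C:\Program Files (x86)\Trend Micro\Security Agent"
# Directories from which the agent is expected to load DLLs.
TRUSTED_DLL_DIRS = (
    APEX_AGENT_DIR,
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)

def _under(path: str, root: str) -> bool:
    """True if `path` is `root` or lies beneath it (case-insensitive on Windows)."""
    p, r = PureWindowsPath(path), PureWindowsPath(root)
    return p == r or r in p.parents

def suspicious_dll_load(event: dict) -> str | None:
    """Return an alert reason for a Sysmon ImageLoad (ID 7) event, or None."""
    if event.get("EventID") != 7 or not _under(event["Image"], APEX_AGENT_DIR):
        return None  # not an image load, or the loading process is not the agent
    dll = event["ImageLoaded"]
    if any(_under(dll, d) for d in TRUSTED_DLL_DIRS):
        return None  # loaded from an expected location
    reason = f"{PureWindowsPath(event['Image']).name} loaded {dll} from outside trusted directories"
    if str(event.get("Signed", "")).lower() != "true":
        reason += " (unsigned)"
    return reason

def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run the rule over a batch of events; returns (UtcTime, reason) hits."""
    return [(e["UtcTime"], r) for e in events if (r := suspicious_dll_load(e))]

# Constructed sample events; process and DLL names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2021-10-01 10:00:00", "Image": APEX_AGENT_DIR + r"\agent_placeholder.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "UtcTime": "2021-10-01 10:00:05", "Image": APEX_AGENT_DIR + r"\agent_placeholder.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventID": 7, "UtcTime": "2021-10-01 10:00:09", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventID": 1, "UtcTime": "2021-10-01 10:00:12", "Image": APEX_AGENT_DIR + r"\agent_placeholder.exe",
     "CommandLine": "agent_placeholder.exe /scan"},
]

if __name__ == "__main__":
    for when, why in scan(SAMPLE_EVENTS):
        print(when, why)
```

Only the second sample event fires: the agent process loads an unsigned DLL from a user-writable temp directory, which is the pattern a DLL search path weakness produces; the same DLL loaded by an unrelated process is out of scope for this rule.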
