CVE-2021-45441

7.8 HIGH

📋 TL;DR

This vulnerability in Trend Micro Apex One allows a local attacker with initial low-privileged access to manipulate a specially crafted file and issue commands via a named pipe, leading to privilege escalation. It affects both on-premises and SaaS deployments of Apex One. Attackers must already have some foothold on the target system to exploit this flaw.

💻 Affected Systems

Products:
  • Trend Micro Apex One
  • Trend Micro Apex One as a Service
Versions: prior to the 2019 (aka 14.0.12602) update
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both on-premises and SaaS deployments. The vulnerability is in the origin validation logic for certain file operations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with initial low-privileged access could achieve SYSTEM/root-level privileges, potentially taking full control of the endpoint, disabling security controls, and moving laterally within the network.

🟠 Likely Case

An attacker who has already compromised a user account or application could elevate privileges to administrative levels, bypass security restrictions, and maintain persistence on the system.

🟢 If Mitigated

With proper endpoint security controls, network segmentation, and least privilege principles, the impact is limited to the initially compromised account with no lateral movement or persistence.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring existing local access, not directly exploitable from the internet.
🏢 Internal Only: HIGH - Once an attacker gains initial access to an internal system (via phishing, malware, etc.), this vulnerability enables significant privilege escalation and lateral movement capabilities.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires existing low-privileged code execution on the target system. The vulnerability has been publicly disclosed with technical details, making weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apex One 2019 (aka 14.0.12602) and later

Vendor Advisory: https://success.trendmicro.com/solution/000289996

Restart Required: Yes

Instructions:

1. Download the latest Apex One update from the Trend Micro support portal.
2. Apply the update to all affected endpoints.
3. Restart systems as required by the update process.
4. Verify all endpoints are running version 14.0.12602 or later.

🔧 Temporary Workarounds

Restrict named pipe access (platform: windows)

Configure Windows security policies to restrict access to the vulnerable named pipe used by Apex One. Use Windows Group Policy or local security policy to set appropriate permissions on the \\.\pipe\TmCCSF_Comm_* pipes.

Implement least privilege (platform: windows)

Ensure all user accounts run with the minimal necessary privileges to limit the impact of an initial compromise.

🧯 If You Can't Patch

  • Implement strict application control policies to prevent execution of unauthorized binaries
  • Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Apex One agent version in the Trend Micro console or locally via the agent interface. Versions below 14.0.12602 are vulnerable.

Check Version:

Check the Apex One agent version through the Trend Micro console or examine the agent installation directory properties.

Verify Fix Applied:

Confirm Apex One agent version is 14.0.12602 or higher in the Trend Micro management console or agent properties.
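The verification steps above, as an added PowerShell example (not from this advisory or from Trend Micro): it reads the agent's reported version, compares it against the fixed build the advisory gives (14.0.12602), and lists any TmCCSF_Comm_* pipes currently exposed on the host. The registry path, the install directory and the assumption that the build number is the last numeric field of the version string are assumptions, not facts from the advisory; adjust them to what your agents actually report.

```powershell
# Added example (not from the advisory or Trend Micro). Assumptions are labelled inline.

function Test-ApexOneFixed {
    param([Parameter(Mandatory)][string]$VersionString)
    # Assumption: the build is the last numeric field. The advisory writes the fixed
    # build as 14.0.12602; an agent may report a four-part string such as 14.0.0.12602,
    # so a plain [version] comparison would misorder the fields. Compare major + build.
    $parts = @([regex]::Matches($VersionString, '\d+') | ForEach-Object { [int]$_.Value })
    if ($parts.Count -lt 2) { throw "Unrecognised version string: $VersionString" }
    $major = $parts[0]
    $build = $parts[-1]
    return (($major -gt 14) -or ($major -eq 14 -and $build -ge 12602))
}

function Get-ApexOneAgentVersion {
    # Assumed locations: the agent registry value ProgramVer, then the file version of
    # TmListen.exe (named in the advisory's SIEM query) in the default install directory.
    $regPaths = @(
        'HKLM:\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion',
        'HKLM:\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion'
    )
    foreach ($p in $regPaths) {
        $v = (Get-ItemProperty -Path $p -Name ProgramVer -ErrorAction SilentlyContinue).ProgramVer
        if ($v) { return [string]$v }
    }
    $exe = Join-Path ${env:ProgramFiles(x86)} 'Trend Micro\OfficeScan Client\TmListen.exe'
    if (Test-Path $exe) { return (Get-Item $exe).VersionInfo.FileVersion }
    return $null
}

function Get-ApexOnePipes {
    # Named pipes are enumerable as entries under \\.\pipe\ ; keep only the
    # TmCCSF_Comm_* pipes the advisory's workaround refers to.
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { Split-Path -Path $_ -Leaf } |
        Where-Object { $_ -like 'TmCCSF_Comm_*' }
}

$ver = Get-ApexOneAgentVersion
if ($null -eq $ver) {
    Write-Warning 'Apex One agent not found (or it is installed outside the assumed default location).'
} else {
    $status = if (Test-ApexOneFixed -VersionString $ver) { 'PATCHED' } else { 'VULNERABLE' }
    Write-Output ('Apex One agent version {0}: {1} (fixed build is 14.0.12602)' -f $ver, $status)
}
$pipes = @(Get-ApexOnePipes)
Write-Output ('TmCCSF_Comm_* pipes present: {0}' -f $(if ($pipes) { $pipes -join ', ' } else { 'none' }))
```

Run it in an elevated PowerShell session on the endpoint. A VULNERABLE verdict together with a non-empty pipe list is the state the advisory describes: the agent is below the fixed build and the IPC channel is live. Pipe DACLs are assigned by the process that creates the pipe, so if you need to inspect who can open them, use Sysinternals accesschk against the pipe names this script prints rather than expecting a file-system ACL view.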

📡 Detection & Monitoring

Log Indicators:

  • Unusual named pipe creation/access events in Windows security logs
  • Apex One service restart events
  • Privilege escalation attempts in security logs

Network Indicators:

  • Unusual inter-process communication patterns on affected endpoints

SIEM Query:

EventID=4688 AND (ParentProcessName LIKE '%TmListen.exe%' OR CommandLine CONTAINS 'TmCCSF_Comm') AND (NewProcessName LIKE '%cmd.exe%' OR NewProcessName LIKE '%powershell.exe%')

In event 4688 the program being started is NewProcessName and the program that started it is ParentProcessName (Creator Process Name), so the Apex One listener is matched as the parent. The two shell conditions must be grouped in parentheses; left ungrouped, the trailing OR matches every powershell.exe launch on the host.
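The same detection as an added PowerShell example (not from this advisory or from Trend Micro) for hosts that do not forward to a SIEM: one function holds the rule so it can be checked against constructed records, and a second applies it to live Security log 4688 events. It assumes the standard 4688 EventData field names (ParentProcessName, NewProcessName, CommandLine, SubjectUserName); ParentProcessName and CommandLine are only populated when "Audit Process Creation" and "Include command line in process creation events" are enabled. The sample records at the end are constructed, not real telemetry.

```powershell
# Added example (not from the advisory or Trend Micro). Assumptions are labelled inline.

function Test-ApexOneShellSpawn {
    param(
        [string]$ParentProcessName,
        [string]$NewProcessName,
        [string]$CommandLine
    )
    # Same logic as the SIEM query, with the OR clauses grouped: (Apex One listener is
    # the parent OR the pipe name appears on the command line) AND (the child is a shell).
    $fromApexOne = ($ParentProcessName -like '*\TmListen.exe') -or ($CommandLine -like '*TmCCSF_Comm*')
    $isShell     = ($NewProcessName -like '*\cmd.exe') -or ($NewProcessName -like '*\powershell.exe')
    return ($fromApexOne -and $isShell)
}

function Get-ApexOneShellSpawns {
    param([int]$Hours = 24)
    # Reads 4688 events from the local Security log; needs an elevated session.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        # EventData is a list of <Data Name="..."> elements; flatten it into a hashtable.
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $hit = Test-ApexOneShellSpawn -ParentProcessName $data['ParentProcessName'] `
                                      -NewProcessName    $data['NewProcessName'] `
                                      -CommandLine       $data['CommandLine']
        if ($hit) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $data['SubjectUserName']
                Parent  = $data['ParentProcessName']
                Child   = $data['NewProcessName']
                Command = $data['CommandLine']
            }
        }
    }
}

# Constructed sample records (not real telemetry) showing the rule's verdicts offline:
# the first should report True, the second False.
$samples = @(
    @{ ParentProcessName = 'C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe'
       NewProcessName    = 'C:\Windows\System32\cmd.exe'
       CommandLine       = 'cmd.exe /c echo constructed-sample' },
    @{ ParentProcessName = 'C:\Windows\explorer.exe'
       NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine       = 'powershell.exe' }
)
foreach ($s in $samples) {
    '{0} -> {1}: {2}' -f (Split-Path -Path $s.ParentProcessName -Leaf),
                         (Split-Path -Path $s.NewProcessName -Leaf),
                         (Test-ApexOneShellSpawn @s)
}

# Live hunt over the last 24 hours:
# Get-ApexOneShellSpawns -Hours 24 | Format-Table -AutoSize
```

A true hit means the Apex One listener (running as SYSTEM) created an interactive shell, which is the post-exploitation shape this vulnerability produces; treat it as a high-fidelity alert and pivot to the SubjectUserName and the command line. If ParentProcessName comes back empty on every event, process creation auditing is not configured and the rule cannot fire.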

🔗 References
