CVE-2022-23119
📋 TL;DR
A directory traversal vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux allows authenticated attackers to read arbitrary files from the file system. This affects Linux agents version 20 and below. Exploitation requires compromised access to the Deep Security Manager or an unactivated/unconfigured agent.
💻 Affected Systems
- Trend Micro Deep Security Agent
- Trend Micro Cloud One - Workload Security Agent
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with compromised DSM credentials could read sensitive system files, configuration files, or credentials stored on the filesystem, potentially leading to full system compromise.
Likely Case
An attacker with initial access could escalate privileges by reading sensitive configuration files or credentials, enabling lateral movement within the environment.
If Mitigated
With proper access controls and activated/configured agents, the attack surface is significantly reduced, limiting impact to already compromised systems.
🎯 Exploit Status
Exploitation requires authentication to the DSM or access to an unactivated agent. Directory traversal techniques are well documented and simple to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 20.0.1-2909 or later
Vendor Advisory: https://success.trendmicro.com/solution/000290104
Restart Required: Yes
Instructions:
1. Update Deep Security Manager to the latest version.
2. Deploy updated agent packages to all affected Linux systems.
3. Restart agents after deployment.
🔧 Temporary Workarounds
Restrict DSM Access
Limit access to Deep Security Manager to only authorized administrators and systems.
Ensure Agent Activation
Verify that all agents are properly activated and configured, removing the unactivated-agent attack vector.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Deep Security Manager and agents from untrusted networks.
- Monitor for unusual file access patterns from DSM or agent processes using file integrity monitoring.
🔍 How to Verify
Check if Vulnerable:
Check agent version: /opt/ds_agent/dsa_query -v | grep 'Agent version'
Check Version:
/opt/ds_agent/dsa_query -v
Verify Fix Applied:
Verify agent version is 20.0.1-2909 or higher: /opt/ds_agent/dsa_query -v
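The version check above, carried out as a small POSIX shell script that compares the reported agent version against the fixed version 20.0.1-2909. This is an added example, not Trend Micro tooling; the exact format of the 'Agent version' line printed by dsa_query -v and the sample version strings are assumptions.

```shell
#!/bin/sh
# Added example, not Trend Micro tooling: classify a Deep Security Agent
# version against the fixed version 20.0.1-2909 from the advisory. The
# "Agent version: x.y.z-build" line format and the sample versions used
# below are assumptions.
FIXED_VERSION="20.0.1-2909"

# ds_version_ge A B: exit 0 when version A >= version B. Both '.' and '-'
# separate fields, so "20.0.1-2909" and "20.0.1.2909" compare equal; a
# missing trailing field counts as 0.
ds_version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, fa, "[.-]"); nb = split(b, fb, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = fa[i] + 0; y = fb[i] + 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# ds_extract_version LINE: first x.y.z-build (or x.y.z.build) token in LINE.
ds_extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+[.-][0-9]+' | head -n 1
}

# ds_status LINE: print "fixed", "vulnerable" or "unknown" for the version
# found in LINE (e.g. the grep'd output of dsa_query -v).
ds_status() {
    v=$(ds_extract_version "$1" || true)
    if [ -z "$v" ]; then
        echo "unknown"; return 2
    elif ds_version_ge "$v" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# On a real host, run the page's own check through the classifier.
if [ -x /opt/ds_agent/dsa_query ]; then
    ds_status "$(/opt/ds_agent/dsa_query -v | grep 'Agent version')"
fi
```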
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in agent logs
- Multiple failed file access attempts from DSM
Network Indicators:
- Unusual outbound connections from agents following file access
SIEM Query:
source="trendmicro_agent" AND (event="file_access" OR event="directory_traversal")