CVE-2022-24678
📋 TL;DR
This vulnerability allows attackers to flood temporary log locations in Trend Micro security agents, consuming all disk space and causing denial-of-service. Affected products include Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1, and Worry-Free Business Security Services agents.
💻 Affected Systems
- Trend Micro Apex One
- Trend Micro Apex One as a Service
- Trend Micro Worry-Free Business Security 10.0 SP1
- Trend Micro Worry-Free Business Security Services
📦 What is this software?
Apex One by Trendmicro
⚠️ Risk & Real-World Impact
Worst Case
Complete system unavailability due to disk exhaustion, preventing legitimate operations and potentially requiring physical intervention to restore functionality.
Likely Case
Degraded system performance leading to service disruption, failed security scans, and inability to process new security events.
If Mitigated
Minimal impact with proper monitoring and disk space management, though temporary performance degradation may occur during attack attempts.
🎯 Exploit Status
Exploitation requires ability to write to the temporary log location, which typically requires some level of access to the target system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apex One: Hotfix 23598 or later; Worry-Free Business Security: Build 10.0.2041 or later
Vendor Advisory: https://success.trendmicro.com/solution/000290464
Restart Required: Yes
Instructions:
1. Download the appropriate hotfix from Trend Micro support portal.
2. Apply the patch to affected systems.
3. Restart the Trend Micro services or reboot the system as required.
🔧 Temporary Workarounds
Monitor and manage disk space
Windows: Implement monitoring for disk usage on systems running Trend Micro agents and set up alerts for high disk utilization.
Restrict write access to log directories
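Windows: Apply strict permissions to temporary log directories to prevent unauthorized write operations. A deny entry for Everyone, as in the command below, also applies to the accounts the agent's own services run under, so confirm the agent can still write its logs after applying it.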
icacls "C:\Program Files\Trend Micro\Apex One\PCCSRV\Logs" /deny Everyone:(OI)(CI)W
🧯 If You Can't Patch
- Implement disk space monitoring with automated alerts for high utilization
- Restrict network access to Trend Micro agent management interfaces
🔍 How to Verify
Check if Vulnerable:
Check Trend Micro agent version in the console or via 'About' in the agent interface. Compare against patched versions.
Check Version:
Check agent version in Trend Micro console or via Windows Services (services.msc) for Trend Micro services
Verify Fix Applied:
Verify agent version shows patched version and monitor disk space consumption during normal operations.
📡 Detection & Monitoring
Log Indicators:
- Rapid growth of log files in Trend Micro directories
- Disk space alerts from monitoring systems
- Failed Trend Micro service events
Network Indicators:
- Unusual volume of traffic to Trend Micro agent ports
- Multiple failed authentication attempts to management interfaces
SIEM Query:
source="windows" AND (EventID=2013 OR "disk space" OR ("Trend Micro" AND ("failed" OR "error")))
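The first log indicator above (rapid log growth) and the disk-space workaround can be checked on the host itself. The script below is an added example, not Trend Micro's or the advisory's code: it samples the size of the log directory twice, converts the difference to a growth rate, and checks free space on the same volume. The directory is the one used in the icacls workaround on this page; the thresholds, sampling interval and exit codes are assumptions to tune.

```powershell
# Added example: flag rapid log growth and low free space on an agent host.
# Assumed values: both thresholds and the interval. $LogDir is the path from
# the icacls workaround on this page; adjust it to the agent's log location.
param(
    [string]$LogDir = 'C:\Program Files\Trend Micro\Apex One\PCCSRV\Logs',
    [ValidateRange(1, 3600)][int]$IntervalSeconds = 60,
    [double]$MaxGrowthMBPerMin = 100,   # assumed threshold
    [double]$MinFreePercent    = 10     # assumed threshold
)

function Get-DirSizeBytes {
    param([string]$Path)
    # Sum file lengths; skip files that vanish or are locked mid-scan.
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { return [int64]0 }
    return [int64]$sum
}

if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
    Write-Error "Log directory not found: $LogDir"
    exit 2
}

# Two samples, normalised to MB per minute.
$before = Get-DirSizeBytes -Path $LogDir
Start-Sleep -Seconds $IntervalSeconds
$after  = Get-DirSizeBytes -Path $LogDir
$growthMBPerMin = (($after - $before) / 1MB) * (60 / $IntervalSeconds)

# Free space on the volume that holds the log directory.
$drive = (Get-Item -LiteralPath $LogDir).PSDrive.Name
$vol   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='${drive}:'"
$freePercent = 100 * $vol.FreeSpace / $vol.Size

$alerts = @()
if ($growthMBPerMin -gt $MaxGrowthMBPerMin) { $alerts += ('log growth {0:N1} MB/min' -f $growthMBPerMin) }
if ($freePercent -lt $MinFreePercent)       { $alerts += ('free space {0:N1}%' -f $freePercent) }

if ($alerts.Count -gt 0) {
    Write-Warning ("{0}: {1}" -f $LogDir, ($alerts -join '; '))
    # The largest files show what is filling the directory.
    Get-ChildItem -LiteralPath $LogDir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Sort-Object Length -Descending |
        Select-Object -First 5 FullName, Length, LastWriteTime
    exit 1
}
Write-Output ('OK: growth {0:N1} MB/min, free {1:N1}%' -f $growthMBPerMin, $freePercent)
exit 0
```

Run it from a scheduled task and alert on a non-zero exit code: 1 means a threshold was crossed, 2 means the directory was not found.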
🔗 References
- https://success.trendmicro.com/solution/000290464
- https://success.trendmicro.com/solution/000290486
- https://www.zerodayinitiative.com/advisories/ZDI-22-372/