CVE-2022-24680

7.8 HIGH

📋 TL;DR

This vulnerability allows a local attacker with low-privileged code execution to escalate privileges by creating mount points and deleting arbitrary folders in Trend Micro security products. Affected systems include Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security installations.

💻 Affected Systems

Products:
  • Trend Micro Apex One
  • Trend Micro Apex One as a Service
  • Trend Micro Worry-Free Business Security 10.0 SP1
  • Trend Micro Worry-Free Business Security Services
Versions: All versions prior to patches released in February 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects agent installations on endpoints. Requires local access and ability to execute low-privileged code first.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with administrative privileges, enabling data destruction, persistence mechanisms, and lateral movement.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, install malware, or access sensitive data.

🟢 If Mitigated

Limited impact if proper access controls and monitoring prevent initial low-privileged code execution.

🌐 Internet-Facing: LOW - Requires local access and initial low-privileged code execution.
🏢 Internal Only: HIGH - Once an attacker gains initial foothold on an internal system, they can escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and initial low-privileged code execution. ZDI advisory suggests exploit is reliable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apex One: Hotfix 23598 or later; Worry-Free: Hotfix 23600 or later

Vendor Advisory: https://success.trendmicro.com/solution/000290464

Restart Required: Yes

Instructions:

1. Download the appropriate hotfix from the Trend Micro support portal.
2. Deploy the hotfix to all affected endpoints.
3. Restart systems to complete installation.

🔧 Temporary Workarounds

Restrict local user privileges

Platform: windows

Limit the ability of local users to execute arbitrary code through application whitelisting and least-privilege principles.

Monitor for suspicious mount operations

Platform: windows

Implement monitoring for mount point creation and folder deletion operations in security logs.

🧯 If You Can't Patch

  • Implement strict application control policies to prevent execution of unauthorized code
  • Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Trend Micro agent version in Control Manager, or via the 'tmctl --version' command on the endpoint.

Check Version:

tmctl --version

Verify Fix Applied:

Verify agent version is at or above patched versions: Apex One Hotfix 23598+, Worry-Free Hotfix 23600+.

📡 Detection & Monitoring

Log Indicators:

  • Unusual mount point creation events
  • Suspicious folder deletion operations
  • Privilege escalation attempts in security logs

Network Indicators:

  • Unusual outbound connections from Trend Micro agent processes

SIEM Query:

(EventID=4688 AND ProcessName LIKE '%tm%' AND CommandLine CONTAINS 'mount') OR (EventID=4663 AND ObjectName LIKE '%TrendMicro%')
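The SIEM query above is pseudo-syntax, so the following is an added example (not part of this advisory and not Trend Micro tooling) that applies the same two conditions to constructed Windows Security events exported in a flat key=value format. Event IDs 4688 (process creation) and 4663 (object access) are the standard Windows Security log IDs; the sample lines, user names and file paths are constructed for illustration and are not a captured log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample export (not a real capture). Line 2 and line 3 are the
# two events the page's query is meant to catch; the others are benign noise.
SAMPLE_LOG = r"""
EventID=4688 SubjectUserName=alice ProcessName="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c dir"
EventID=4688 SubjectUserName=alice ProcessName="C:\Users\alice\AppData\Local\Temp\tmp1234.exe" CommandLine="tmp1234.exe --mount C:\Target"
EventID=4663 SubjectUserName=alice ObjectName="C:\Program Files (x86)\TrendMicro\agent\logs" AccessMask=0x10000
EventID=4663 SubjectUserName=bob ObjectName="C:\Users\bob\Documents\notes.txt" AccessMask=0x1
EventID=4688 SubjectUserName=svc ProcessName="C:\Program Files\Example\tmservice.exe" CommandLine="tmservice.exe --reload"
""".strip()


@dataclass(frozen=True)
class SecurityEvent:
    """Only the fields of a Windows Security event that the two rules inspect."""
    event_id: int
    process_name: str = ""
    command_line: str = ""
    object_name: str = ""
    subject: str = ""


# key=value pairs; values are either "double quoted" (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Optional[SecurityEvent]:
    """Parse one exported line into a SecurityEvent; None if it carries no EventID."""
    fields = {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}
    if "EventID" not in fields:
        return None
    return SecurityEvent(
        event_id=int(fields["EventID"]),
        process_name=fields.get("ProcessName", ""),
        command_line=fields.get("CommandLine", ""),
        object_name=fields.get("ObjectName", ""),
        subject=fields.get("SubjectUserName", ""),
    )


def process_rule(ev: SecurityEvent) -> bool:
    """EventID=4688 AND ProcessName LIKE '%tm%' AND CommandLine CONTAINS 'mount'."""
    return (
        ev.event_id == 4688
        and "tm" in ev.process_name.lower()
        and "mount" in ev.command_line.lower()
    )


def object_rule(ev: SecurityEvent) -> bool:
    """EventID=4663 AND ObjectName LIKE '%TrendMicro%'."""
    return ev.event_id == 4663 and "trendmicro" in ev.object_name.lower()


RULES = (
    ("process_4688_mount", process_rule),
    ("object_4663_trendmicro", object_rule),
)


def matched_rules(ev: SecurityEvent) -> List[str]:
    """Names of every rule the event satisfies (the OR in the page's query)."""
    return [name for name, rule in RULES if rule(ev)]


def run_detection(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, subject user) for each matching event."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        ev = parse_line(line)
        if ev is None:
            continue
        for name in matched_rules(ev):
            hits.append((lineno, name, ev.subject))
    return hits


if __name__ == "__main__":
    for lineno, rule, user in run_detection(SAMPLE_LOG):
        print(f"line {lineno}: {rule} (user={user})")
```

Two caveats a practitioner would check before deploying this logic. First, `'%tm%'` is a broad substring: in the sample it matches both `tmp1234.exe` and `tmservice.exe`, and only the `mount` clause keeps the second from firing, so in production the process clause should be narrowed to the agent's actual installation directory (which this page does not name). Second, neither event fires unless auditing is configured: 4688 carries a CommandLine field only when "Include command line in process creation events" is enabled alongside Audit Process Creation, and 4663 is generated only for objects that have a SACL, so the Trend Micro folders must be given one for the object rule to see anything.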
