CVE-2023-0587
📋 TL;DR
An unauthenticated remote file upload vulnerability in Trend Micro Apex One allows attackers to upload arbitrary files to the server's SampleSubmission directory. This can lead to denial of service by filling the file system with large files. All systems running the affected build are vulnerable.
💻 Affected Systems
- Trend Micro Apex One
📦 What is this software?
Apex One by Trend Micro
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service through disk space exhaustion, potentially crashing the Apex One server and disrupting security monitoring.
Likely Case
Disk space exhaustion leading to service degradation or outage of the Apex One server.
If Mitigated
Limited impact if network controls block external access and proper monitoring detects unusual file upload activity.
🎯 Exploit Status
Exploitation requires sending a specially crafted HTTP PUT request with a malformed Content-Length header to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 11111 or later
Vendor Advisory: https://success.trendmicro.com/solution/000293415
Restart Required: Yes
Instructions:
1. Log into the Trend Micro Apex One console.
2. Navigate to the Updates section.
3. Apply the latest security patch.
4. Restart the Apex One server service.
🔧 Temporary Workarounds
Block vulnerable endpoint
Use a firewall or web application firewall to block access to /officescan/console/html/cgi/fcgiOfcDDA.exe
# Example iptables rule for Linux (a string match only inspects plaintext HTTP, not TLS traffic):
iptables -A INPUT -p tcp --dport 80 -m string --string "/officescan/console/html/cgi/fcgiOfcDDA.exe" --algo bm -j DROP
# Example Windows Firewall rule (note: this blocks all inbound TCP/80 to the HTTP service, not only the vulnerable endpoint):
New-NetFirewallRule -DisplayName "Block Apex One Vuln" -Direction Inbound -Protocol TCP -LocalPort 80 -RemoteAddress Any -Action Block -Program "%SystemRoot%\system32\svchost.exe" -Service "http"
Restrict network access
Limit access to the Apex One server to trusted management networks only
# Example: restrict inbound access to specific management IP ranges in the firewall
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Apex One server from untrusted networks
- Monitor disk space usage on the Apex One server and set alerts for rapid disk consumption
🔍 How to Verify
Check if Vulnerable:
Check the Apex One server build version in the console, or run the command below.
Check Version:
wmic product where "name like 'Trend Micro Apex One%'" get version
(Querying Win32_Product enumerates and consistency-checks every installed MSI package, so the command can take a while to return.)
Verify Fix Applied:
Verify that the build version is 11111 or higher, and test that PUT requests with malformed Content-Length headers to the vulnerable endpoint are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation in \PCCSRV\TEMP\SampleSubmission directory
- HTTP PUT requests to /officescan/console/html/cgi/fcgiOfcDDA.exe with abnormal Content-Length headers
- Rapid disk space consumption alerts
Network Indicators:
- HTTP PUT requests to the vulnerable endpoint from untrusted sources
- Unusually large file uploads to the Apex One server
SIEM Query:
source="apex_one_logs" AND (uri="/officescan/console/html/cgi/fcgiOfcDDA.exe" AND method="PUT")
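The log indicators above turned into a small detector, as an added example that is not part of the advisory or of Trend Micro's tooling. It assumes a combined-style web access log with the request's Content-Length value appended as content_length="..." (a constructed format; adapt LOG_RE to your server's log layout), and the 50 MB threshold for an "oversized" value is an assumption.

```python
"""Flag HTTP PUT requests to the Apex One fcgiOfcDDA.exe endpoint whose
Content-Length header is missing, non-numeric or oversized (CVE-2023-0587
indicators). Added example; log format and threshold are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

VULN_URI = "/officescan/console/html/cgi/fcgiOfcDDA.exe"
MAX_SANE_LENGTH = 50 * 1024 * 1024  # assumed upper bound for a legitimate sample upload

# Assumed log layout: combined log line + content_length="<header value>" ("-" if absent)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) content_length="(?P<clen>[^"]*)"$'
)

@dataclass
class Finding:
    ip: str
    ts: str
    reason: str

def content_length_problem(raw: str) -> Optional[str]:
    """Return a reason string if the Content-Length value is abnormal, else None."""
    if raw in ("", "-"):
        return "missing Content-Length on PUT"
    if not raw.isdigit():
        return f"non-numeric Content-Length {raw!r}"
    if int(raw) > MAX_SANE_LENGTH:
        return f"oversized Content-Length {raw}"
    return None

def scan(lines) -> List[Finding]:
    """Return one Finding per PUT to the vulnerable endpoint; abnormal headers get a specific reason."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "PUT" or m["uri"] != VULN_URI:
            continue
        reason = content_length_problem(m["clen"]) or "PUT to vulnerable endpoint"
        findings.append(Finding(m["ip"], m["ts"], reason))
    return findings

# Constructed sample log lines (addresses from documentation ranges, not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2023:10:01:02 +0000] "GET /officescan/console/html/index.html HTTP/1.1" 200 512 content_length="-"',
    '198.51.100.7 - - [12/Jan/2023:10:02:15 +0000] "PUT /officescan/console/html/cgi/fcgiOfcDDA.exe HTTP/1.1" 200 0 content_length="99999999999"',
    '198.51.100.7 - - [12/Jan/2023:10:02:16 +0000] "PUT /officescan/console/html/cgi/fcgiOfcDDA.exe HTTP/1.1" 400 0 content_length="abc"',
    '10.0.0.8 - - [12/Jan/2023:10:03:00 +0000] "PUT /officescan/console/html/cgi/fcgiOfcDDA.exe HTTP/1.1" 200 0 content_length="2048"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip}: {f.reason}")
```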