CVE-2023-34146

7.8 HIGH

📋 TL;DR

This vulnerability in Trend Micro Apex One and Apex One as a Service allows a local attacker with low-privileged code execution to escalate privileges and write arbitrary values to specific Trend Micro agent registry subkeys. It affects installations of these security products where an attacker has already gained initial access to the system.

💻 Affected Systems

Products:
  • Trend Micro Apex One
  • Trend Micro Apex One as a Service
Versions: Specific versions not specified in advisory - check vendor documentation
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both on-premises and SaaS deployments. Requires local access and ability to execute low-privileged code first.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise through privilege escalation leading to complete administrative control, persistence mechanisms, and potential lateral movement across the network.

🟠 Likely Case: Local privilege escalation allowing attackers to bypass security controls, install additional malware, or modify system configurations to maintain persistence.

🟢 If Mitigated: Limited impact due to proper access controls preventing initial low-privileged code execution and network segmentation limiting lateral movement.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring initial access to the system.
🏢 Internal Only: HIGH - Once an attacker gains initial access to an internal system, this vulnerability enables privilege escalation and further compromise.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access and low-privileged code execution first. Similar to CVE-2023-34147 and CVE-2023-34148 but not identical.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched versions

Vendor Advisory: https://success.trendmicro.com/dcx/s/solution/000293322?language=en_US

Restart Required: Yes

Instructions:

1. Review Trend Micro advisory 000293322.
2. Update Apex One agent to latest version.
3. Restart affected systems.
4. Verify patch installation.

🔧 Temporary Workarounds

Restrict local user privileges

windows

Implement least privilege principle to prevent initial low-privileged code execution

Registry permissions hardening

windows

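Restrict write access to Trend Micro registry keys to trusted users only. This is a change to the key's access control list, made through the Permissions dialog in regedit or with PowerShell's Set-Acl. The reg add command below does not do this: it only creates a string value named "Permissions" under the key and leaves the ACL unchanged.

reg add "HKLM\SOFTWARE\TrendMicro\Apex One" /v "Permissions" /t REG_SZ /d "Administrators:F" /f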

🧯 If You Can't Patch

  • Implement strict endpoint security controls to prevent initial low-privileged code execution
  • Monitor for suspicious registry modifications to Trend Micro keys and investigate any unauthorized changes

🔍 How to Verify

Check if Vulnerable:

Check Apex One agent version against patched versions in Trend Micro advisory 000293322

Check Version:

Check Apex One console or agent properties for version information

Verify Fix Applied:

Verify agent version is updated to patched version and monitor for successful agent restarts

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized registry modifications to HKLM\SOFTWARE\TrendMicro keys
  • Unexpected privilege escalation events
  • Apex One agent service restarts or failures

Network Indicators:

  • Unusual outbound connections from Apex One agent processes
  • Lateral movement attempts from previously compromised systems

SIEM Query:

TargetObject:"*TrendMicro*" AND (EventID=4657 OR (EventID=4663 AND AccessMask:0x2))
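
The indicator behind the SIEM query above, worked through as an added example (not part of the original page or any vendor tooling): it filters Windows Security events 4657 and 4663 for value writes to Trend Micro registry keys by accounts other than LocalSystem. The field names follow the native event schema (`ObjectName`, `SubjectUserSid`), the trusted-SID list is an assumption to tune per environment, and every event is a constructed sample.

```python
# Added example: triage registry-audit events for writes to Trend Micro keys.
# Every event in SAMPLE_EVENTS is constructed for illustration.
SET_VALUE = 0x2               # "Set key value" bit in a 4663 AccessMask
TRUSTED_SIDS = {"S-1-5-18"}   # assumption: only LocalSystem is expected to write

def is_registry_write(ev):
    """4657 records a value change; 4663 counts only if the mask has SET_VALUE."""
    if ev["EventID"] == 4657:
        return True
    if ev["EventID"] == 4663:
        return bool(int(ev.get("AccessMask", "0x0"), 16) & SET_VALUE)
    return False

def suspicious_writes(events):
    """Return (EventID, user, process, key) for untrusted writes to TrendMicro keys."""
    hits = []
    for ev in events:
        if "trendmicro" not in ev.get("ObjectName", "").lower():
            continue
        if is_registry_write(ev) and ev.get("SubjectUserSid") not in TRUSTED_SIDS:
            hits.append((ev["EventID"], ev["SubjectUserName"],
                         ev["ProcessName"], ev["ObjectName"]))
    return hits

KEY = r"\REGISTRY\MACHINE\SOFTWARE\TrendMicro\ExampleSubkey"   # constructed
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"    # constructed
USER_PROC = r"C:\Users\jdoe\AppData\Local\Temp\tool.exe"       # constructed

SAMPLE_EVENTS = [
    # Expected: service account modifies a value under the agent key.
    {"EventID": 4657, "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\agent\service.exe", "ObjectName": KEY},
    # Standard user modifies a value under the agent key.
    {"EventID": 4657, "SubjectUserSid": USER_SID, "SubjectUserName": "jdoe",
     "ProcessName": USER_PROC, "ObjectName": KEY},
    # Standard user only reads (mask 0x1 = query value): not a write.
    {"EventID": 4663, "SubjectUserSid": USER_SID, "SubjectUserName": "jdoe",
     "ProcessName": USER_PROC, "ObjectName": KEY, "AccessMask": "0x1"},
    # Standard user exercises set-value access on the agent key.
    {"EventID": 4663, "SubjectUserSid": USER_SID, "SubjectUserName": "jdoe",
     "ProcessName": USER_PROC, "ObjectName": KEY, "AccessMask": "0x2"},
    # Standard user writes to an unrelated key: out of scope.
    {"EventID": 4657, "SubjectUserSid": USER_SID, "SubjectUserName": "jdoe",
     "ProcessName": USER_PROC, "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Other"},
]

if __name__ == "__main__":
    for hit in suspicious_writes(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

These events are only generated when registry auditing is enabled and an audit entry (SACL) is set on the key being watched.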
