CVE-2023-34148

7.8 HIGH

📋 TL;DR

This vulnerability in the Trend Micro Apex One and Apex One as a Service security agent allows a local attacker who can already execute low-privileged code on the endpoint to escalate privileges and write arbitrary values to specific Trend Micro agent registry subkeys. The prerequisite is code execution as a standard user, so it matters on any host where an attacker has an initial foothold.

💻 Affected Systems

Products:
  • Trend Micro Apex One
  • Trend Micro Apex One as a Service
Versions: Affected on-premise builds are not listed in this summary; check the vendor advisory for the exact affected and fixed agent builds. For Apex One as a Service the server side is updated by Trend Micro, but the agent program on endpoints still has to reach the fixed build.
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access and ability to execute low-privileged code first. Similar but not identical to CVE-2023-34146 and CVE-2023-34147.

📦 What is this software?

Trend Micro Apex One is an enterprise endpoint protection platform and the successor to OfficeScan: a management server pushes policy and updates to a Security Agent that runs as SYSTEM-level services on each Windows endpoint. Apex One as a Service is the Trend Micro-hosted edition of the same product, with the same agent on the endpoint.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via privilege escalation leading to complete administrative control, persistence mechanisms, and potential lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install malware, or manipulate security agent configurations.

🟢

If Mitigated

Limited impact: with the agent at the fixed build, or with least privilege and application control preventing an attacker from running code as a local user in the first place, the escalation path is closed.

🌐 Internet-Facing: LOW - Requires local access and low-privileged code execution first.
🏢 Internal Only: HIGH - Once an attacker has an initial foothold on a system, this gives an easy privilege-escalation path, and the target is the security agent itself.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access and low-privileged code execution first. No public proof of concept is known for this CVE, but local privilege escalations in endpoint security agents have been weaponized in the past, so treat it as standard post-exploitation tooling material.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched versions

Vendor Advisory: https://success.trendmicro.com/dcx/s/solution/000293322?language=en_US

Restart Required: Yes

Instructions:

1. On-premise: apply the server-side patch named in the vendor advisory to the Apex One server first; for Apex One as a Service the server side is updated by Trend Micro.
2. Access the Trend Micro Apex One console.
3. Navigate to Security Agents > Agent Management.
4. Check for available agent updates.
5. Deploy the security agent update to all affected endpoints.
6. Restart endpoints as required and confirm the agent build against the advisory.

🔧 Temporary Workarounds

Restrict Local Access

windows

Implement strict access controls to prevent unauthorized local access to systems

Application Whitelisting

windows

Use application control (for example AppLocker or Windows Defender Application Control) so that unapproved code cannot run in a standard-user context; the vulnerability needs attacker code to run on the host before it can be triggered

🧯 If You Can't Patch

  • Implement strict least privilege access controls to prevent initial low-privileged code execution
  • Monitor for registry modifications to Trend Micro agent subkeys by accounts other than the agent's own service accounts and your administrators (this requires registry auditing and a SACL on those keys; Windows does not log registry writes by default)

🔍 How to Verify

Check if Vulnerable:

Check the Trend Micro Apex One agent build against the vendor advisory; the agent build is the authoritative indicator. Reviewing the permissions on the Trend Micro agent registry subkeys is a useful secondary check, but a clean ACL review does not prove the agent is patched, because the write may be performed through the agent itself rather than by the attacker's own token.

Check Version:

Check agent version through Trend Micro Apex One console or agent interface

Verify Fix Applied:

Verify the agent build on the endpoint (not only the version the console reports) matches the patched build specified in the vendor advisory. Confirm that non-administrative principals have no write access to the Trend Micro agent registry subkeys.
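The two checks above, as an added PowerShell example for this page (not Trend Micro's tooling). It assumes the agent services are named ntrtscan and tmlisten, as on OfficeScan/Apex One agents, and that the agent registry tree lives under HKLM\SOFTWARE\TrendMicro (HKLM\SOFTWARE\WOW6432Node\TrendMicro on 64-bit Windows); confirm both against your installation. Run it from an elevated PowerShell on the endpoint and compare the reported build with the vendor advisory.

```powershell
# Added verification example; not from the Trend Micro advisory or product.
# Assumptions: service names ntrtscan/tmlisten; agent keys under ...\SOFTWARE\TrendMicro.

$AgentRoots = @('HKLM:\SOFTWARE\TrendMicro', 'HKLM:\SOFTWARE\WOW6432Node\TrendMicro') |
    Where-Object { Test-Path $_ }

# --- 1. Agent build: read the file version of the agent service binaries ------------
function Get-TrendAgentVersion {
    Get-CimInstance Win32_Service -Filter "Name='ntrtscan' OR Name='tmlisten'" | ForEach-Object {
        # Service PathName may be quoted and may carry arguments; isolate the executable.
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }
        if (Test-Path $exe) {
            $v = (Get-Item $exe).VersionInfo
            [pscustomobject]@{
                Service        = $_.Name
                Path           = $exe
                FileVersion    = $v.FileVersion
                ProductVersion = $v.ProductVersion
            }
        }
    }
}

# --- 2. Registry ACL review: ACEs that let non-admin principals write agent subkeys --
$WeakPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                  'Everyone', 'NT AUTHORITY\INTERACTIVE'
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-WeakTrendAgentAcl {
    foreach ($root in $AgentRoots) {
        # Include the root itself plus every subkey beneath it.
        @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue) |
            ForEach-Object {
                $acl = Get-Acl -Path $_.PSPath -ErrorAction SilentlyContinue
                if (-not $acl) { return }
                foreach ($ace in $acl.Access) {
                    if ($ace.AccessControlType -ne 'Allow') { continue }
                    if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                    if (([int]$ace.RegistryRights -band [int]$WriteRights) -eq 0) { continue }
                    [pscustomobject]@{
                        Key       = $_.Name
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.RegistryRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
    }
}

Get-TrendAgentVersion  | Format-Table -AutoSize
Get-WeakTrendAgentAcl  | Format-Table -AutoSize
```

Any row from Get-WeakTrendAgentAcl is worth fixing regardless of this CVE, but an empty result is not proof the agent is patched: the advisory ties the fix to the agent build, so Get-TrendAgentVersion is the check that counts.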

📡 Detection & Monitoring

Log Indicators:

  • Registry modifications to Trend Micro agent subkeys under HKLM\SOFTWARE\TrendMicro (HKLM\SOFTWARE\WOW6432Node\TrendMicro on 64-bit Windows) by accounts other than the agent's service accounts and known administrators; the vendor description does not name the specific subkeys, so monitor the whole tree
  • Privilege escalation attempts from low-privileged accounts

Network Indicators:

  • Unusual outbound connections from systems after local privilege escalation

SIEM Query:

Windows Security log (requires Object Access > Registry auditing and a SACL on the agent keys; these events carry the key path in ObjectName, not TargetObject; the parentheses matter, because AND binds tighter than OR and without them every 4657 event would match):

(EventID=4657 OR EventID=4663) AND ObjectName contains "TrendMicro" AND SubjectUserName not in (authorized_admin_users)

Sysmon equivalent (Sysmon registry events 12, 13 and 14 use TargetObject and User):

EventID in (12, 13, 14) AND TargetObject contains "TrendMicro" AND User not in (authorized_admin_users)
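The query above only returns results if the endpoint actually audits those keys. The following PowerShell is an added example for this page (not Trend Micro's or any SIEM vendor's code): it enables registry auditing, places a SACL on the agent tree, and then hunts the Security log for write-class accesses by accounts outside an allow-list. It assumes the agent keys live under HKLM\SOFTWARE\TrendMicro (and the WOW6432Node mirror); $AuthorizedAccounts is a hypothetical allow-list you must replace with the agent's service accounts and your own administrators. Run it elevated, since reading and writing SACLs needs SeSecurityPrivilege.

```powershell
# Added detection example; not from the Trend Micro advisory or product.
# Assumptions: agent keys under ...\SOFTWARE\TrendMicro; $AuthorizedAccounts is a placeholder.

$AgentRoots = @('HKLM:\SOFTWARE\TrendMicro', 'HKLM:\SOFTWARE\WOW6432Node\TrendMicro') |
    Where-Object { Test-Path $_ }
$AuthorizedAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')   # hypothetical allow-list

# --- 1. Turn on registry auditing and put a SACL on the agent tree ------------------
# Without both, Windows never writes 4657/4663 for these keys and the SIEM query is empty.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

$auditRule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
foreach ($root in $AgentRoots) {
    $acl = Get-Acl -Path $root -Audit
    $acl.AddAuditRule($auditRule)
    Set-Acl -Path $root -AclObject $acl
}

# --- 2. Hunt: registry writes to agent keys by accounts outside the allow-list -------
function Get-TrendAgentRegistryWrites {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{ LogName = 'Security'; Id = 4657, 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData elements into a name -> value table.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # ObjectName looks like \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\TrendMicro\...
        if ($d.ObjectName -notmatch '\\TrendMicro\\') { return }

        # 4663 also fires for reads; keep only write-class accesses. AccessMask bits:
        # KEY_SET_VALUE 0x2, KEY_CREATE_SUB_KEY 0x4, DELETE 0x10000, WRITE_DAC 0x40000, WRITE_OWNER 0x80000
        if ($_.Id -eq 4663 -and (([int]$d.AccessMask) -band 0xD0006) -eq 0) { return }

        if ($AuthorizedAccounts -contains $d.SubjectUserName) { return }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Key     = $d.ObjectName
            Value   = $d.ObjectValueName      # present on 4657 only
            Process = $d.ProcessName
        }
    }
}

Get-TrendAgentRegistryWrites | Sort-Object Time | Format-Table -AutoSize
```

Expect the agent's own processes to write these keys constantly; the signal is the ProcessName and User columns, not the write itself. An interactive user's process (or anything outside the agent's install directory) writing the agent tree is the condition to alert on.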
