CVE-2023-35695
📋 TL;DR
This vulnerability allows remote attackers to download log files containing sensitive information from Trend Micro Mobile Security (Enterprise). Attackers can access product configuration details, potentially including credentials or system information. Organizations using Trend Micro Mobile Security (Enterprise) 9.8 SP5 are affected.
💻 Affected Systems
- Trend Micro Mobile Security (Enterprise)
📦 What is this software?
Mobile Security by Trend Micro
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrative credentials or sensitive system information, leading to full compromise of the mobile security management infrastructure and potential lateral movement to managed devices.
Likely Case
Attackers access configuration details and operational logs, enabling reconnaissance for further attacks or exposing sensitive deployment information.
If Mitigated
With proper network segmentation and access controls, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Vulnerability involves simple HTTP requests to download log files; no authentication bypass or complex exploitation required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.8 SP5 Patch 1 or later
Vendor Advisory: https://success.trendmicro.com/dcx/s/solution/000293106?language=en_US
Restart Required: Yes
Instructions:
1. Download Patch 1 from the Trend Micro support portal.
2. Stop the Trend Micro Mobile Security services.
3. Apply the patch.
4. Restart the services.
5. Verify that the version shows 9.8 SP5 Patch 1 or higher.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the management console to trusted IP addresses only
Configure firewall rules to allow only specific source IPs to access Trend Micro Mobile Security management ports
Log File Access Control
Modify file system permissions to restrict access to log directories
Set appropriate NTFS/ACL permissions on Trend Micro log directories to prevent unauthorized access
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the management console from untrusted networks
- Monitor for unusual access patterns to log file URLs and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check if Trend Micro Mobile Security (Enterprise) version is 9.8 SP5 without Patch 1 applied
Check Version:
Check version in Trend Micro Mobile Security management console under Help > About
Verify Fix Applied:
Verify version shows 9.8 SP5 Patch 1 or higher in the management console
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP GET requests to log file paths
- Multiple failed or successful log file download attempts from unusual sources
Network Indicators:
- HTTP requests to /log/* or similar paths from unauthorized IP addresses
- Unusual traffic patterns to management console port
SIEM Query:
source_ip NOT IN (trusted_ips) AND (url_path CONTAINS '/log/' OR url_path CONTAINS '.log') AND dest_port = [management_port]
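As an added example (not from the advisory or from Trend Micro), the indicators above turned into a small Python check that runs over constructed access-log lines: it flags GET requests for log-like paths from sources outside a trusted network and counts hits per source, so repeated attempts stand out. The log format, the `/log/` path, and the trusted network are assumptions.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample access-log lines (not real product logs). The paths are
# illustrative, following the advisory's "/log/* or similar" and ".log" indicators.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2023:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [10/Sep/2023:12:00:03 +0000] "GET /log/debug.log HTTP/1.1" 200 55000
10.0.0.5 - - [10/Sep/2023:12:00:05 +0000] "GET /log/debug.log HTTP/1.1" 200 55000
198.51.100.9 - - [10/Sep/2023:12:00:09 +0000] "GET /export/server.log HTTP/1.1" 403 0
203.0.113.7 - - [10/Sep/2023:12:00:11 +0000] "GET /log/config.txt HTTP/1.1" 404 0
"""

# Assumed trusted management network (placeholder; replace with your own ranges).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Common-log-format parser: source IP, timestamp, method, path, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def is_log_path(path: str) -> bool:
    # Same condition as the SIEM query: path contains '/log/' or ends in '.log'.
    # The query string is dropped first so it cannot hide or fake a match.
    path = path.split("?", 1)[0].lower()
    return "/log/" in path or path.endswith(".log")

def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed requests for log-like paths from untrusted sources.
    Both successful and failed (403/404) attempts are kept, as the indicators state."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip malformed lines rather than failing the whole run
        d = m.groupdict()
        if d["method"] == "GET" and is_log_path(d["path"]) and not is_trusted(d["ip"]):
            hits.append(d)
    return hits

def count_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Hits per source IP, to surface repeated download attempts."""
    return dict(Counter(h["ip"] for h in find_suspicious(lines)))

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["path"]}')
```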