CVE-2024-36358
📋 TL;DR
A link following vulnerability in Trend Micro Deep Security agents allows local attackers to escalate privileges from low-privileged accounts to higher privileges. This affects Deep Security 20.x agents below build 20.0.1-3180. Attackers must first gain execution capability on the target system.
💻 Affected Systems
- Trend Micro Deep Security Agent
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative/root privileges, enabling persistence, lateral movement, and data exfiltration.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install malware, or access sensitive data.
If Mitigated
Limited impact if proper patch management and least privilege principles are enforced.
🎯 Exploit Status
Exploitation requires local access and initial code execution capability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.0.1-3180 or later
Vendor Advisory: https://success.trendmicro.com/dcx/s/solution/000298151
Restart Required: Yes
Instructions:
1. Update Deep Security Manager to latest version.
2. Deploy updated agent packages to all endpoints.
3. Restart affected systems after agent update.
🔧 Temporary Workarounds
Restrict local user privileges
Apply least privilege principles to limit local user account capabilities.
🧯 If You Can't Patch
- Implement strict access controls and monitoring for local user activities.
- Isolate vulnerable systems from critical network segments.
🔍 How to Verify
Check if Vulnerable:
Check the agent version in the Deep Security Manager console or run the agent diagnostic command.
Check Version:
On Windows: ds_agent.exe --version. On Linux: ds_agent --version
Verify Fix Applied:
Verify agent version is 20.0.1-3180 or higher in management console.
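The version check above can be applied to a whole inventory export. The following is an added example, not Trend Micro code: it compares reported agent versions numerically against the fixed build 20.0.1-3180, since a plain string comparison would wrongly rank build 690 above 3180. The hostnames, sample versions and function names are constructed for illustration, and the input is assumed to be the version string as written in this advisory.

```python
import re

FIXED = (20, 0, 1, 3180)  # first fixed build per the advisory: 20.0.1-3180
# The advisory writes the build after "-"; accepting "." as well is an assumption.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)[-.](\d+)")

def parse_build(text):
    """Return (major, minor, patch, build) found in text, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(text):
    """Classify one reported agent version against CVE-2024-36358."""
    v = parse_build(text)
    if v is None:
        return "unknown"        # unparsable: review manually, never assume patched
    if v[0] != 20:
        return "out-of-scope"   # the advisory covers 20.x agents only
    # Tuple comparison is numeric per field, so 690 < 3180 as intended.
    return "vulnerable" if v < FIXED else "patched"

def triage(inventory):
    """Return (host -> status, sorted list of hosts that still need action)."""
    status = {host: classify(ver) for host, ver in inventory.items()}
    todo = sorted(h for h, s in status.items() if s in ("vulnerable", "unknown"))
    return status, todo

# Constructed sample inventory (hostnames and versions invented for illustration)
SAMPLE = {
    "web-01": "20.0.1-3180",
    "web-02": "20.0.1-690",
    "db-01": "20.0.0-8438",
    "app-01": "20.0.2-1390",
    "old-01": "12.0.0-1090",
    "lab-01": "",
}

if __name__ == "__main__":
    status, todo = triage(SAMPLE)
    for host in sorted(status):
        print(f"{host:8} {SAMPLE[host] or '-':14} {status[host]}")
    print("needs action:", ", ".join(todo))
```

Hosts reported as "unknown" are listed for action alongside vulnerable ones so that an agent with a missing or malformed version is never counted as patched.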
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation events
- Suspicious process creation from low-privileged accounts
Network Indicators:
- Unusual outbound connections from Deep Security agent processes
SIEM Query:
Process creation where parent process is ds_agent.exe and privilege level changes