Severity

Medium

Analysis Summary

CVE-2021-42108; CVE-2021-42107; CVE-2021-42106; CVE-2021-42105; CVE-2021-42104; CVE-2021-42103; CVE-2021-42102; CVE-2021-42101     

Trend Micro Apex could allow a local authenticated attacker to gain elevated privileges on the system, caused by an unnecessary privilege flaw in the Security Agent. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code in the context of SYSTEM.

CVE-2021-42012 

Trend Micro Apex One and Worry-Free Business Security could allow a local authenticated attacker to gain elevated privileges on the system, caused by a stack-based buffer overflow. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code in the context of SYSTEM.

CVE-2021-42011 

Trend Micro Apex One could allow a local authenticated attacker to gain elevated privileges on the system, caused by an incorrect permission assignment flaw in the ApexOne Security Agent. By using a specially-crafted .DLL file, an authenticated attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code in the context of SYSTEM.

Impact

• Privilege Escalation

Affected Vendors

Trend Micro

Affected Products

• Trend Micro Apex One SaaS
• Trend Micro Worry-Free Business Security 10.0 SP1
• Trend Micro Apex One On Premise (2019)
• Trend Micro Worry-Free Business Security Services

Remediation

Refer to Trend Micro Security for patch, upgrade, or suggested workaround information.