SB2021072812 - Multiple vulnerabilities in Trend Micro Worry-Free Business Security

Description

This security bulletin contains information about 2 vulnerabilities.

1) Arbitrary file upload (CVE-ID: CVE-2021-36741)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload within the product’s management console . A remote user can upload a malicious file and execute it on the server.

Note, the vulnerability is being actively exploited in the wild.

2) Buffer overflow (CVE-ID: CVE-2021-36742)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error. A local user can run a specially crafted program to trigger memory corruption and execute arability code with elevated privileges.

Note, the vulnerability is being actively exploited in the wild.

Remediation

Install update from vendor's website.

References

• https://success.trendmicro.com/solution/000287820
• https://files.trendmicro.com/documentation/wfbs/10.0/WFBS_100_SP1_WIN_ALL_Patch_2329.txt