CVE-2021-45442 – Trend Micro Worry-Free Business Security Link Following Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2021-45442
A link following denial-of-service vulnerability in Trend Micro Worry-Free Business Security (on prem only) could allow a local attacker to overwrite arbitrary files in the context of SYSTEM. This is similar to, but not the same as CVE-2021-44024. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Una vulnerabilidad de denegación de servicio en Trend Micro Worry-Free Business Security (sólo en prem) podría permitir a un atacante local sobrescribir archivos arbitrarios en el contexto de SYSTEM. Esto es similar, pero no igual, a CVE-2021-44024. • https://success.trendmicro.com/solution/000289996 https://www.zerodayinitiative.com/advisories/ZDI-22-015 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2021-45441 – Trend Micro Apex One Origin Validation Error Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-45441
A origin validation error vulnerability in Trend Micro Apex One (on-prem and SaaS) could allow a local attacker drop and manipulate a specially crafted file to issue commands over a certain pipe and elevate to a higher level of privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Una vulnerabilidad de error de comprobación de origen en Trend Micro Apex One (on-prem y SaaS) podría permitir a un atacante local soltar y manipular un archivo especialmente diseñado para emitir comandos a través de una determinada tubería y elevarse a un nivel superior de privilegios. Nota: un atacante debe obtener primero la capacidad de ejecutar código poco privilegiado en el sistema de destino para poder explotar esta vulnerabilidad This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Apex One NT RealTime Scan service. • https://success.trendmicro.com/solution/000289996 https://www.zerodayinitiative.com/advisories/ZDI-22-017 • CWE-346: Origin Validation Error •
CVE-2021-45440 – Trend Micro Worry-Free Business Security Unnecessary Privileges Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-45440
A unnecessary privilege vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security 10.0 SP1 (on-prem versions only) could allow a local attacker to abuse an impersonation privilege and elevate to a higher level of privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Una vulnerabilidad de privilegios no necesarios en Trend Micro Apex One y Trend Micro Worry-Free Business Security versión 10.0 SP1 (sólo en las versiones on-prem) podría permitir a un atacante local abusar de un privilegio de suplantación y elevar a un nivel superior de privilegios. Nota: un atacante debe obtener primero la capacidad de ejecutar código poco privilegiado en el sistema de destino para poder explotar esta vulnerabilidad This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Worry-Free Business Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Security Server. • https://success.trendmicro.com/solution/000289996 https://www.zerodayinitiative.com/advisories/ZDI-22-016 • CWE-269: Improper Privilege Management •
CVE-2021-40828 – TLS hostname validation issues within AWS IoT Device SDKs on Windows
https://notcve.org/view.php?id=CVE-2021-40828
Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. This issue has been addressed in aws-c-io submodule versions 0.9.13 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.3.3 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.5.18 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Microsoft Windows. • https://github.com/aws/aws-iot-device-sdk-cpp-v2 https://github.com/aws/aws-iot-device-sdk-java-v2 https://github.com/aws/aws-iot-device-sdk-js-v2 https://github.com/aws/aws-iot-device-sdk-python-v2 https://github.com/awslabs/aws-c-io • CWE-295: Improper Certificate Validation •
CVE-2021-23139
https://notcve.org/view.php?id=CVE-2021-23139
A null pointer vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 could allow an attacker to crash the CGI program on affected installations. Una vulnerabilidad de puntero null en Trend Micro Apex One y Worry-Free Business Security versión 10.0 SP1, podría permitir a un atacante bloquear el programa CGI en las instalaciones afectadas • https://success.trendmicro.com/solution/000289229 https://success.trendmicro.com/solution/000289230 • CWE-476: NULL Pointer Dereference •