CVE-2020-24558 - OpenCVE

A vulnerability in an Trend Micro Apex One, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services dll may allow an attacker to manipulate it to cause an out-of-bounds read that crashes multiple processes in the product. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Macos
Microsoft	Windows
Trendmicro	Apex One Worry-free Business Security Worry-free Business Security Services

Configuration 1 [-]

AND

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

OR	cpe:2.3:a:trendmicro:apex_one:2019:::::::*
	cpe:2.3:a:trendmicro:apex_one:saas:::::::*
	cpe:2.3:a:trendmicro:worry-free_business_security:10.0:sp1::::::
	cpe:2.3:a:trendmicro:worry-free_business_security_services:-:::::::*

No data.

References

Link	Providers
https://success.trendmicro.com/solution/000263632
https://success.trendmicro.com/solution/000267260
https://www.zerodayinitiative.com/advisories/ZDI-20-1095/

History

No history.

MITRE

Status: PUBLISHED

Assigner: trendmicro

Published: 2020-09-01T18:55:27

Updated: 2024-08-04T15:19:07.400Z

Reserved: 2020-08-20T00:00:00

Link: CVE-2020-24558

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-09-01T19:15:11.933

Modified: 2021-09-16T13:43:48.120

Link: CVE-2020-24558

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Trend Micro Apex One", "vendor": "Trend Micro", "versions": [{"status": "affected", "version": "2009 (on premise), SaaS"}]}, {"product": "Trend Micro Worry-Free Business Security", "vendor": "Trend Micro", "versions": [{"status": "affected", "version": "10.0 SP1, Services (SaaS)"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in an Trend Micro Apex One, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services dll may allow an attacker to manipulate it to cause an out-of-bounds read that crashes multiple processes in the product. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability."}], "problemTypes": [{"descriptions": [{"description": "Improper Access Control Privilege Escalation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-04-22T21:21:21", "orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", "shortName": "trendmicro"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://success.trendmicro.com/solution/000263632"}, {"tags": ["x_refsource_MISC"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1095/"}, {"tags": ["x_refsource_MISC"], "url": "https://success.trendmicro.com/solution/000267260"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@trendmicro.com", "ID": "CVE-2020-24558", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Trend Micro Apex One", "version": {"version_data": [{"version_value": "2009 (on premise), SaaS"}]}}, {"product_name": "Trend Micro Worry-Free Business Security", "version": {"version_data": [{"version_value": "10.0 SP1, Services (SaaS)"}]}}]}, "vendor_name": "Trend Micro"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in an Trend Micro Apex One, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services dll may allow an attacker to manipulate it to cause an out-of-bounds read that crashes multiple processes in the product. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control Privilege Escalation"}]}]}, "references": {"reference_data": [{"name": "https://success.trendmicro.com/solution/000263632", "refsource": "MISC", "url": "https://success.trendmicro.com/solution/000263632"}, {"name": "https://www.zerodayinitiative.com/advisories/ZDI-20-1095/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1095/"}, {"name": "https://success.trendmicro.com/solution/000267260", "refsource": "MISC", "url": "https://success.trendmicro.com/solution/000267260"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:19:07.400Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://success.trendmicro.com/solution/000263632"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1095/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://success.trendmicro.com/solution/000267260"}]}]}, "cveMetadata": {"assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", "assignerShortName": "trendmicro", "cveId": "CVE-2020-24558", "datePublished": "2020-09-01T18:55:27", "dateReserved": "2020-08-20T00:00:00", "dateUpdated": "2024-08-04T15:19:07.400Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:trendmicro:apex_one:2019:*:*:*:*:*:*:*", "matchCriteriaId": "AF019D2D-C426-4D2D-A254-442CE777B41E", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:apex_one:saas:*:*:*:*:*:*:*", "matchCriteriaId": "0BD39638-1D52-4FA8-BBA0-305795D7D2E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:worry-free_business_security:10.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "FFCE8717-85D2-4F4F-91DF-C6DA341C4E19", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:worry-free_business_security_services:-:*:*:*:*:*:*:*", "matchCriteriaId": "36934731-5AB1-4F9A-AC28-9FB157C11217", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in an Trend Micro Apex One, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services dll may allow an attacker to manipulate it to cause an out-of-bounds read that crashes multiple processes in the product. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad en una dll de Trend Micro Apex One, Worry-Free Business Security 10.0 SP1 y Worry-Free Business Security Services dll, puede permitir a un atacante manipularla para causar una lectura fuera de l\u00edmites que bloquee varios procesos en el producto. Un atacante debe primero obtener la capacidad de ejecutar c\u00f3digo poco privilegiado en el sistema de objetivo para explotar esta vulnerabilidad"}], "id": "CVE-2020-24558", "lastModified": "2021-09-16T13:43:48.120", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-01T19:15:11.933", "references": [{"source": "security@trendmicro.com", "tags": ["Product", "Vendor Advisory"], "url": "https://success.trendmicro.com/solution/000263632"}, {"source": "security@trendmicro.com", "tags": ["Vendor Advisory"], "url": "https://success.trendmicro.com/solution/000267260"}, {"source": "security@trendmicro.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1095/"}], "sourceIdentifier": "security@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}