From 56ee90568ef919c669acdc0f069acdec155615c1 Mon Sep 17 00:00:00 2001 From: Vendeta Date: Thu, 21 May 2026 19:50:46 +0300 Subject: [PATCH] Improve GHSA-rjc8-fqvx-g34c --- .../GHSA-rjc8-fqvx-g34c.json | 26 ++++++++++++++++--- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/advisories/unreviewed/2026/05/GHSA-rjc8-fqvx-g34c/GHSA-rjc8-fqvx-g34c.json b/advisories/unreviewed/2026/05/GHSA-rjc8-fqvx-g34c/GHSA-rjc8-fqvx-g34c.json index 10f09d68480f9..0dd7de890ee9a 100644 --- a/advisories/unreviewed/2026/05/GHSA-rjc8-fqvx-g34c/GHSA-rjc8-fqvx-g34c.json +++ b/advisories/unreviewed/2026/05/GHSA-rjc8-fqvx-g34c/GHSA-rjc8-fqvx-g34c.json @@ -1,19 +1,37 @@ { "schema_version": "1.4.0", "id": "GHSA-rjc8-fqvx-g34c", - "modified": "2026-05-21T15:34:09Z", + "modified": "2026-05-21T15:34:18Z", "published": "2026-05-21T15:34:09Z", "aliases": [ "CVE-2025-71215" ], - "details": "A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).", + "summary": "Local Privilege Escalation via iCore TOCTOU Race Condition in Trend Micro Apex One (macOS)", + "details": "### Summary\nA Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability exists in the `iCore` service signature verification routine of the Trend Micro Apex One (macOS) security agent. The application fails to maintain atomic file operations during executable and configuration validation stages. \n\n### Impact\nA local attacker who has already obtained low-privileged code execution capabilities on the host endpoint can exploit this vulnerability. By strategically altering targeted symbolic links or modifying file payloads between the moment the `iCore` service validates a signature file (the check) and the moment it executes or applies it (the use), the attacker can hijack the privileged operation loop. Successful exploitation allows the attacker to execute arbitrary system code with elevated system root privileges.\n\n### Remediation\nThis vulnerability affects legacy local client deployments. It was fully addressed by the vendor in mid-to-late 2025:\n* **SaaS Deployments:** Upgraded automatically starting with the **SaaS 2507** cloud tenant milestone.\n* **On-Premise Managed Agents:** Ensure clients have synchronized via ActiveUpdate to receive the **2005 Yearly Release** updates (or newer engine/signature versions equivalent to Patch Build 14136).", "severity": [ { "type": "CVSS_V3", - "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "Trend_Micro_Apex_One_(macOS-Security-Agent)" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ] } ], - "affected": [], "references": [ { "type": "ADVISORY",