CVE-2022-33158: Security Bulletin: Trend Micro VPN Proxy One Pro Incorrect Permission Assignment Local Privilege Escalation Vulnerability
LAST UPDATED: JUN 15, 2022
Release Date: June 15, 2022
Trend Micro Vulnerability Identifier: CVE-2022-33158
Platform(s): Microsoft Windows
Severity Rating: 7.8
Summary
Trend Micro has released a new version of Trend Micro VPN Proxy One Pro (consumer) that resolves an incorrect permission assignment local privilege escalation vulnerability.
Affected version(s)
| PRODUCT | AFFECTED VERSION(S) | PLATFORM | LANGUAGE(S) |
|---|---|---|---|
| VPN Proxy One Pro | Version 5.2.1026 | Microsoft Windows | English |
Solution
Trend Micro has released a version to resolve this issue:
| PRODUCT | UPDATED VERSION(S) | PLATFORM | LANGUAGE(S) |
|---|---|---|---|
| VPN Proxy One Pro | Version 5.3.1056 | Microsoft Windows | English |
Vulnerability Details
Trend Micro VPN Proxy Pro version 5.2.1026 and below contains a vulnerability involving some overly permissive folders in a key directory which could allow a local attacker to obtain privilege escalation on an affected system.
Trend Micro has not received any reports of, and is not aware of, any actual attacks against the affected products related to this vulnerability at this time.
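A defender-side check for the weakness class described above (folders that non-administrative users can write to), as an added example that is not part of Trend Micro's bulletin. It scans alternating path / SDDL lines, the layout that `icacls <dir> /save <file> /T` writes, for allow ACEs that grant write-capable rights to Everyone, Users, Authenticated Users or INTERACTIVE. The folder names and SDDL strings are constructed, since the bulletin does not name the affected directory, and the input is assumed to be already decoded to a string.

```python
import re

# Well-known principals that include ordinary local users (SDDL alias and SID).
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "IU": "INTERACTIVE", "S-1-5-4": "INTERACTIVE"}
# SDDL two-letter rights codes and their access-mask bits.
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
          "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
# Add file, add subfolder, delete child, DELETE, WRITE_DAC, WRITE_OWNER, GW, GA.
WRITE_MASK = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")

def mask_of(rights):
    """Convert an SDDL rights field (hex mask or two-letter codes) to an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS.get(rights[i:i + 2], 0)
    return mask

def weak_aces(saved):
    """Return (path, principal, mask) for allow ACEs giving broad groups write access."""
    lines = [ln.strip() for ln in saved.splitlines() if ln.strip()]
    findings = []
    for path, sddl in zip(lines[0::2], lines[1::2]):
        dacl = DACL_RE.search(sddl)
        for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
            fields = ace.split(";")
            if len(fields) != 6 or fields[0] != "A" or fields[5] not in BROAD:
                continue  # skip deny/other ACE types and principals not in BROAD
            mask = mask_of(fields[2])
            if mask & WRITE_MASK:
                findings.append((path, BROAD[fields[5]], mask))
    return findings

# Constructed sample (hypothetical folder names, not taken from the product).
SAMPLE = r"""
ExampleApp
D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)
ExampleApp\logs
D:AI(A;OICIID;FA;;;SY)(A;OICI;0x1301bf;;;BU)
ExampleApp\bin
D:AI(A;OICIID;FA;;;BA)(A;OICI;FA;;;WD)
"""
```

On the sample, `weak_aces(SAMPLE)` reports the `logs` folder (Modify for Users) and the `bin` folder (Full control for Everyone), while the read-and-execute grant on the root folder passes.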
Mitigating Factors
None identified. Customers are advised to ensure they always have the latest version of the program.
Acknowledgement
Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:
- Hashim Jawad (@ihack4falafel) with Trend Micro Zero Day Initiative.
Additional Assistance
Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.
External Reference
- ZDI-CAN-16303