CVE-2022-35234
Description
Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A local out-of-bounds read in Trend Micro Security 2021/2022 allows low-privileged code to disclose sensitive memory and crash the system.
Vulnerability
An out-of-bounds read vulnerability exists in the User Mode Hooking Monitor Engine of Trend Micro Maximum Security, part of the Trend Micro Security 2021 and 2022 consumer product line. The issue stems from a lack of proper validation of user-supplied data, which can result in reading past the end of an allocated buffer. Affected versions include Trend Micro Security 2022 (17.7.1383 and below) [1][2].
Exploitation
To exploit this vulnerability, an attacker must first obtain the ability to execute low-privileged code on the target system. No additional user interaction is required beyond code execution at a low integrity level. The flaw is reachable locally, and the attacker can trigger the out-of-bounds read by supplying crafted data to the vulnerable engine component [1].
Impact
Successful exploitation allows an attacker to read sensitive information from other memory locations, potentially leaking data such as secrets or credentials. Additionally, the out-of-bounds read can cause a crash of the affected product. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of SYSTEM [1].
Mitigation
Trend Micro has released a fix via ActiveUpdate, updating Trend Micro Security to version 17.7.1634. Users should ensure their product is updated to this version or later. No reports of active exploitation in the wild have been received at the time of disclosure [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2021
- Range: 2022 (17.7.1383 and below)
References
- helpcenter.trendmicro.com/en-us/article/tmka-11058 (mitre, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-22-962/ (mitre, x_refsource_MISC)