CVE-2022-37347
Description
Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine. This vulnerability is similar to, but not the same as CVE-2022-35234.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Trend Micro Security 2021 and 2022 contains an out-of-bounds read in the User Mode Hooking Monitor Engine that leaks memory and can cause a crash.
Vulnerability
The vulnerability is an out-of-bounds read in Trend Micro Security 2021 and 2022 (Consumer), specifically within the User Mode Hooking Monitor Engine [1]. Affected versions include Trend Micro Security 2022 (17.7.1383 and below) [2]. The issue results from a lack of proper validation of user-supplied data, leading to a read past the end of an allocated buffer [1].
Exploitation
An attacker must first obtain the ability to execute low-privileged code on the target system [1]. No user interaction beyond executing the code is required [1]. The attacker can then trigger the out-of-bounds read to disclose sensitive information from other memory locations, and may also cause a crash [1][2]. Trend Micro has received no reports of active attacks [2].
Impact
Successful exploitation allows an attacker to read sensitive information from other memory locations, leading to information disclosure [1][2]. Additionally, the vulnerability can cause a denial-of-service condition via a crash [1][2]. An attacker can leverage this information disclosure in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of SYSTEM [1].
Mitigation
Trend Micro released a fix via ActiveUpdate; the fixed version is 17.7.1634 for Trend Micro Security 2022 on Microsoft Windows [2]. The update resolves the out-of-bounds read issue [2]. No workaround is required if the update is applied [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2022 (17.7.1383 and below)
Patches
No patches discovered yet.
References
- helpcenter.trendmicro.com/en-us/article/tmka-11058 (mitre, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-22-1176/ (mitre, x_refsource_MISC)