CVE-2022-37348
Description
Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine. This vulnerability is similar to, but not the same as CVE-2022-37347.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Trend Micro Security 2021/2022 contains an out-of-bounds read in the User Mode Hooking Monitor Engine that leaks memory and causes crashes.
Vulnerability
Trend Micro Security 2021 and 2022 (Consumer) versions 17.7.1383 and below are vulnerable to an out-of-bounds read information disclosure vulnerability within the User Mode Hooking Monitor Engine [1][2]. The issue arises from insufficient validation of user-supplied data, allowing a read past the end of an allocated buffer [1]. This vulnerability is distinct from CVE-2022-37347 but shares similar characteristics.
Exploitation
An attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability [1]. No user interaction beyond executing the low-privileged code is required; the flaw can be triggered from the local context without additional privileges [1][2]. The sequence involves supplying crafted data to the affected engine, resulting in a memory read beyond the intended buffer boundary.
Impact
Successful exploitation allows the attacker to read sensitive information from other memory locations and can cause a crash of the affected application [2]. The CVSSv3 score of 4.4 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L) reflects limited confidentiality and availability impact [1][2]. An attacker could leverage this information disclosure in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of SYSTEM [1].
Mitigation
Trend Micro has released an update via ActiveUpdate to version 17.7.1634 to resolve the issue [2]. The fix was included in releases starting July 08, 2022 [2]. No workarounds are necessary; users should ensure their product is updated via the built-in update mechanism. Trend Micro reports no active exploitation at the time of disclosure [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2022 (17.7.1383 and below)
Patches
No patches discovered yet.
References
- helpcenter.trendmicro.com/en-us/article/tmka-11058 (mitre, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-22-1177/ (mitre, x_refsource_MISC)