[Japanese]

JVNDB-2023-000033

Trend Micro Security may insecurely load Dynamic Link Libraries

Overview

Trend Micro Security provided by Trend Micro Incorporated contains an insecure DLL loading issue (CWE-427).
While the affected version of Trend Micro Security is installed and a malicious DLL is placed in a directory where some application executable resides, invoking the application executable may result in Trend Micro Security loading the malicious DLL.

Rintaro Fujita of Nippon Telegraph and Telephone Corporation, Hiroki Hada of NTT Security (Japan) KK and Hiroki Mashiko of NTT DATA Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.6 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


Trend Micro, Inc.
  • Trend Micro Security 2021 17.0.1412 and earlier
  • Trend Micro Security 2022 17.7.1476 and earlier
  • Trend Micro Security 2023 17.7.1476 and earlier

Impact

Arbitrary program may be executed with the privilege of Trend Micro Security.
Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released the following versions to fix the vulnerability.

* Trend Micro Security 2022/2023 17.7.1634 or later
* Trend Micro Security 2021 17.0.1426 or later

The update that addresses this vulnerability is available and is automatically applied through the product's ActiveUpdate feature.
Vendor Information

Trend Micro, Inc.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2023-28929
References

  1. JVN : JVN#76257155
  2. JVN : JVNTA#91240916
  3. National Vulnerability Database (NVD) : CVE-2023-28929
Revision History

  • [2023/04/14]
      Web page was published
  • [2023/05/16]
      Overview was modified
      CVSS Severity was modified
      Impact was modified
      
  • [2024/04/26]
      References : Content was added