[Japanese]

JVNDB-2020-000004

Trend Micro Password Manager vulnerable to information disclosure

Overview

Password Manager provided by Trend Micro Incorporated contains an information disclosure vulnerability (CWE-200).
Under certain conditions, the information ID, password etc. managed by Password Manager are kept on the memory in plaintext. They may be retrieved when the memory scan is done.

Note that this vulnerability is different from JVN#37183636.

BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.6 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 1.5 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


Trend Micro, Inc.
  • Password Manager for Windows Version 3.8.0.1103 and earlier
  • Password Manager for Mac Version 3.8.0.1052 and earlier

According to the developer, Password Manager for Android and Password Manager for iOS are not affected by this vulnerability.
Impact

Any user of the product or an administrator may scan the memory to obtain sensitive information.
Solution

[Update the Software]
Update to the latest version of software according to the information provided by the developer.
The developer informs us that this vulnerability was addressed in Password Manager for Windows Version 5.0.0.1058 and Password Manager for Mac Version 5.0.1037.
Vendor Information

Trend Micro, Inc.
CWE (What is CWE?)

  1. Information Exposure(CWE-200) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2019-15625
References

  1. JVN : JVN#49593434
Revision History

  • [2020/01/17]
      Web page was published