JVNDB-2020-000064

Multiple vulnerabilities in Active Update function implemented in multiple Trend Micro products

Overview

The Active Update function implemented in Premium Security 2019 for Windows (v15), Maximum Security 2019 for Windows (v15), Internet Security 2019 for Windows (v15) and Antivirus+ 2019 for Windows (v15) provided by Trend Micro Incorporated contains the multiple vulnerabilities listed below.
* Update files are not properly verified (CWE-494) - CVE-2020-15604
* Improper server certificate verification in the communication with the update server (CWE-295) - CVE-2020-24560

Satoshi Mimura of IERAE SECURITY INC. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics: 5.9 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 5.4 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Complete
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-15604.


CVSS V3 Severity:
Base Metrics: 5.9 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 5.4 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Complete
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-24560.

Note that the CVSS analysis of CVE-2020-15604 and CVE-2020-24560 assumes a man-in-the-middle attack conducted by an attacker who sets up a malicious wireless LAN access point.

Affected Products


Trend Micro, Inc.
  • Antivirus + Security 2019 for Windows (v15) and earlier
  • Internet Security 2019 for Windows (v15) and earlier
  • Trend Micro Maximum Security 2019 for Windows (v15) and earlier
  • Trend Micro Premium Security 2019 for Windows (v15) and earlier

According to the developer, the Active Update function implemented in other products has been fixed and is not affected by these vulnerabilities.

Impact

By downloading a specially crafted file, arbitrary code may be executed with SYSTEM privileges.

Solution

[Update the software]
Apply the appropriate update according to the information provided by the developer.

According to the developer, these vulnerabilities have been resolved in all Titanium Versions at or above 2020 (v16) and 2021 (v17).
Note that the developer recommends that users who are still running obsolete versions that are no longer supported upgrade to the latest supported versions.

Vendor Information

Trend Micro, Inc.

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2020-15604
  2. CVE-2020-24560

References

  1. JVN : JVN#60093979
  2. National Vulnerability Database (NVD) : CVE-2020-15604
  3. National Vulnerability Database (NVD) : CVE-2020-24560

Revision History

  • [2020/09/23]
      Web page was published