Trend Micro Antivirus for Mac vulnerable to a privilege escalation


Antivirus for Mac provided by Trend Micro Incorporated contains a symbolic link privilege escalation vulnerability (CWE-61).

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products

Trend Micro, Inc.
  • Antivirus for Mac 2019 (v9.x)
  • Antivirus for Mac 2020 (v10.x)


An attacker who can access the product could exploit a crafted symbolic link on the system to remove arbitrary files and folders.

[Update the software]
Apply the appropriate update according to the information provided by the developer.

* Antivirus for Mac 2019 (v9.x)
The 2019 family (Version 9.x) is no longer supported. The developer recommends that users upgrade to the latest supported version.

* Antivirus for Mac 2020 (v10.x)
The necessary patch (10.0.1803) is already available. Users of version 10.0 or above already have the patch applied through the product's automatic ActiveUpdate feature.
Vendor Information

Trend Micro, Inc.
CWE

CVE

  1. CVE-2020-25776

  1. JVN : JVNVU#95014999
Revision History

  • [2020/10/07]
      Web page was published