
JVNDB-2021-001017

Trend Micro HouseCall for Home Networks (Windows Edition) may insecurely load Dynamic Link Libraries

Overview

HouseCall for Home Networks (Windows Edition) provided by Trend Micro Incorporated contains an issue with the DLL search path. If the product loads a malicious DLL placed in a folder specified by the PATH environment variable, arbitrary code may be executed with escalated privileges (CWE-427).

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
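
As a defensive check for the search-path issue described above, the following added example (not code from Trend Micro or JVN) lists PATH directories in which a low-privileged principal can create files. The function name, the SID list and the default of auditing the machine-wide PATH are assumptions made for this example.

```powershell
# Added example (not vendor code): list PATH directories in which a
# low-privileged principal can create files, e.g. drop a DLL.
# Assumption: these well-known SIDs are the principals treated as low-privileged.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)
# FILE_ADD_FILE (0x2) plus GENERIC_WRITE and GENERIC_ALL, which can appear unmapped in ACEs.
$CreateFileMask = 0x2 -bor 0x40000000 -bor 0x10000000

function Get-WritablePathDirectory {
    param(
        # Assumption: defaults to the machine-wide PATH; pass other directories to check more.
        [string[]]$Directory = ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($entry in ($Directory | Where-Object { $_ } | Select-Object -Unique)) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim('"', ' '))
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # Entry does not exist: report it so its parent's permissions get reviewed.
            [pscustomobject]@{ Directory = $dir; Principal = $null; Finding = 'MissingDirectory' }
            continue
        }
        foreach ($rule in (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)) {
            # Only Allow ACEs that apply to the directory itself are relevant.
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($rule.PropagationFlags.HasFlag($inheritOnly)) { continue }
            if ($LowPrivSids -notcontains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $CreateFileMask) -ne 0) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
                    Finding   = 'LowPrivCanCreateFiles'
                }
            }
        }
    }
}

Get-WritablePathDirectory | Format-Table -AutoSize
```

Deny ACEs and group nesting are not evaluated, so treat each finding as a candidate for manual review of the directory's permissions.
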
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.8 (High) [NVD Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 4.4 (Medium) [NVD Score]
  • Access Vector: Local
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


Trend Micro, Inc.
  • HouseCall for Home Networks (Windows Edition) version 5.3.1063 and earlier

Impact

An attacker who can log in to the system where the vulnerable product is installed may obtain administrative privileges and execute arbitrary code via a malicious DLL.
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
The developer states that the vulnerability was fixed in HouseCall for Home Networks (Windows Edition) version 5.3.1179.
Vendor Information

Trend Micro, Inc.
CWE

  1. Uncontrolled Search Path Element (CWE-427) [NVD Evaluation]
CVE

  1. CVE-2021-25247
References

  1. JVN : JVNVU#98209799
  2. JVN : JVNTA#91240916
  3. National Vulnerability Database (NVD) : CVE-2021-25247
Revision History

  • [2021/02/04]
      Web page was published