[Japanese]
|
JVNDB-2023-000033
|
Trend Micro Security may insecurely load Dynamic Link Libraries
|
Trend Micro Security provided by Trend Micro Incorporated contains an insecure DLL loading issue (CWE-427).
While the affected version of Trend Micro Security is installed and a malicious DLL is placed in a directory where some application executable resides, invoking the application executable may result in Trend Micro Security loading the malicious DLL.
Rintaro Fujita of Nippon Telegraph and Telephone Corporation, Hiroki Hada of NTT Security (Japan) KK and Hiroki Mashiko of NTT DATA Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 8.6 (High) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 6.8 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
|
|
Trend Micro, Inc.
- Trend Micro Security 2021 17.0.1412 and earlier
- Trend Micro Security 2022 17.7.1476 and earlier
- Trend Micro Security 2023 17.7.1476 and earlier
|
|
Arbitrary program may be executed with the privilege of Trend Micro Security.
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released the following versions to fix the vulnerability.
* Trend Micro Security 2022/2023 17.7.1634 or later
* Trend Micro Security 2021 17.0.1426 or later
The update that addresses this vulnerability is available and is automatically applied through the product's ActiveUpdate feature.
|
Trend Micro, Inc.
|
- No Mapping(CWE-Other) [IPA Evaluation]
|
- CVE-2023-28929
|
- JVN : JVN#76257155
- JVN : JVNTA#91240916
- National Vulnerability Database (NVD) : CVE-2023-28929
|
- [2023/04/14]
Web page was published
- [2023/05/16]
Overview was modified
CVSS Severity was modified
Impact was modified
- [2024/04/26]
References : Content was added
|