Published: 2020/01/17  Last Updated: 2020/01/17

JVN#49593434
Trend Micro Password Manager vulnerable to information disclosure

Overview

Password Manager provided by Trend Micro Incorporated contains an information disclosure vulnerability.

Note that this vulnerability is different from JVN#37183636.

Products Affected

  • Password Manager for Windows Version 3.8.0.1103 and earlier
  • Password Manager for Mac Version 3.8.0.1052 and earlier
According to the developer, Password Manager for Android and Password Manager for iOS are not affected by this vulnerability.

Description

Password Manager provided by Trend Micro Incorporated contains an information disclosure vulnerability (CWE-200).
Under certain conditions, information managed by Password Manager, such as IDs and passwords, is kept in memory in plaintext. It may be retrieved when a memory scan is performed.

Impact

Any user of the product or an administrator may scan the memory to obtain sensitive information.

Solution

Update the Software
Update to the latest version of software according to the information provided by the developer.
The developer informs us that this vulnerability was addressed in Password Manager for Windows Version 5.0.0.1058 and Password Manager for Mac Version 5.0.1037.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
Trend Micro Incorporated | Vulnerable | 2020/01/17 | Trend Micro Incorporated website

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Base Score: 5.6
Attack Vector (AV): Local (L)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality Impact (C): High (H)
Integrity Impact (I): None (N)
Availability Impact (A): None (N)

CVSS v2 AV:L/AC:M/Au:S/C:P/I:N/A:N
Base Score: 1.5
Access Vector (AV): Local (L)
Access Complexity (AC): Medium (M)
Authentication (Au): Single (S)
Confidentiality Impact (C): Partial (P)
Integrity Impact (I): None (N)
Availability Impact (A): None (N)

Comment

This analysis assumes that an attacker has obtained a user's account and performs a memory scan.

Credit

BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2019-15625
JVN iPedia: JVNDB-2020-000004