Published:2021/04/20  Last Updated:2021/04/20

JVNVU#92208501
Multiple vulnerabilities in Worry-Free Business Security

Overview

Worry-Free Business Security provided by Trend Micro Incorporated contains multiple vulnerabilities.

Products Affected

CVE-2020-24556, CVE-2020-24557, CVE-2020-24558

  • Worry-Free Business Security (for Windows) 10 SP1
CVE-2020-24559
  • Worry-Free Business Security (for macOS) 10 SP1

Description

Trend Micro Worry-Free Business Security provided by Trend Micro Incorporated contains multiple vulnerabilities listed below.

  • Improper Hard links Handling (CWE-59) - CVE-2020-24556, CVE-2020-24559
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.8
  • Improper Access Control (CWE-284) - CVE-2020-24557
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.8
  • Out-of-Bounds Read (CWE-125) - CVE-2020-24558
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Base Score: 5.5

Impact

  • An attacker may obtain administrative privileges of the product and execute arbitrary code - CVE-2020-24556, CVE-2020-24559
  • An attacker may disable the security functions of the product by manipulating particular folders, abuse specific Windows functions, or conduct privilege escalation - CVE-2020-24557
  • An attacker may crash the product's multiple processes - CVE-2020-24558

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the patches listed below that contain a fix for these vulnerabilities.

  • Worry-Free Business Security (for Windows)
    • 10 SP1 b2228
  • Worry-Free Business Security (for macOS)
    • macOS Patch

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2020-24556
CVE-2020-24557
CVE-2020-24558
CVE-2020-24559
JVN iPedia