Published: 2021/04/20  Last Updated: 2021/04/20

JVNVU#93009588
Memory Exhaustion Denial-of-Service (DoS) vulnerability in Trend Micro Scan Engine

Overview

Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) provided by Trend Micro Incorporated contain a denial-of-service (DoS) vulnerability caused by uncontrolled memory consumption.

Products Affected

  • Applications that include the Virus Scan API (VSAPI) or Advanced Threat Scan Engine (ATSE)
For more information, refer to the information provided by the developer.

Description

Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) provided by Trend Micro Incorporated allow an attacker to cause uncontrolled memory consumption (CWE-400) by placing a specially crafted file into the system. This issue may lead to the scanning functionality within the application being disabled.

Impact

If an attacker with permission to save files on a computer running an application that includes Trend Micro Scan Engine places a specially crafted file on that system, the application's scanning functionality may be disabled due to memory exhaustion.

Solution

Apply the update or the patch
Apply the appropriate update or patch according to the information provided by the developer.

Credit

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.

Other Information

CVE: CVE-2021-25224, CVE-2021-25225, CVE-2021-25226, CVE-2021-25227, CVE-2021-25252