Published:2020/01/17  Last Updated:2020/01/17

JVN#37183636
Trend Micro Password Manager vulnerable to information disclosure

Overview

Password Manager provided by Trend Micro Incorporated contains a vulnerability, where the private key of the root CA certificate generated within the product is accessible to non-administrative users.

Note that this vulnerability is different from JVN#49593434.

Products Affected

  • Password Manager Windows version 5.0.0.1076 and earlier
  • Password Manager MacOS versions 5.0.1047 and earlier

According to the developer, Password Manager for Android and Password Manager for iOS are not affected by this vulnerability.

Description

Password Manager provided by Trend Micro Incorporated generates a key pair and a root certificate on product installation.
The generated private key is not properly protected and any non-administrative user can retrieve the private key (CWE-200).

Impact

A malicious user who obtains the private key can generate a crafted server certificate and use it to conduct a phishing attack against other users of the same PC.
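The weakness described above is a private key on disk that non-administrative users can read. The following is an added example for this advisory page, not code from Trend Micro or JPCERT/CC: a small audit that walks a directory, identifies PEM private-key files by their header, reports any whose POSIX permission bits grant group or world read, and applies the owner-only fix. The directory it is pointed at is the caller's choice, and the key in the demo is a constructed placeholder, not real key material.

```python
"""Check a machine for the weakness class described in this advisory (CWE-200):
a private key file that any non-administrative local user can read.

Added example for this advisory page, not Trend Micro's or JPCERT/CC's code.
The paths it is pointed at are the caller's choice; the sample key below is a
constructed placeholder, not real key material."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PEM headers that identify private-key material.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)


@dataclass
class Finding:
    path: str
    mode: str    # permission bits as an octal string, e.g. "0o644"
    reason: str


def looks_like_private_key(path: str) -> bool:
    """True if the first 4 KiB of the file carries a PEM private-key header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return any(marker in head for marker in PRIVATE_KEY_MARKERS)


def readable_by_others(perm: int) -> bool:
    """POSIX rule: a group or world read bit lets other local users read the file."""
    return bool(perm & (stat.S_IRGRP | stat.S_IROTH))


def audit_private_key(path: str) -> Optional[Finding]:
    """Return a Finding when `path` is a private key readable beyond its owner."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode) or not looks_like_private_key(path):
        return None
    perm = stat.S_IMODE(st.st_mode)
    if readable_by_others(perm):
        return Finding(path, oct(perm), "private key readable by group/other users (CWE-200)")
    return None


def audit_tree(root: str) -> List[Finding]:
    """Walk `root` and collect every exposed private key beneath it."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = audit_private_key(os.path.join(dirpath, name))
            if finding is not None:
                findings.append(finding)
    return findings


def restrict_to_owner(path: str) -> int:
    """Mitigation: drop the group/world bits so only the owner can read the key."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # 0o600
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> Tuple[int, int]:
    """Constructed scenario: one world-readable key next to a harmless certificate.

    Returns (findings before remediation, findings after)."""
    root = tempfile.mkdtemp(prefix="keyaudit-")
    key_path = os.path.join(root, "rootca.key")
    with open(key_path, "wb") as fh:   # placeholder body, not a real key
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(key_path, 0o644)          # the weak state: readable by every local user
    with open(os.path.join(root, "rootca.crt"), "wb") as fh:
        fh.write(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    before = len(audit_tree(root))
    restrict_to_owner(key_path)
    after = len(audit_tree(root))
    return before, after


if __name__ == "__main__":
    print(demo())   # (1, 0)
```

The permission-bit check applies as written to the macOS build; on Windows the file mode reported by `os.stat` does not reflect the DACL, so the equivalent check there is to inspect the key file's ACL (for example with `icacls`) for read access granted to non-administrative principals. The public certificate next to the key is deliberately left alone: only the private key needs to be owner-only.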

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor: Trend Micro Incorporated
Status: Vulnerable
Last Update: 2020/01/17
Vendor Notes: Trend Micro Incorporated website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score: 3.3
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): None (N)
  • Availability Impact (A): None (N)
CVSS v2 AV:L/AC:L/Au:S/C:P/I:N/A:N
Base Score: 1.7
  • Access Vector (AV): Local (L)
  • Access Complexity (AC): Low (L)
  • Authentication (Au): Single (S)
  • Confidentiality Impact (C): Partial (P)
  • Integrity Impact (I): None (N)
  • Availability Impact (A): None (N)

Credit

BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2019-19696
JVN iPedia: JVNDB-2020-000005