JVN#49593434
Trend Micro Password Manager vulnerable to information disclosure
Overview
Password Manager provided by Trend Micro Incorporated contains an information disclosure vulnerability.
Note that this vulnerability is different from JVN#37183636.
Products Affected
- Password Manager for Windows Version 3.8.0.1103 and earlier
- Password Manager for Mac Version 3.8.0.1052 and earlier
Description
Password Manager provided by Trend Micro Incorporated contains an information disclosure vulnerability (CWE-200).
Under certain conditions, information managed by Password Manager, such as IDs and passwords, is kept in memory in plaintext. It may be retrieved by scanning the memory.
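The class of flaw described above, shown as an added example that is not Trend Micro's code and not part of the original advisory: a credential buffer that is only logically cleared still holds the plaintext, while one overwritten before release does not. The `cred_slot` layout, the function names and the sample values are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical credential slot; NOT Password Manager's real memory layout. */
#define SLOT_LEN 64
typedef struct { char id[SLOT_LEN]; char password[SLOT_LEN]; } cred_slot;

/* Zero through a volatile pointer so the compiler cannot discard the
 * stores as dead writes, which it may do to a plain memset(). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Self-check: 1 if the bytes of `needle` still occur inside buf. */
static int region_contains(const void *buf, size_t len, const char *needle) {
    const unsigned char *b = (const unsigned char *)buf;
    size_t n = strlen(needle);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(b + i, needle, n) == 0) return 1;
    return 0;
}

static void load_cred(cred_slot *s, const char *id, const char *pw) {
    memset(s, 0, sizeof *s);
    snprintf(s->id, sizeof s->id, "%s", id);
    snprintf(s->password, sizeof s->password, "%s", pw);
}

/* Weak: the strings look empty to the program, but the bytes remain. */
static void release_weak(cred_slot *s) { s->id[0] = '\0'; s->password[0] = '\0'; }

/* Hardened: overwrite the whole slot before it is reused or freed. */
static void release_hardened(cred_slot *s) { secure_wipe(s, sizeof *s); }

/* Returns 1 if password bytes are still in the slot after release. */
int residue_after_release(int hardened) {
    static cred_slot slot;
    const char *pw = "Constructed-Pa55!";          /* constructed sample value */
    load_cred(&slot, "user@example.test", pw);
    if (hardened) release_hardened(&slot); else release_weak(&slot);
    /* release_weak zeroes only byte 0, so look for the remaining bytes */
    return region_contains(&slot, sizeof slot, pw + 1);
}

int main(void) {
    printf("weak release leaves residue:     %d\n", residue_after_release(0));
    printf("hardened release leaves residue: %d\n", residue_after_release(1));
    return 0;
}
```

A check like `region_contains` can run in a unit test after every code path that handles a secret, so a regression that leaves plaintext behind fails the build.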
Impact
Any user of the product or an administrator may scan the memory to obtain sensitive information.
Solution
Update the Software
Update to the latest version of the software according to the information provided by the developer.
The developer informs us that this vulnerability was addressed in Password Manager for Windows Version 5.0.0.1058 and Password Manager for Mac Version 5.0.1037.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Trend Micro Incorporated | Vulnerable | 2020/01/17 | Trend Micro Incorporated website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |

Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Comment
This analysis assumes that an attacker obtains a user's account and performs a memory scan.
Credit
BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
CVE | CVE-2019-15625 |
JVN iPedia | JVNDB-2020-000004 |