Published: 2020/09/23  Last Updated: 2020/09/23

JVN#60093979
Multiple vulnerabilities in Active Update function implemented in multiple Trend Micro products

Overview

The Active Update function implemented in multiple Trend Micro products contains multiple vulnerabilities: update files and server certificates are not properly verified.

Products Affected

  • Premium Security 2019 for Windows (v15) and earlier
  • Maximum Security 2019 for Windows (v15) and earlier
  • Internet Security 2019 for Windows (v15) and earlier
  • Antivirus+ 2019 for Windows (v15) and earlier

According to the developer, the Active Update function implemented in other products has already been fixed and is not affected by these vulnerabilities.

Description

The Active Update function implemented in Premium Security 2019 for Windows (v15), Maximum Security 2019 for Windows (v15), Internet Security 2019 for Windows (v15) and Antivirus+ 2019 for Windows (v15) provided by Trend Micro Incorporated contains the multiple vulnerabilities listed below.

  • Update files are not properly verified (CWE-494) - CVE-2020-15604
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Base Score: 5.9
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:C/A:N Base Score: 5.4
  • Improper server certificate verification in the communication with the update server (CWE-295) - CVE-2020-24560
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Base Score: 5.9
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:C/A:N Base Score: 5.4

Note that the CVSS analysis of CVE-2020-15604 and CVE-2020-24560 assumes a man-in-the-middle attack conducted by an attacker who has set up a malicious wireless LAN access point.
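As an added illustration, not code from Trend Micro or JVN, the following Python shows the two checks whose absence the advisory describes: certificate and hostname verification on the TLS connection to the update server (CWE-295), and an integrity check of the downloaded update file before it is installed (CWE-494). All function names, sample bytes and digests are constructed for this example; it assumes the expected digest is delivered through an authenticated (for example code-signed) manifest, since a pinned digest on its own only detects corruption, not substitution by an unauthenticated source.

```python
"""Added example (not the vendor's code): the pre-install checks an updater
needs so that a man-in-the-middle on the network cannot substitute an update.
Everything here is constructed for illustration."""
import hashlib
import hmac
import ssl

# Constructed sample update payload and the digest an authenticated manifest
# would carry for it (assumption: the manifest itself is signature-checked).
SAMPLE_UPDATE = b"constructed update payload, build v16"
SAMPLE_UPDATE_SHA256 = hashlib.sha256(SAMPLE_UPDATE).hexdigest()


def make_update_tls_context() -> ssl.SSLContext:
    """TLS context for the update server (CWE-295 mitigation): system trust
    store, certificate verification and hostname checking all left on, so a
    rogue access point presenting a self-signed or mismatched certificate
    cannot complete the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_tls_context() -> ssl.SSLContext:
    """The misconfiguration behind CWE-295, kept only so the audit function
    below has a negative case: verification switched off entirely."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if both the chain and the hostname are checked."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def verify_update_file(blob: bytes, expected_sha256_hex: str) -> bool:
    """Integrity check of a downloaded update (CWE-494 mitigation): compare
    its SHA-256 against the digest from the authenticated manifest.
    compare_digest is used out of habit; the digest is not secret here."""
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def install_checks(ctx: ssl.SSLContext, blob: bytes, expected_sha256_hex: str) -> list:
    """Return the list of reasons the update must NOT be installed; an empty
    list means both the transport and the file passed."""
    findings = []
    if not tls_context_is_strict(ctx):
        findings.append("transport: certificate or hostname verification disabled")
    if not verify_update_file(blob, expected_sha256_hex):
        findings.append("file: digest mismatch against authenticated manifest")
    return findings


if __name__ == "__main__":
    tampered = SAMPLE_UPDATE + b"\x00"   # constructed: one byte appended in transit
    print("strict ctx, good file:", install_checks(make_update_tls_context(), SAMPLE_UPDATE, SAMPLE_UPDATE_SHA256))
    print("weak ctx, tampered file:", install_checks(weakened_tls_context(), tampered, SAMPLE_UPDATE_SHA256))
```

The `install_checks` result is the gate an installer should consult before handing the file to a component running as SYSTEM: any non-empty finding list means the update is discarded, which is the behaviour the affected versions lacked.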

Impact

If the product downloads a specially crafted file, arbitrary code may be executed with SYSTEM privilege.

Solution

Update the software
Apply the appropriate update according to the information provided by the developer.

According to the developer, these vulnerabilities have been resolved in all Titanium versions at or above 2020 (v16) and 2021 (v17).
The developer also states that users still running obsolete versions that are no longer supported should upgrade to the latest supported versions.

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Satoshi Mimura of IERAE SECURITY INC. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

  • CVE: CVE-2020-15604, CVE-2020-24560
  • JVN iPedia: JVNDB-2020-000064