JVN#76257155
Trend Micro Security may insecurely load Dynamic Link Libraries
Overview
Trend Micro Security provided by Trend Micro Incorporated may insecurely load Dynamic Link Libraries.
Products Affected
- Trend Micro Security 2022/2023 17.7.1476 and earlier
- Trend Micro Security 2021 17.0.1412 and earlier
Description
Trend Micro Security provided by Trend Micro Incorporated contains an insecure DLL loading issue (CWE-427).
While the affected version of Trend Micro Security is installed and a malicious DLL is placed in a directory where some application executable resides, invoking the application executable may result in Trend Micro Security loading the malicious DLL.
Impact
Arbitrary program may be executed with the privilege of Trend Micro Security.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer has released the following versions to fix the vulnerability.
- Trend Micro Security 2022/2023 17.7.1634 or later
- Trend Micro Security 2021 17.0.1426 or later
Vendor Status
| Vendor | Link |
| Trend Micro Incorporated | Security Bulletin: Trend Micro Security DLL Hijacking |
References
-
Japan Vulnerability Notes JVNTA#91240916
Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Comment
This analysis assumes that the user is tricked into placing a malicious DLL file prepared by an attacker in a specific folder.
Credit
Rintaro Fujita of Nippon Telegraph and Telephone Corporation, Hiroki Hada of NTT Security (Japan) KK and Hiroki Mashiko of NTT DATA Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-28929 |
| JVN iPedia |
JVNDB-2023-000033 |
Update History
- 2023/05/16
- Information under the section [Description], [Impact] and [Vulnerability Analysis by JPCERT/CC] was updated.