Published: 2019/11/26  Last Updated: 2019/11/27

JVNVU#94282488
Multiple vulnerabilities in multiple Trend Micro products

Overview

Multiple Trend Micro products contain multiple vulnerabilities.

Products Affected

  • Trend Micro Deep Security Manager 12.0, 11.0 and 10.0
  • Trend Micro Deep Security Agent 12.0, 11.0 and 10.0
  • Trend Micro Vulnerability Protection Manager 2.0
The developer states that only the Windows version of Trend Micro Deep Security Agent is affected.

Description

  • Initial LDAP communication of Trend Micro Deep Security Manager and Trend Micro Vulnerability Protection Manager may be transmitted in clear text - CVE-2019-15626
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Base Score: 6.8
    CVSS v2 AV:N/AC:H/Au:N/C:C/I:N/A:N Base Score: 5.4
  • Arbitrary files may be deleted on the server where Trend Micro Deep Security Agent is installed - CVE-2019-15627
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H Base Score: 6.1
    CVSS v2 AV:L/AC:L/Au:S/C:N/I:P/A:C Base Score: 5.2

Impact

  • Initial LDAP communication may be sent in clear text, resulting in information disclosure - CVE-2019-15626
  • Arbitrary files may be deleted on the server where Trend Micro Deep Security Agent is installed - CVE-2019-15627

Solution

Update the Software or Apply the Patch
Update to the latest version or apply the appropriate patch according to the information provided by the developer.

Credit

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2019-15626, CVE-2019-15627

Update History

2019/11/27
Fixed the CVSS scores for CVE-2019-15627