Published: 2020/11/24 Last Updated: 2020/11/24
JVNVU#94694991
Multiple vulnerabilities in Trend Micro Antivirus for Mac
Overview
Antivirus for Mac provided by Trend Micro Incorporated contains multiple vulnerabilities.
Products Affected
CVE-2020-25778, CVE-2020-25779, CVE-2020-27014, CVE-2020-27015
- Antivirus for Mac 2019 (v9.x)
- Antivirus for Mac 2020 (v10.x)
- Antivirus for Mac 2020 (v10.x)
Description
Antivirus for Mac provided by Trend Micro Incorporated contains multiple vulnerabilities listed below.
- Memory information disclosure (CWE-200) - CVE-2020-25778
  CVSS v3 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Base Score: 6.0
- Bypass web threat protection - CVE-2020-25779
  CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N Base Score: 3.2
- Information disclosure (CWE-200) - CVE-2020-27013
  CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Base Score: 4.4
- Time-Of-Check Time-Of-Use race condition in web threat protection (CWE-362) - CVE-2020-27014
  CVSS v3 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Base Score: 8.2
- Information disclosure by error message (CWE-209) - CVE-2020-27015
  CVSS v3 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N Base Score: 6.0
Impact
- An attacker who obtained administrative privileges may obtain and/or alter user information - CVE-2020-25778
- A malicious website compromised by an Internationalized Domain Name homograph attack may be added to the approved websites list of the product's Web Threat Protection feature - CVE-2020-25779
- An attacker with the privilege to execute a command may obtain and/or alter sensitive information - CVE-2020-27013
- An attacker who obtained administrative privileges may cause a kernel panic or a system crash - CVE-2020-27014
- An attacker who obtained administrative privileges may obtain kernel pointers and/or debug messages - CVE-2020-27015
Solution
Upgrade the software
Upgrade to the latest version according to the information provided by the developer.
- Antivirus for Mac 2019 (v9.x)
- The 2019 family (Version 9.x) is no longer supported. The developer recommends that users upgrade to the latest supported version (2021 v11).
Apply the patch
Apply the appropriate patch according to the information provided by the developer.
- Antivirus for Mac 2020 (v10.x)
- The patch that addresses these vulnerabilities is available and it is automatically applied through the product’s automatic ActiveUpdate feature.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Other Information
CVE: CVE-2020-25778, CVE-2020-25779, CVE-2020-27013, CVE-2020-27014, CVE-2020-27015