Published:2020/11/18  Last Updated:2020/11/18

JVNVU#96249940
Trend Micro Security 2020 (Consumer) is vulnerable to arbitrary file deletion

Overview

Trend Micro Security 2020 (Consumer) provided by Trend Micro Incorporated contains an arbitrary file deletion vulnerability.
 

Products Affected

  • Premium Security 2020  for Windows v16 and earlier
  • Maximum Security 2020 for Windows v16 and earlier
  • Internet Security 2020 for Windows v16 and earlier
  • Antivirus+ 2020 for Windows v16 and earlier

Description

Trend Micro Security 2020 (Consumer) provided by Trend Micro Incorporated contains an arbitrary file deletion vulnerability that could allow an unprivileged user to manipulate the product's secure erase feature to delete files with a higher set of privileges.

Impact

An attacker who can access the product may delete arbitrary files and/or folders.

Solution

Apply the patch
Apply the appropriate patch according to the information provided by the developer.
The patch that addresses this vulnerability is available and it is automatically applied through the product’s automatic ActiveUpdate feature.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
Base Score: 5.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)

Credit

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2020-25775
JVN iPedia