Published: 2021/04/20  Last Updated: 2021/04/20

JVNVU#97680506
Multiple vulnerabilities in Worry-Free Business Security Services

Overview

Worry-Free Business Security Services provided by Trend Micro Incorporated contains multiple vulnerabilities.

Products Affected

CVE-2020-24556, CVE-2020-24558

  • Worry-Free Business Security Services (for Windows)

CVE-2020-24559

  • Worry-Free Business Security Services (for macOS)

Description

Worry-Free Business Security Services provided by Trend Micro Incorporated contains multiple vulnerabilities listed below.

  • Improper Hard Link Handling (CWE-59) - CVE-2020-24556, CVE-2020-24559
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.8
  • Out-of-Bounds Read (CWE-125) - CVE-2020-24558
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Base Score: 5.5

Impact

  • An attacker may obtain administrative privileges of the product and execute arbitrary code - CVE-2020-24556, CVE-2020-24559
  • An attacker may crash multiple processes of the product - CVE-2020-24558

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the patches listed below that contain a fix for these vulnerabilities.

  • Worry-Free Business Security Services (for Windows)
    • 6.7.1374 / 14.2.1194
  • Worry-Free Business Security Services (for macOS)
    • Agent 3.5.1396

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Other Information

CVE: CVE-2020-24556, CVE-2020-24558, CVE-2020-24559