JVNVU#98074915
Trend Micro Password Manager may insecurely load Dynamic Link Libraries
Overview
Password Manager provided by Trend Micro Incorporated may insecurely load Dynamic Link Libraries.
Products Affected
- Password Manager 5.x for Windows versions prior to 5.0.0.1217
Description
Password Manager provided by Trend Micro Incorporated contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Impact
During the installation of the product, an arbitrary program may be executed with the privileges of the user invoking the installer.
Solution
Update the Software
If the product is already installed, update to the latest version according to the information provided by the developer.
The update that addresses this vulnerability is available and is automatically applied through the product's ActiveUpdate automatic update feature.
The issue is addressed in the following version:
- Password Manager for Windows 5.0.0.1217
Use the latest version when installing the product.
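A pre-installation check along these lines, as an added example that is not part of the advisory or the vendor's tooling: it compares a version string against the fixed build 5.0.0.1217 and lists any DLL sitting in the same folder as an installer. The function names and the file names in the sample are assumptions made for the illustration.

```python
import tempfile
from pathlib import Path

FIXED_VERSION = (5, 0, 0, 1217)  # fixed Password Manager for Windows build, per the advisory


def parse_version(text):
    """Turn '5.0.0.1217' into (5, 0, 0, 1217) for numeric comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version_text):
    """True for 5.x builds older than the fixed version."""
    version = parse_version(version_text)
    return version[0] == 5 and version < FIXED_VERSION


def dlls_beside(installer):
    """Return the names of DLLs in the installer's own folder, sorted.

    A self-contained installer started from a download folder should have
    none next to it; any hit deserves review before the installer is run.
    """
    folder = Path(installer).resolve().parent
    return sorted(p.name for p in folder.iterdir()
                  if p.is_file() and p.suffix.lower() == ".dll")


def demo():
    # Constructed sample: a temporary download folder holding a placeholder
    # installer and one stray DLL. All file names here are made up.
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "installer-placeholder.exe"
        installer.write_bytes(b"")
        (Path(tmp) / "Example.DLL").write_bytes(b"")
        (Path(tmp) / "notes.txt").write_text("not a library")
        return dlls_beside(installer)


if __name__ == "__main__":
    print("stray DLLs:", demo())
    for v in ("5.0.0.1216", "5.0.0.1217"):  # constructed version strings
        print(v, "affected" if is_affected(v) else "not affected")
```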
Vendor Status
Vendor | Link |
Trend Micro Incorporated | Security Bulletin: Trend Micro Password Manager (Consumer) DLL Hijacking Vulnerability |
References
- Japan Vulnerability Notes JVNTA#91240916: Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |
Comment
This analysis assumes that the user is tricked into placing a malicious DLL file prepared by an attacker in a specific folder.
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Other Information
CVE | CVE-2021-28647 |