JVNVU#98209799
Trend Micro HouseCall for Home Networks (Windows Edition) may insecurely load Dynamic Link Libraries
Overview
Trend Micro HouseCall for Home (Windows Edition) by Trend Micro Incorporated may insecurely load Dynamic Link Libraries.
Products Affected
- HouseCall for Home Networks (Windows Edition) version 5.3.1063 and earlier
Description
HouseCall for Home Networks (Windows Edition) provided by Trend Micro Incorporated contains an issue with the DLL search path. If the product loads a malicious DLL placed in a folder specified by the PATH environment variable, arbitrary code may be executed with escalated privileges (CWE-427).
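As a hardening check related to the PATH dependency described above, the following added example (not part of this advisory and not Trend Micro's code) lists machine-wide PATH folders in which a broad, non-administrative group is allowed to create files. The function name `Get-WritablePathEntry` is hypothetical, and treating the four well-known SIDs below as "non-administrative" is an assumption of the example.

```powershell
# Added example: audit PATH folders for entries that standard users can write to.
# Well-known SIDs of broad groups (assumption: these are the principals of interest).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Access bits that permit creating a file in a directory.
$CreateFiles  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$GenericWrite = 0x40000000
$GenericAll   = 0x10000000
$WriteMask    = $CreateFiles -bor $GenericWrite -bor $GenericAll
$InheritOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WritablePathEntry {
    param([string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine'))

    foreach ($entry in ($PathValue -split ';' | Where-Object { $_.Trim() })) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # Stale entry: the folder does not exist and should be removed from PATH.
            [pscustomobject]@{ Directory = $dir; Principal = $null; Finding = 'Folder not found' }
            continue
        }
        try {
            $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Directory = $dir; Principal = $null; Finding = 'ACL not readable' }
            continue
        }
        # Explicit and inherited ACEs, with identities returned as SIDs (locale independent).
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }      # Deny ACEs are not evaluated here
            if ($rule.PropagationFlags -band $InheritOnly) { continue } # ACE does not apply to the folder itself
            $sid = $rule.IdentityReference.Value
            if ($BroadSids.ContainsKey($sid) -and ([int]$rule.FileSystemRights -band $WriteMask)) {
                [pscustomobject]@{ Directory = $dir; Principal = $BroadSids[$sid]; Finding = 'Can create files' }
            }
        }
    }
}

Get-WritablePathEntry | Sort-Object Directory -Unique | Format-Table -AutoSize
```

An empty result means none of the listed groups can create files in any machine-wide PATH folder. Run it again with `-PathValue $env:Path` to include the current user's PATH entries.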
Impact
An attacker who can log in to the system where the vulnerable product is installed may obtain administrative privileges and execute arbitrary code via a malicious DLL.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer states that the vulnerability was fixed in HouseCall for Home Networks (Windows Edition) version 5.3.1179.
Vendor Status
Vendor | Link |
Trend Micro Incorporated | Security Bulletin: Trend Micro HouseCall for Home Networks DLL Hijacking Vulnerability |
References
- Japan Vulnerability Notes JVNTA#91240916: Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |
Comment
This analysis assumes that the user is tricked into placing a malicious DLL file prepared by an attacker in a specific folder.
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Other Information
CVE | CVE-2021-25247 |