Published: 2021/03/05  Last Updated: 2021/03/05

JVNVU#99545969
Trend Micro Security (Consumer) vulnerable to code injection

Overview

Trend Micro Security (Consumer) provided by Trend Micro Incorporated contains a code injection vulnerability.

Products Affected

  • Premium Security 2020 (v16) and 2021 (v17) for Windows
  • Maximum Security 2020 (v16) and 2021 (v17) for Windows
  • Internet Security 2020 (v16) and 2021 (v17) for Windows
  • Antivirus+ 2020 (v16) and 2021 (v17) for Windows

Description

Trend Micro Security (Consumer) provided by Trend Micro Incorporated contains a code injection vulnerability (CWE-94).

Impact

An attacker who has obtained administrative privileges may execute arbitrary code and disable the protection function for the program's password/system.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
The update that addresses this vulnerability is available and is automatically applied through the product's automatic ActiveUpdate feature.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base Score: 8.2
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

Credit

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN.

Other Information

CVE: CVE-2021-25251