Published: 2021/02/01 Last Updated: 2021/02/01
JVNVU#99814910
Multiple vulnerabilities in the installer of Trend Micro Security 2020 (Consumer)
Overview
The installer of Trend Micro Security 2020 (Consumer) provided by Trend Micro Incorporated contains multiple vulnerabilities.
Products Affected
- Premium Security 2020 for Windows v16
- Maximum Security 2020 for Windows v16
- Internet Security 2020 for Windows v16
- Antivirus+ 2020 for Windows v16
Description
The installer of Trend Micro Security 2020 (Consumer) provided by Trend Micro Incorporated contains multiple vulnerabilities listed below.
- Privilege escalation due to an improper processing in DLL search path (CWE-427) - CVE-2020-27695
  CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Base Score: 6.3
- Privilege escalation by placing the installer in a specific Windows system directory - CVE-2020-27696
  CVSS v3 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L Base Score: 5.0
- Privilege escalation by abusing Symbolic links (CWE-61) - CVE-2020-27697
  CVSS v3 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L Base Score: 5.3
Impact
An attacker may obtain administrative privileges and as a result, arbitrary code may be executed.
Solution
Upgrade the software
Upgrade to the latest version according to the information provided by the developer.
According to the developer, these vulnerabilities have already been addressed in the following version.
- Trend Micro Security 2021 (version 17.x)
Vendor Status
Vendor | Link |
Trend Micro Incorporated | Security Bulletin: Trend Micro Security 2020 (Consumer) Local Privilege Escalation Vulnerabilities |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2020-27695, CVE-2020-27696, CVE-2020-27697 |
JVN iPedia | |