Published: 2021/01/14  Last Updated: 2021/01/14

JVNVU#99904867
Multiple vulnerabilities in Worry-Free Business Security (WFBS)

Overview

Worry-Free Business Security (WFBS) provided by Trend Micro Incorporated contains multiple vulnerabilities.

Products Affected

  • Worry-Free Business Security (WFBS) version 10 SP1

Description

Worry-Free Business Security (WFBS) provided by Trend Micro Incorporated contains multiple vulnerabilities listed below.

  • Improper Authentication (CWE-287) - CVE-2020-24563
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.8
    CVSS v2 AV:L/AC:L/Au:N/C:P/I:P/A:P Base Score: 4.6
  • Out-of-bounds Read (CWE-125) - CVE-2020-24564, CVE-2020-24565, CVE-2020-25770, CVE-2020-25771, CVE-2020-25772
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H Base Score: 5.6
    CVSS v2 AV:L/AC:L/Au:S/C:P/I:P/A:P Base Score: 4.3
  • Path Traversal (CWE-22) - CVE-2020-28574
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Base Score: 10.0
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5

Impact

  • A local attacker may manipulate the process of the security agent unload option (if configured), which may lead to privilege escalation or code execution - CVE-2020-24563
  • A local attacker without administrative privileges may obtain sensitive information in an environment where the agent is installed - CVE-2020-24564, CVE-2020-24565, CVE-2020-25770, CVE-2020-25771, CVE-2020-25772
  • An unauthenticated attacker may bypass the authentication and modify or delete arbitrary files on the product's management console - CVE-2020-28574

Solution

Apply the patch
Apply the appropriate patch according to the information provided by the developer.
The developer has released the patch listed below that contains a fix for these vulnerabilities.

  • Worry-Free Business Security (WFBS) version 10 SP1 Patch 2260

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Other Information

CVE: CVE-2020-24563, CVE-2020-24564, CVE-2020-24565, CVE-2020-25770, CVE-2020-25771, CVE-2020-25772, CVE-2020-28574