Bulletin Date: September 16, 2020
Platform: Microsoft Windows
Assigned CVE: CVE-2020-15604 and CVE-2020-24560
CVSSv3 Score: 5.9 (Medium)
Trend Micro has been made aware of an incomplete SSL server certification validation vulnerability that affects the Trend Micro 2019 (version 15) family of consumer products.
|Premium Security||2019 (v15 and below)||Windows||English|
|Maximum Security||2019 (v15 and below)||Windows||English|
|Internet Security||2019 (v15 and below)||Windows||English|
|Antivirus+||2019 (v15 and below)||Windows||English|
|All Trend Micro Security versions at or above||2020 (v16) and 2021 (v17)||Windows||English|
Trend Micro has confirmed that the latest versions of Trend Micro Security 2020 (version 16) and the newly release 2021 (version 17) families are not affected by this vulnerability. Due to the nature of the solution, customers who are concerned about this issue are advised to upgrade to the latest version of Trend Micro Security 2021 (or 2020) to resolve the issue.
The latest version of Trend Micro Security 2021 (v17) can be found here.
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one.
Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.
Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:
- Mimura Satoshi of Ierae Security Inc.
Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.
- CVE-2020-15604: CWE-494
- CVE-2020-24560: CWE-295