
Bulletin Date: November 17, 2020

Platform: Microsoft Windows

Assigned CVEs: CVE-2020-27695, CVE-2020-27696, CVE-2020-27697

CVSSv3 Scores: 2.7

Severity Rating: Low

Summary

Trend Micro has released a new version of the Trend Micro Security family of consumer-focused products. This update resolves some Local Privilege Escalation vulnerabilities related to the Trend Micro product installer package.

Affected versions

PRODUCT | AFFECTED VERSIONS | PLATFORM | LANGUAGE
Premium Security | 2020 (v16) | Windows | English
Maximum Security | 2020 (v16) | Windows | English
Internet Security | 2020 (v16) | Windows | English
Antivirus+ | 2020 (v16) | Windows | English

Solution

PRODUCT | UPDATED BUILD(S) | PLATFORM | LANGUAGE
All Trend Micro Security 2020 versions above | 2021 (version 17) | Windows | English


Trend Micro has addressed these vulnerabilities in the updated installer for Trend Micro Security 2021 (version 17.x) and recommends that all customers download and upgrade to the latest version.

The latest versions of Trend Micro Security (Consumer) can be found here.

Vulnerability Details

  1. CVE-2020-27695: Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a local directory, which can lead to obtaining administrative privileges during the installation of the product.
  2. CVE-2020-27696: Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a specific Windows system directory, which can lead to obtaining administrative privileges during the installation of the product.
  3. CVE-2020-27697: Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a non-protected location with high privileges (symlink attack), which can lead to obtaining administrative privileges during the installation of the product.

Trend Micro has not received any reports of, and is not aware of, any actual attacks against the affected products related to these vulnerabilities at this time.

Acknowledgement

Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:

  • Eran Shimony of CyberArk

Additional Assistance

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.
