Bulletin Date: June 29, 2021
CVE Vulnerability Identifiers: CVE-2021-32461, CVE-2021-32462
Platform: Microsoft Windows
CVSSv3 Scores: 7.0 - 8.8
Severity Rating: High
Trend Micro has released a new version for the Trend Micro Password Manager for Windows family of consumer products which resolves two vulnerabilities related to Integer Truncation Privilege Escalation and Exposed Hazardous Function Remote Code Execution.
|Trend Micro Password Manager||18.104.22.1687 and below||Microsoft Windows||English|
|Trend Micro Password Manager||22.214.171.1243||Microsoft Windows||English|
Trend Micro has released an update via the product’s ActiveUpdate automatic update mechanism to resolve this issue. Your Trend Micro Password Manager program should receive the update automatically as long as your computer is connected to the Internet.
Customers who have not yet gotten the update can install the latest version manually to address the issue.
CVE-2021-32461: Integer Truncation Privilege Escalation
CVSSv3: 7.0: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Trend Micro Password Manager (Consumer) version 126.96.36.1997 and below is vulnerable to an Integer Truncation Privilege Escalation vulnerability which could allow an unprivileged local attacker to trigger a buffer overflow and escalate privileges on affected installations.
CVE-2021-32462: Exposed Hazardous Function Remote Code Execution
CVSSv3: 8.8: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Trend Micro Password Manager (Consumer) version 188.8.131.527 and below is vulnerable to an Exposed Hazardous Function Remote Code Execution vulnerability which could allow an unprivileged client to manipulate the registry and escalate privileges to SYSTEM on affected installations.
Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.
Trend Micro would like to thank the following individuals for responsibly disclosing the issue and working with Trend Micro to help protect our customers:
- Simon Zuckerbraun of Trend Micro’s Zero Day Initiative
Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.