Bulletin Date: June 29, 2021

CVE Vulnerability Identifiers: CVE-2021-32461, CVE-2021-32462

Platform: Microsoft Windows

CVSSv3 Scores: 7.0 - 8.8

Severity Rating: High

Summary

Trend Micro has released a new version of the Trend Micro Password Manager for Windows family of consumer products, which resolves two vulnerabilities: an Integer Truncation Privilege Escalation and an Exposed Hazardous Function Remote Code Execution.

Affected versions

| PRODUCT | AFFECTED VERSION | PLATFORM | LANGUAGE(S) |
|---|---|---|---|
| Trend Micro Password Manager | 5.0.0.1217 and below | Microsoft Windows | English |

Solution

| PRODUCT | UPDATED VERSION | PLATFORM | LANGUAGE(S) |
|---|---|---|---|
| Trend Micro Password Manager | 5.0.0.1223 | Microsoft Windows | English |


Trend Micro has released an update via the product’s ActiveUpdate automatic update mechanism to resolve this issue. Your Trend Micro Password Manager program should receive the update automatically as long as your computer is connected to the Internet.

Customers who have not yet received the update can install the latest version manually to address the issue.

Vulnerability Details

CVE-2021-32461: Integer Truncation Privilege Escalation

CVSSv3: 7.0: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Trend Micro Password Manager (Consumer) version 5.0.0.1217 and below is vulnerable to an Integer Truncation Privilege Escalation vulnerability which could allow an unprivileged local attacker to trigger a buffer overflow and escalate privileges on affected installations.

CVE-2021-32462: Exposed Hazardous Function Remote Code Execution

CVSSv3: 8.8: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Trend Micro Password Manager (Consumer) version 5.0.0.1217 and below is vulnerable to an Exposed Hazardous Function Remote Code Execution vulnerability which could allow an unprivileged client to manipulate the registry and escalate privileges to SYSTEM on affected installations.

Trend Micro has not received any reports of, nor is it aware of, any actual attacks against the affected product related to this vulnerability at this time.

Acknowledgement

Trend Micro would like to thank the following individuals for responsibly disclosing the issue and working with Trend Micro to help protect our customers:

Additional Assistance

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.

External References

  • ZDI-CAN-13319
  • ZDI-CAN-13363