
Bulletin Date: September 16, 2020

Platform: Microsoft Windows

Assigned CVE: CVE-2020-15604 and CVE-2020-24560

CVSSv3 Score: 5.9 (Medium)

Summary

Trend Micro has been made aware of an incomplete SSL server certification validation vulnerability that affects the Trend Micro 2019 (version 15) family of consumer products.

Affected versions

Product            Affected Versions      Platform   Language(s)
Premium Security   2019 (v15 and below)   Windows    English
Maximum Security   2019 (v15 and below)   Windows    English
Internet Security  2019 (v15 and below)   Windows    English
Antivirus+         2019 (v15 and below)   Windows    English

Solution

Product                   Updated Build                                    Platform   Language(s)
All Trend Micro Security  versions at or above 2020 (v16) and 2021 (v17)   Windows    English


Trend Micro has confirmed that the latest versions of the Trend Micro Security 2020 (version 16) and the newly released 2021 (version 17) families are not affected by this vulnerability. Due to the nature of the solution, customers who are concerned about this issue are advised to upgrade to the latest version of Trend Micro Security 2021 (or 2020) to resolve the issue.

The latest version of Trend Micro Security 2021 (v17) can be found here.

Vulnerability Details

An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one.

Trend Micro has not received any reports of, and is not aware of, any actual attacks against the affected product related to this vulnerability at this time.

Acknowledgement

Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:

  • Mimura Satoshi of Ierae Security Inc.

Additional Assistance

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.

Technical Reference

  • CVE-2020-15604: CWE-494
  • CVE-2020-24560: CWE-295