Bulletin Date: September 25, 2020

Platform: Microsoft Windows

Assigned CVE: CVE-2020-25775

CVSSv3 Score: 5.3 (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H)

Severity Rating: Medium

Summary

Trend Micro has released an update via ActiveUpdate for the Trend Micro Security 2020 consumer family of products to address a race condition arbitrary file deletion vulnerability.

Affected versions

| Product | Affected Versions | Platform | Language(s) |
|---|---|---|---|
| Premium Security | 2020 (v16 and below) | Windows | English |
| Maximum Security | 2020 (v16 and below) | Windows | English |
| Internet Security | 2020 (v16 and below) | Windows | English |
| Antivirus+ | 2020 (v16 and below) | Windows | English |

Solution

| Product | Updated Build(s) | Platform | Language(s) |
|---|---|---|---|
| All Trend Micro Security versions | at or above 2020 (v16) via ActiveUpdate and 2021 (v17) | Windows | English |


Trend Micro has addressed this vulnerability via a patch that is available now through the product’s automatic ActiveUpdate feature for all versions of Trend Micro Security listed above. Customers who are up-to-date and have at least Trend Micro Security 2020 (v16) will already have the necessary patch applied. Customers who are concerned about this issue and have 2019 (v15) and below are advised to upgrade to either 2020 (v16) or 2021 (v17).

The latest version of Trend Micro Security 2021 (v17) can be found here.

Vulnerability Details

The Trend Micro Security 2020 (v16) consumer family of products is vulnerable to a race condition arbitrary file deletion vulnerability that could allow an unprivileged user to manipulate the product’s secure erase feature to delete files with a higher set of privileges.

Trend Micro has not received any reports of, and is not aware of, any actual attacks against the affected product related to this vulnerability at this time.

Acknowledgement

Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:

Additional Assistance

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.

Technical Reference

  • ZDI-CAN-10819