Bulletin Date: November 17, 2020
Platform: Microsoft Windows
Assigned CVE: CVE-2020-27695, 27696, 27697
CVSSv3 Scores: 2.7
Severity Rating: Low
Summary
Trend Micro has released a new version of the Trend Micro Security family of consumer-focused products. This update resolves some Local Privilege Escalation vulnerabilities related to the Trend Micro product installer package.
Affected versions
| PRODUCT | AFFECTED VERSIONS | PLATFORM | PLATFORM |
|---|---|---|---|
| Premium Security | 2020 (v16) | Windows | English |
| Maximum Security | 2020 (v16) | Windows | English |
| Internet Security | 2020 (v16) | Windows | English |
| Antivirus+ | 2020 (v16) | Windows | English |
Solution
| PRODUCT | UPDATED BUILD(S) | PLATFORM | PLATFORM |
|---|---|---|---|
| All Trend Micro Security 2020 versions above | 2021 (version 17) | Windows | English |
Trend Micro has addressed these vulnerabilities in the updated installer for Trend Micro Security 2021 (version 17.x) and recommends that all customers download and upgrade to the latest version.
The latest versions of Trend Micro Security (Consumer) can be found here.
Vulnerability Details
- CVE-2020-27695: Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a local directory which can lead to obtaining administrative privileges during the installation of the product.
- CVE-2020-27696: Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a specific Windows system directory which can lead to obtaining administrative privileges during the installation of the product.
- CVE-2020-27697: Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a non-protected location with high privileges (symlink attack) which can lead to obtaining administrative privileges during the installation of the product.
Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.
Acknowledgement
Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:
- Eran Shimony of CyberArk
Additional Assistance
Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.