Release Date: January 16, 2020
CVE Vulnerability Identifier: CVE-2019-15625
JVN Identifier (JPCERT): 49593434
Platform: Windows, macOS
CVSS 3.0 Score: 5.5
Severity Rating: Medium
Summary
Trend Micro has released updated versions of Trend Micro Password Manager for Windows and macOS which resolve a memory usage vulnerability that if exploited, could allow an attacker try and extract information from a vulnerable system.
Affected versions
Product | Affected Versions | Platform | Language(s) |
---|---|---|---|
Password Manager | 3.8.0.1103 and below | Microsoft Windows | English, Japanese |
3.8.0.1052 and below | macOS | English, Japanese |
Solution
Product | Updated Build | Platform | Language(s) |
---|---|---|---|
Password Manager | 5.0.1058 | Microsoft Windows | English, Japanese |
5.0.1037 | macOS | English, Japanese |
Trend Micro has addressed these vulnerabilities via a patch that is available now through the product’s automatic ActiveUpdate feature for all versions of Trend Micro Password Manager listed above. Customers who have updated to the latest version of Password Manager (5.x) listed above are protected.
Vulnerability Details
This patch includes mitigations for the following vulnerability:
- CVE-2019-15625: A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information. The memory handling process of Password Manager has been enhanced to protect against these types of exploits.
Trend Micro has received no reports nor is aware of any actual attacks against the affected products related to this vulnerability at this time.
Mitigating Factors
Exploiting these types of vulnerabilities require that an attacker has access (physical or remote) to a vulnerable machine.
Even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to upgrade to the latest build as soon as possible.
Acknowledgement
Trend Micro would like to thank the following individuals and/or organizations for responsibly disclosing these issues and working with Trend Micro to help protect our customers:
- BlackWingCat coordinated through JPCERT
Additional Assistance
Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.