CVE-2020-27695
https://notcve.org/view.php?id=CVE-2020-27695
Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a local directory which can lead to obtaining administrative privileges during the installation of the product. Trend Micro Security 2020 (Consumer), contiene una vulnerabilidad en el paquete de instalación que podría ser explotada al colocar una DLL maliciosa en un directorio local que puede conllevar a una obtención de privilegios administrativos durante la instalación del producto • https://helpcenter.trendmicro.com/en-us/article/TMKA-10036 • CWE-426: Untrusted Search Path •
CVE-2020-27696
https://notcve.org/view.php?id=CVE-2020-27696
Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a specific Windows system directory which can lead to obtaining administrative privileges during the installation of the product. Trend Micro Security 2020 (Consumer) contiene una vulnerabilidad en el paquete de instalación que podría ser explotada al colocar un directorio de sistema de Windows específico que puede conllevar a una obtención de privilegios administrativos durante la instalación del producto • https://helpcenter.trendmicro.com/en-us/article/TMKA-10036 •
CVE-2020-25775 – Trend Micro Maximum Security Race Condition Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2020-25775
The Trend Micro Security 2020 (v16) consumer family of products is vulnerable to a security race condition arbitrary file deletion vulnerability that could allow an unprivileged user to manipulate the product's secure erase feature to delete files with a higher set of privileges. La familia de productos de consumo Trend Micro Security 2020 (versión v16), es susceptible a una vulnerabilidad de eliminación de archivos arbitraria de una condición de carrera de seguridad que podría permitir a un usuario poco privilegiado manipular la funcionalidad de borrado seguro del producto para eliminar archivos con un mayor conjunto de privilegios This vulnerability allows local attackers to delete arbitrary files on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of the Secure Erase feature. The issue results from the lack of proper validation of a user-supplied link prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM. • https://helpcenter.trendmicro.com/en-us/article/TMKA-09909 https://www.zerodayinitiative.com/advisories/ZDI-20-1227 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2020-24560
https://notcve.org/view.php?id=CVE-2020-24560
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CWE-295: Improper server certificate verification in the communication with the update server. Una vulnerabilidad de comprobación de certificación de servidor SSL incompleta en la familia de productos de consumidor Trend Micro Security 2019 versión (v15), podría permitir a un atacante combinar esta vulnerabilidad con otro ataque para engañar a un cliente afectado para que descargue una actualización maliciosa en lugar de la esperada. CWE-295: Comprobación inapropiada del certificado del servidor en la comunicación con el servidor de actualización. • https://helpcenter.trendmicro.com/en-us/article/TMKA-09890 https://helpcenter.trendmicro.com/ja-jp/article/TMKA-09673 https://jvn.jp/en/jp/JVN60093979 https://jvn.jp/jp/JVN60093979 • CWE-295: Improper Certificate Validation •
CVE-2020-15604
https://notcve.org/view.php?id=CVE-2020-15604
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CWE-494: Update files are not properly verified. Una vulnerabilidad de comprobación de certificación de servidor SSL incompleta en la familia de productos de consumo Trend Micro Security 2019 versión (v15), podría permitir a un atacante combinar esta vulnerabilidad con otro ataque para engañar a un cliente afectado para que descargue una actualización maliciosa en lugar de la prevista. CWE-494: Los archivos de actualización no se comprobaron apropiadamente. • https://helpcenter.trendmicro.com/en-us/article/TMKA-09890 https://helpcenter.trendmicro.com/ja-jp/article/TMKA-09673 https://jvn.jp/en/jp/JVN60093979 https://jvn.jp/jp/JVN60093979 • CWE-295: Improper Certificate Validation CWE-494: Download of Code Without Integrity Check •