Multiple vulnerabilities in Trend Micro Password Manager for Windows

Published: 2021-06-28 | Updated: 2021-07-05

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2021-32461 CVE-2021-32462
CWE-ID	CWE-190 CWE-749
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Password Manager for Windows Client/Desktop applications / Other client software
Vendor	Trend Micro

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Integer overflow

EUVDB-ID: #VU54422

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-32461

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to integer truncation vulnerability. A local user can trigger buffer overflow and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Password Manager for Windows: 3.8.0.1103 - 5.0.1058

External links

http://helpcenter.trendmicro.com/en-us/article/TMKA-10388
http://www.zerodayinitiative.com/advisories/ZDI-21-773/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Exposed dangerous method or function

EUVDB-ID: #VU54423

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-32462

CWE-ID: CWE-749 - Exposed Dangerous Method or Function