Integer overflow in Password Manager for Windows

#VU54422 Integer overflow in Password Manager for Windows

Published: 2021-06-28 | Updated: 2021-07-05

Vulnerability identifier: #VU54422

Vulnerability risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-32461

CWE-ID: CWE-190

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Password Manager for Windows
Client/Desktop applications / Other client software

Vendor: Trend Micro

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to integer truncation vulnerability. A local user can trigger buffer overflow and execute arbitrary code with elevated privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Password Manager for Windows: 3.8.0.1103 - 5.0.1058

External links
http://helpcenter.trendmicro.com/en-us/article/TMKA-10388
http://www.zerodayinitiative.com/advisories/ZDI-21-773/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Trend Micro Password Manager for Windows