CVE-2019-14688

Published: Feb 20, 2020Modified: Nov 21, 2024

7.0

Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.0 / Impact: 5.9

Source: NVD

Description

Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial product installation by an authorized user. The attacker must convince the target to download malicious DLL locally which must be present when the installer is run.

Affected (11)

Products: Trendmicro: Control Manager, Endpoint Sensor, Im Security, Mobile Security, Officescan, Scanmail, Security, Serverprotect

8 products

Configuration A

11 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Trendmicro Control Manager	Version 7.0
Trendmicro Endpoint Sensor	Version 1.6
Trendmicro Im Security	Version 1.6.5
Trendmicro Mobile Security	Version 9.8
Trendmicro Officescan	Version xg
Trendmicro Scanmail	Version 14.0
Trendmicro Security	Version 2019
Trendmicro Serverprotect	Version 5.8
Trendmicro Serverprotect	Version 5.8
Trendmicro Serverprotect	Version 5.8
Trendmicro Serverprotect	Version 6.0

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

CWE-427

Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

References (2)

https://success.trendmicro.com/solution/1123562

Source: security@trendmicro.com

Vendor Advisory

https://success.trendmicro.com/solution/1123562

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.