Privilege Escalation Vulnerability Discovered in Trend Micro Password Manager.


Peleg Hadar, a security researcher at SafeBreach Labs, has discovered a vulnerability in the Trend Micro Password Manager software.

About Trend Micro Password Manager

Trend Micro Password Manager is standalone software that helps manage website passwords and login IDs in one secure location.

Trend Micro Password Manager’s Vulnerability

The Trend Micro Password Manager Central Control service (PwmSvc.exe) runs as NT AUTHORITY\SYSTEM, which is the most privileged account, and might be exposed to a user-to-SYSTEM privilege escalation if attacked.

A potential attacker can use this service as a persistence mechanism because it automatically starts once the computer boots.

The “PwmSvc.exe” executable is signed by Trend Micro, so if an attacker finds a way to execute code within this process, it can be used as an application whitelisting bypass.

How Attackers Can Leverage Trend Micro’s Vulnerability

  1. Signed Execution and Whitelisting Bypass: This gives an attacker the ability to load and execute a malicious payload using a signed service (PwmSvc.exe).
  2. Privilege Escalation: An attacker may have limited privileges after gaining access to a computer, but the service (PwmSvc.exe) gives him the ability to operate as a powerful user in Windows. This enables him to access almost all files and processes which belong to the affected user on the computer.
  3. Persistence Mechanism: If an attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted. This is because the vulnerability gives an attacker the ability to execute malicious payloads in a persistent way each time the service is loaded.

Affected Versions

  1. Trend Micro Maximum Security / Password Manager 15.0.0.1229
  2. Trend Micro Password Manager Service (PwmSvc.exe) – 3.8.0.1069
  3. Tmwlutil.dll 2.97.0.1161

Vulnerability Patch for Trend Micro

Patches were released on August 14, 2019. The vulnerabilities were given a CVSS 3.0 score of 4.3, which makes them medium severity vulnerabilities.

This patch includes mitigation for the following vulnerabilities:

  1. CVE-2019-14684: A DLL hijacking vulnerability exists in Trend Micro Password Manager 5.0 which, if exploited, would allow an attacker to load an arbitrary unsigned DLL into the signed service’s process.
  2. CVE-2019-14687: A separate, but similar DLL hijacking vulnerability exists in Trend Micro Password Manager 5.0, utilizing a separate DLL.
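
For defenders, the unsigned-DLL-in-a-signed-service condition described above can be detected from Sysmon image-load events (Event ID 7). The sketch below is an added example, not code from Trend Micro or the researcher; it assumes Sysmon image-load logging is enabled and events are exported as XML, and the install path, the trusted-directory list and the sample events are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SERVICE = "pwmsvc.exe"  # service binary named in the article
# Assumption: directories that only administrators can write to on this host.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")

def event_fields(xml_text):
    """Return (event_id, {field: value}) for one exported Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def suspicious_load(xml_text):
    """Return the reasons an image load into the service looks hijacked, else []."""
    event_id, f = event_fields(xml_text)
    if event_id != 7 or ntpath.basename(f.get("Image", "")).lower() != SERVICE:
        return []  # not an image-load event for the monitored service
    reasons = []
    if f.get("Signed", "").lower() != "true" or f.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    loaded_dir = ntpath.dirname(f.get("ImageLoaded", "")).lower()
    if not any(loaded_dir == d or loaded_dir.startswith(d + "\\") for d in TRUSTED_DIRS):
        reasons.append("loaded from outside trusted directories")
    return reasons

def make_event(image, loaded, signed, status, event_id=7):
    """Build a constructed Sysmon-style XML event (sample data, not a real log)."""
    fields = {"Image": image, "ImageLoaded": loaded, "Signed": signed, "SignatureStatus": status}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed paths: the real install directory is not given in the article.
SVC = r"C:\Program Files\ExampleVendor\PwmSvc.exe"
SAMPLES = [
    make_event(SVC, r"C:\Windows\System32\kernel32.dll", "true", "Valid"),
    make_event(SVC, r"C:\Tools\bin\Tmwlutil.dll", "false", "Unavailable"),
    make_event(SVC, r"C:\Tools\bin\helper.dll", "true", "Valid"),
    make_event(r"C:\Windows\notepad.exe", r"C:\Tools\bin\x.dll", "false", "Unavailable"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        _, fields = event_fields(sample)
        print(fields["ImageLoaded"], "->", suspicious_load(sample) or "ok")
```

A signed DLL loaded from a user-writable directory is still flagged, since the load location alone indicates a search-path problem worth investigating.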

According to the Trend Micro Password Manager bulletin, “Trend Micro has received no reports nor is aware of any actual attacks against the affected products related to this vulnerability at this time”. Trend Micro strongly encourages customers to upgrade to the latest build as soon as possible.
