Peleg Hadar, a security researcher at SafeBreach Labs, has discovered a vulnerability in the Trend Micro Password Manager software.
About Trend Micro Password Manager
Trend Micro Password Manager is standalone software that helps manage website passwords and login IDs in one secure location.
Trend Micro Password Manager’s Vulnerability
The Trend Micro Password Manager Central Control service (PwmSvc.exe) runs as NT AUTHORITY\SYSTEM, the most privileged account, so an attack on it might lead to user-to-SYSTEM privilege escalation.
A potential attacker can use this service as a persistence mechanism because it automatically starts once the computer boots.
The “PwmSvc.exe” executable is signed by Trend Micro, so if an attacker finds a way to execute code within this process, it can be used as an application whitelisting bypass.
How Attackers Can Leverage Trend Micro’s Vulnerability
- Signed Execution and Whitelisting Bypass: This gives an attacker the ability to load and execute malicious payloads using a signed service (PwmSvc.exe).
- Privilege Escalation: An attacker may have limited privileges after gaining access to a computer, but the service (PwmSvc.exe) gives him the ability to operate as a powerful user in Windows. This enables him to access almost all files and processes which belong to the affected user on the computer.
- Persistence Mechanism: If an attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted. The vulnerability therefore lets an attacker execute malicious payloads persistently, every time the service is loaded.
- Trend Micro Maximum Security / Password Manager 184.108.40.2069
- Trend Micro Password Manager Service (PwmSvc.exe) – 220.127.116.119
- Tmwlutil.dll 18.104.22.1681
Vulnerability Patch for Trend Micro
Patches were released on August 14, 2019. The vulnerabilities were given a CVSS 3.0 score of 4.3, which makes them medium severity.
The patch includes mitigations for the following vulnerabilities:
- CVE-2019-14684: A DLL hijacking vulnerability exists in Trend Micro Password Manager 5.0 which, if exploited, would allow an attacker to load an arbitrary unsigned DLL into the signed service’s process.
- CVE-2019-14687: A separate, but similar DLL hijacking vulnerability exists in Trend Micro Password Manager 5.0, utilizing a separate DLL.
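A defender-side check for the behaviour CVE-2019-14684 describes, added here as an example and not code from Trend Micro or SafeBreach: it scans Sysmon image-load events (Event ID 7) for DLLs loaded into PwmSvc.exe that are unsigned or fail signature validation. It assumes Sysmon is configured to log image loads; the sample events, paths and signer strings are constructed placeholders.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SERVICE_IMAGE = "pwmsvc.exe"  # service binary named in the article, lowercased

# Constructed sample events: every path and signer string below is a placeholder.
# Positional fields: event id, Image, ImageLoaded, Signed, Signature, SignatureStatus.
_TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{0}</EventID></System><EventData>"
    '<Data Name="Image">{1}</Data><Data Name="ImageLoaded">{2}</Data>'
    '<Data Name="Signed">{3}</Data><Data Name="Signature">{4}</Data>'
    '<Data Name="SignatureStatus">{5}</Data></EventData></Event>'
)
_SVC = r"C:\ExampleInstallDir\PwmSvc.exe"
_ROWS = [
    (7, _SVC, r"C:\Windows\System32\kernel32.dll", "true", "Microsoft Windows", "Valid"),
    (7, _SVC, r"C:\ExampleWritableDir\example.dll", "false", "-", "Unavailable"),
    (7, r"C:\ExampleInstallDir\other.exe", r"C:\Temp\plugin.dll", "false", "-", "Unavailable"),
    (1, _SVC, "", "true", "Example Signer", "Valid"),  # not an image-load event
]
SAMPLE_EVENTS = [_TEMPLATE.format(*row) for row in _ROWS]


def parse_event(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data


def suspicious_loads(events, service=SERVICE_IMAGE):
    """List (dll_path, signature_status) for untrusted DLLs loaded by the service."""
    findings = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id != 7:  # Sysmon Event ID 7 = Image loaded
            continue
        if ntpath.basename(data.get("Image", "")).lower() != service:
            continue  # loaded by some other process
        signed = data.get("Signed", "").lower() == "true"
        status = data.get("SignatureStatus", "")
        if not signed or status != "Valid":
            findings.append((data.get("ImageLoaded", ""), status))
    return findings
```

Calling `suspicious_loads(SAMPLE_EVENTS)` returns only the constructed unsigned DLL loaded by the service; the signed system DLL, the other process and the non-image-load event are ignored.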
According to the Trend Micro Password Manager bulletin, “Trend Micro has received no reports nor is aware of any actual attacks against the affected products related to this vulnerability at this time”. Trend Micro strongly encourages customers to upgrade to the latest build as soon as possible.