SECURITY BULLETIN: Memory Usage Vulnerability in Trend Micro Password Manager
CVE Vulnerability Identifier: CVE-2019-15625
JVN Identifier (JPCERT): 49593434
Platform: Windows, macOS
CVSS 3.0 Score: 5.5
Severity Rating: Medium
Trend Micro has released updated versions of Trend Micro Password Manager for Windows and macOS which resolve a memory usage vulnerability that, if exploited, could allow an attacker to try to extract information from a vulnerable system.
|Product|Version|Platform|Language|
|---|---|---|---|
|Password Manager|22.214.171.1243 and below|Microsoft Windows|English, Japanese|
|Password Manager|126.96.36.1992 and below|macOS|English, Japanese|
|Password Manager|5.0.1058|Microsoft Windows|English, Japanese|
Trend Micro has addressed these vulnerabilities via a patch that is available now through the product’s automatic ActiveUpdate feature for all versions of Trend Micro Password Manager listed above. Customers who have updated to the latest version of Password Manager (5.x) listed above are protected.
This patch includes mitigations for the following vulnerability:
- CVE-2019-15625: A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information. The memory handling process of Password Manager has been enhanced to protect against these types of exploits.
Trend Micro has not received any reports of, and is not aware of, any actual attacks against the affected products related to this vulnerability at this time.
Exploiting these types of vulnerabilities requires that an attacker have access (physical or remote) to a vulnerable machine.
Even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to upgrade to the latest build as soon as possible.
Trend Micro would like to thank the following individuals and/or organizations for responsibly disclosing these issues and working with Trend Micro to help protect our customers:
- BlackWingCat coordinated through JPCERT
Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.