SECURITY BULLETIN: Memory Usage Vulnerability in Trend Micro Password Manager

  • Solution ID: 1123595
  • Last Updated: Jan. 16, 2020 5:38 AM (PST)
  • Applies to: Password Manager - 3.8
Release Date: January 16, 2020 
CVE Vulnerability Identifier: CVE-2019-15625
JVN Identifier (JPCERT): 49593434
Platform: Windows, macOS
CVSS 3.0 Score: 5.5 
Severity Rating: Medium

Summary

Trend Micro has released updated versions of Trend Micro Password Manager for Windows and macOS which resolve a memory usage vulnerability that, if exploited, could allow an attacker to try to extract information from a vulnerable system.

 

Affected versions

| Product | Affected Versions | Platform | Language(s) |
|---|---|---|---|
| Password Manager | 3.8.0.1103 and below | Microsoft Windows | English, Japanese |
| Password Manager | 3.8.0.1052 and below | macOS | English, Japanese |

Solution

| Product | Updated Build | Platform | Language(s) |
|---|---|---|---|
| Password Manager | 5.0.1058 | Microsoft Windows | English, Japanese |
| Password Manager | 5.0.1037 | macOS | English, Japanese |

Trend Micro has addressed these vulnerabilities via a patch that is available now through the product’s automatic ActiveUpdate feature for all versions of Trend Micro Password Manager listed above.  Customers who have updated to the latest version of Password Manager (5.x) listed above are protected.
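The following Python is an added example, not Trend Micro code: it triages a software inventory against the affected and updated builds listed in the tables above. The host names and inventory rows are constructed sample data, and the "review" status for builds between the listed thresholds is an assumption made here because the bulletin does not state their status.

```python
# Thresholds copied from the bulletin's tables (affected: "and below"; fixed: updated build).
AFFECTED_MAX = {"windows": (3, 8, 0, 1103), "macos": (3, 8, 0, 1052)}
FIXED_MIN = {"windows": (5, 0, 1058), "macos": (5, 0, 1037)}


def parse_version(text):
    """Turn '3.8.0.1103' into (3, 8, 0, 1103); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(platform, version):
    """Return 'affected', 'fixed', or 'review' for one installation."""
    key = platform.strip().lower()
    if key not in AFFECTED_MAX:
        return "review"  # platform not covered by the bulletin
    try:
        v = parse_version(version)
    except ValueError:
        return "review"  # inventory value is not a dotted build number
    if v <= AFFECTED_MAX[key]:
        return "affected"
    if v >= FIXED_MIN[key]:
        return "fixed"
    # Assumption: builds between the two thresholds are not listed, so flag them.
    return "review"


def triage(inventory):
    """Group (host, platform, version) rows by classification."""
    result = {"affected": [], "fixed": [], "review": []}
    for host, platform, version in inventory:
        result[classify(platform, version)].append(host)
    return result


# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    ("host-a", "Windows", "3.8.0.1103"),
    ("host-b", "macOS", "3.8.0.1052"),
    ("host-c", "Windows", "5.0.1058"),
    ("host-d", "macOS", "5.0.1036"),
    ("host-f", "Linux", "5.0.1058"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```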

 

Vulnerability Details:

This patch includes mitigations for the following vulnerability:

  • CVE-2019-15625: A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.  The memory handling process of Password Manager has been enhanced to protect against these types of exploits.

Trend Micro has not received any reports of, nor is it aware of, any actual attacks against the affected products related to this vulnerability at this time.

 

Mitigating Factors

Exploiting these types of vulnerabilities requires that an attacker has access (physical or remote) to a vulnerable machine.

Even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to upgrade to the latest build as soon as possible.

 

Acknowledgement

Trend Micro would like to thank the following individuals and/or organizations for responsibly disclosing these issues and working with Trend Micro to help protect our customers:

  • BlackWingCat coordinated through JPCERT

Additional Assistance

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.