DLL Hijack Vulnerability in Trend Micro Installation Packages
CVE-2019-14688

7HIGH

Key Information:

Vendor: Trend Micro
Status: Trend Micro Im Security (ims), Trend Micro Control Manager (tmcm), Trend Micro Officescan (osce), Trend Micro Endpoint Sensor (tmes), Trend Micro Security (consumer), Trend Micro Scanmail For Microsoft Exchange (smex), Trend Micro Serverprotect (sp), Trend Micro Mobile Security Enterprise (tmms Enterprise)
Vendor: CVE Published:; 20 February 2020

Summary

Trend Micro installation packages have been found to contain a DLL hijack vulnerability that is exploitable during the initial installation phase of various products. This issue occurs when an authorized user unknowingly runs the installer, allowing an attacker to require the download of a malicious DLL file on the user's local system. As a result, the compromised DLL could be executed, leading to potential unauthorized actions on the system. The vulnerability raises concerns about the security of software installations and the need for users to be vigilant during the setup process.

Affected Version(s)

Trend Micro IM Security (IMS), Trend Micro Control Manager (TMCM), Trend Micro OfficeScan (OSCE), Trend Micro Endpoint Sensor (TMES), Trend Micro Security (Consumer), Trend Micro ScanMail for Microsoft Exchange (SMEX), Trend Micro ServerProtect (SP), Trend Micro Mobile Security Enterprise (TMMS Enterprise) IMS 1.6.5, TMCM 7.0, OSCE XG, TMES 1.6, Trend Micro Security 2019, SMEX 14.0, SPNT 5.8/6.0, TMMS Enterprise 9.8

References

https://success.trendmicro.com/solution/1123562

x_refsource_MISC

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 20, 2020
Vulnerability Reserved
Aug 5, 2019