Lucene search

[email protected]NVD:CVE-2020-24560

HistorySep 24, 2020 - 2:15 a.m.

CVE-2020-24560

2020-09-2402:15:12

CWE-295

[email protected]

web.nvd.nist.gov

ssl validation

trend micro security

malicious updates

cwe-295

update server

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.003

Percentile

66.6%

JSON

An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CWE-295: Improper server certificate verification in the communication with the update server.

Affected configurations

Nvd

Node

microsoftwindowsMatch-

AND

trendmicroantivirus\+_2019Range≤15.0

trendmicrointernet_security_2019Range≤15.0

trendmicromaximum_security_2019Range≤15.0

trendmicroofficescan_cloudMatch15

trendmicropremium_security_2019Range≤15.0

VendorProductVersionCPE
microsoftwindows-cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
trendmicroantivirus\+_2019*cpe:2.3:a:trendmicro:antivirus\+_2019:*:*:*:*:*:*:*:*
trendmicrointernet_security_2019*cpe:2.3:a:trendmicro:internet_security_2019:*:*:*:*:*:*:*:*
trendmicromaximum_security_2019*cpe:2.3:a:trendmicro:maximum_security_2019:*:*:*:*:*:*:*:*
trendmicroofficescan_cloud15cpe:2.3:a:trendmicro:officescan_cloud:15:*:*:*:*:*:*:*
trendmicropremium_security_2019*cpe:2.3:a:trendmicro:premium_security_2019:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
microsoft	windows	-	cpe:2.3:o:microsoft:windows:-:::::::*
trendmicro	antivirus\+_2019	*	cpe:2.3:a:trendmicro:antivirus\+_2019::::::::
trendmicro	internet_security_2019	*	cpe:2.3:a:trendmicro:internet_security_2019::::::::
trendmicro	maximum_security_2019	*	cpe:2.3:a:trendmicro:maximum_security_2019::::::::
trendmicro	officescan_cloud	15	cpe:2.3:a:trendmicro:officescan_cloud:15:::::::*
trendmicro	premium_security_2019	*	cpe:2.3:a:trendmicro:premium_security_2019::::::::

References

helpcenter.trendmicro.com/en-us/article/TMKA-09890

helpcenter.trendmicro.com/ja-jp/article/TMKA-09673

jvn.jp/en/jp/JVN60093979/

jvn.jp/jp/JVN60093979/

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.003

Percentile

66.6%

JSON

Related for NVD:CVE-2020-24560

prion1 cve1 cvelist1 jvn1