Trend Micro fixes privilege escalation security flaw in Password Manager

The vulnerability could be used for privilege escalation and code execution attacks.
Written by Charlie Osborne, Contributing Writer

Trend Micro has issued a fix to resolve a vulnerability found in the cybersecurity firm's password manager software that could lead to DLL hijacking, privilege escalation, and code execution attacks. 

The vulnerability's existence was made public on Wednesday. In a security advisory published by SafeBreach Labs, the researchers said the bug, tracked as CVE-2019-14684, impacts Trend Micro Password Manager 5.0, a standalone security product used to store and secure passwords for online accounts.  

Trend Micro's Premium Security and Maximum Security software version 15 are also affected as they include Password Manager as an inbuilt feature. 

According to SafeBreach Labs, the security flaw was found after the team targeted the "Trend Micro Password Manager Central Control Service," also known as PwmSvc.exe, as the core service runs via the Windows NT AUTHORITY\SYSTEM, a process with high permission levels. 

See also: Cloud Atlas threat group updates weaponry with polymorphic malware

"The executable of the service is signed by Trend Micro and if the hacker finds a way to execute code within this process, it can be used as an application whitelisting bypass," the researchers say. "This service automatically starts once the computer boots, which means that it's a potential target for an attacker to be used as a persistence mechanism."

This is exactly what was achieved during the team's investigation.  

Once the executable is loaded, the Trend Micro White List Module, tmwlutil.dll, is loaded, but a missing DLL file meant the system eventually connected to the c:\python27 directory instead. However, a lack of safe DLL loading controls meant this pathway could be exploited. 

If an attacker has access to the vulnerable machine, they can tamper with access control lists (ACL) and permit crafted and unsigned DLLs to be signed by Trend Micro through NT AUTHORITY\SYSTEM.

In turn, this can lead to privilege escalation attacks, code execution, and whitelist bypass. 

CNET: US sets up new task force to fight Russian election interference

"After an attacker gains access to a computer, he might have limited privileges which can limit his operations to access certain files and data," SafeBreach Labs says. "The service provides him with the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows, so he can access almost every file and process which belongs to the user on the computer."

The vulnerability was disclosed to Trend Micro on July 23, 2019. The cybersecurity firm responded a day later, leading to a patch being developed for the software by July 31. 

Trend Micro released a security bulletin describing the security flaw on August 14. Within the advisory, the cybersecurity firm also noted that CVE-2019-14687 has been patched; a similar DLL hijacking bug which impacts a separate DLL to the initial report. 

TechRepublic: Android Q: Cheat sheet

Both of the vulnerabilities have been resolved in Password Manager version While physical access to a machine is required to trigger an exploit chain, given the consequences of privilege escalation at a high Windows permission level, it is recommended that users update their software.

"Even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to upgrade to the latest build as soon as possible," the firm added.

Trend Micro says there have been no reports of these vulnerabilities being exploited in the wild. 

North Korea's history of bold cyber attacks

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards