Release Date: August 19, 2020
CVE Identifier(s): CVE-2020-8602, CVE-2020-15601
CVSS 3.1 Score(s): 7.2 and 8.1
Severity Rating(s): High
Trend Micro has released new patches for Trend Micro Deep Security Manager and Trend Micro Vulnerability Protection. These patches resolve two security issues which, in certain circumstances, could impact the confidentiality, integrity and availability of the management console.
| PRODUCT | AFFECTED VERSION(S) | PLATFORM | LANGUAGE(S) |
|---|---|---|---|
| Deep Security Manager* | Version 12.0 | Windows | English |
| Deep Security Manager* | Version 11.0 | Windows | English |
| Deep Security Manager* | Version 10.0 | Windows | English |
| Vulnerability Protection | Version 2.0 SP2 | Windows | English |

| PRODUCT | UPDATED VERSION | UPDATE DATE | PLATFORM | AVAILABILITY |
|---|---|---|---|---|
| Deep Security Manager | Version 12.0 U11 | August 19, 2020 | Windows | Now Available |
| Deep Security Manager | Version 11.0 U22 | July 15, 2020 | Windows | Now Available |
| Deep Security Manager | Version 10.0 U27 | August 7, 2020 | Windows | Now Available |
| Vulnerability Protection | Version 2.0 SP2 Patch7 CP5 | August 12, 2020 | Windows | Now Available |
CVE-2020-8602: Deep Security Manager and Vulnerability Protection Integrity Verification Bypass
CVSSv3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
A vulnerability in the affected products' management console may allow an authenticated attacker with full control privileges to bypass file integrity checks, leading to remote code execution.
CVE-2020-15601: Deep Security Manager and Vulnerability Protection LDAP Authentication Bypass
CVSSv3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
If LDAP authentication is enabled, an unauthenticated attacker with prior knowledge of the targeted organization may be able to bypass manager authentication.
Enabling multi-factor authentication prevents this attack.
Installations using manager native authentication or SAML authentication are not impacted by this vulnerability.