CVE-2019-14685

7.8 HIGH

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in Trend Micro Security 2019 in which a local user can abuse an unquoted service path so that the service loads a malicious binary with SYSTEM privileges. It affects users running Trend Micro Security 2019 version 15.0 on Windows systems. The vulnerability allows authenticated local users to escalate their privileges to SYSTEM level.

💻 Affected Systems

Products:
  • Trend Micro Maximum Security 2019
  • Trend Micro Security 2019
Versions: Version 15.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local authenticated access to the Windows system. The vulnerability is in how the Trend Micro service handles unquoted paths in service execution.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker gains full SYSTEM privileges on the Windows machine, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement capabilities.

🟠 Likely Case

Malicious insider or malware with user-level access escalates to SYSTEM privileges to disable security software, install backdoors, or access protected system resources.

🟢 If Mitigated

With proper endpoint protection and least privilege principles, the impact is limited to isolated systems with no lateral movement capabilities.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring authenticated access to the system.
🏢 Internal Only: HIGH - Internal attackers or malware with user access can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public proof-of-concept exploits exist. Exploitation requires local authenticated access but is straightforward once that access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in later versions (beyond 15.0)

Vendor Advisory: https://esupport.trendmicro.com/en-us/home/pages/technical-support/1123420.aspx

Restart Required: Yes

Instructions:

1. Open Trend Micro Security 2019.
2. Click 'Check for Updates'.
3. Install all available updates.
4. Restart the computer when prompted.

🔧 Temporary Workarounds

Manual service path quoting (Windows)

Manually modify the Trend Micro service to use a quoted path in the Windows Registry:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\TmFilter" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe\"" /f

Restrict service permissions (Windows)

Modify the service's security descriptor so that unprivileged users cannot change its configuration:

sc sdset TmFilter D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

🧯 If You Can't Patch

  • Implement strict least privilege principles - ensure no users have unnecessary local administrative rights
  • Deploy application whitelisting to prevent execution of unauthorized binaries in system directories

🔍 How to Verify

Check if Vulnerable:

Check the Trend Micro Security version: open the application and verify whether the version is 15.0. Then check the Trend Micro service for an unquoted ImagePath with: sc qc TmFilter

Check Version:

Open Trend Micro Security 2019 GUI or check registry: reg query "HKLM\SOFTWARE\TrendMicro\AMSP" /v Version

Verify Fix Applied:

Verify that the Trend Micro version is later than 15.0. Check that the service path is quoted in the registry: reg query "HKLM\SYSTEM\CurrentControlSet\Services\TmFilter" /v ImagePath
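The unquoted-path check above, generalized: an added PowerShell script (not from the advisory or from Trend Micro) that flags any Win32 service whose image path is not wrapped in quotes yet contains a space before the executable name, and then reports on the TmFilter service named on this page. It only reads service configuration; the service name and the ".exe" heuristic are assumptions, and kernel drivers are not covered because they are not exposed through Win32_Service.

```powershell
# Added audit example for CVE-2019-14685 (not vendor code). Run from an elevated
# PowerShell prompt; nothing is modified. Assumption: a path is at risk when it is
# unquoted and the part up to the first ".exe" contains a space.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if (-not $p -or $p.StartsWith('"')) { return $false }   # empty or already quoted
    $end = $p.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($end -lt 0) { return $false }                       # not a Win32 executable path
    $exe = $p.Substring(0, $end + 4)                        # executable only, arguments dropped
    return $exe.Contains(' ')
}

function Get-UnquotedServices {
    # Every service whose command line Windows would have to guess at when starting it.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-UnquotedServicePath -ImagePath ([string]$_.PathName) } |
        Select-Object Name, StartMode, StartName, PathName
}

# 1. The service this advisory names (assumed name taken from the page).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='TmFilter'"
if ($svc) {
    $state = if (Test-UnquotedServicePath ([string]$svc.PathName)) { 'UNQUOTED - apply the fix' } else { 'quoted / not affected' }
    '{0}: {1} -> {2}' -f $svc.Name, $svc.PathName, $state
} else {
    'TmFilter is not registered as a Win32 service on this host'
}

# 2. Everything else on the box, since the same weakness is not specific to one vendor.
Get-UnquotedServices | Format-Table -AutoSize
```

Compare the reported PathName with the quoted value set by the workaround above before and after applying the fix.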

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing unauthorized service modifications (Event ID 7045)
  • Trend Micro logs showing service restart failures
  • Security logs showing privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from SYSTEM context after local user login
  • Unexpected service control protocol traffic

SIEM Query:

(source="Windows Security" EventID=4688 NewProcessName="*\system32\*" ParentProcessName="*Trend Micro*") OR (source="Windows System" EventID=7045 ServiceName="TmFilter")
