CVE-2020-24560
📋 TL;DR
Trend Micro Security 2019 (v15) consumer products have an incomplete SSL server certificate validation vulnerability that allows attackers to potentially intercept and redirect update requests. This could lead to downloading malicious updates instead of legitimate ones. Affected users are those running vulnerable versions of Trend Micro consumer security software.
💻 Affected Systems
- Trend Micro Security 2019
- Trend Micro Internet Security 2019
- Trend Micro Maximum Security 2019
📦 What is this software?
Antivirus+ 2019 by Trend Micro
OfficeScan Cloud by Trend Micro
⚠️ Risk & Real-World Impact
Worst Case
Attackers could deliver malicious updates that install malware, backdoors, or ransomware on affected systems, potentially leading to complete system compromise.
Likely Case
Attackers in a man-in-the-middle position could redirect update traffic to malicious servers, delivering compromised security updates that weaken system protection.
If Mitigated
With proper network segmentation and certificate validation in place, the attack requires privileged network access and specific conditions, which reduces the likelihood of successful exploitation.
🎯 Exploit Status
Requires man-in-the-middle position and ability to intercept update traffic. Must be combined with other attack vectors for full exploitation.
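The flaw described above is an update client that encrypts its connection but does not fully authenticate the server. The following is an added example, not Trend Micro's code, showing what complete TLS server certificate validation looks like in a Python update client beside the incomplete pattern: chain verification against a trust store, hostname checking, and a modern minimum protocol version. The host name, file names and the `validation_gaps` audit helper are assumptions for illustration.

```python
"""Added example (not vendor code): complete vs. incomplete TLS server
certificate validation for an update client, plus an audit helper that
reports which checks a given SSLContext is missing."""
import socket
import ssl
from typing import List, Optional

# Assumed placeholder; the real update server name is not part of this advisory.
UPDATE_HOST = "updates.example.invalid"
UPDATE_PORT = 443


def incomplete_context() -> ssl.SSLContext:
    """The anti-pattern: the channel is encrypted, but the server is never
    authenticated, so any on-path party can answer as the update server.
    check_hostname must be cleared before verify_mode is set to CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Complete validation: chain verified against a trust store (the OS store,
    or a vendor CA bundle passed as ca_bundle), hostname checked, TLS >= 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def validation_gaps(ctx: ssl.SSLContext) -> List[str]:
    """Audit helper (assumed, not a vendor API): list the validation steps a
    context skips. An empty list means every check this helper knows about is on."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("chain not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        gaps.append("hostname not checked (check_hostname is False)")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        gaps.append("no CA certificates loaded (nothing to anchor the chain to)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        gaps.append("legacy TLS versions allowed")
    return gaps


def fetch_update_manifest(ctx: ssl.SSLContext, host: str = UPDATE_HOST,
                          port: int = UPDATE_PORT) -> bytes:
    """Connect with the given context. Passing server_hostname is what makes the
    hostname check possible; with the hardened context a mismatched or
    untrusted certificate raises ssl.SSLCertVerificationError before any data
    is exchanged. (Network call; not exercised by the offline checks.)"""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"GET /manifest HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)


if __name__ == "__main__":
    for name, ctx in (("incomplete", incomplete_context()),
                      ("hardened", hardened_context())):
        print(name, validation_gaps(ctx) or "no gaps found")
```

Run as a script it prints the gaps of each context; `validation_gaps` is the kind of check worth running over any TLS client configuration that fetches code or signatures, since a context with `CERT_NONE` or `check_hostname = False` is exactly the "incomplete validation" this advisory describes.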
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.0.2179 and later
Vendor Advisory: https://helpcenter.trendmicro.com/en-us/article/TMKA-09890
Restart Required: Yes
Instructions:
1. Open Trend Micro Security 2019.
2. Click 'Check for Updates'.
3. Install available updates.
4. Restart computer if prompted.
5. Verify version is 15.0.2179 or higher.
🔧 Temporary Workarounds
Disable automatic updates temporarily
Platform: Windows. Prevent automatic update checks until patched, to avoid delivery of a malicious update.
Open Trend Micro > Settings > Update > Uncheck 'Automatically download and install program updates'
Network segmentation
Platform: all. Isolate vulnerable systems from untrusted networks to prevent man-in-the-middle attacks.
🧯 If You Can't Patch
- Implement strict network controls to prevent man-in-the-middle attacks on update traffic
- Monitor for unusual update server connections or certificate validation failures
🔍 How to Verify
Check if Vulnerable:
Check Trend Micro version: Open Trend Micro > Help > About. If version is below 15.0.2179, system is vulnerable.
Check Version:
No command-line check is available; check via the GUI: Help > About in the Trend Micro interface.
Verify Fix Applied:
Verify version is 15.0.2179 or higher in Help > About. Check that updates complete successfully.
📡 Detection & Monitoring
Log Indicators:
- Failed SSL certificate validations logged by the Trend Micro client
- Update attempts to non-Trend Micro servers
- Unusual update package downloads
Network Indicators:
- SSL/TLS connections to non-Trend Micro update servers
- Man-in-the-middle activity on update traffic ports
SIEM Query:
source="trendmicro" AND (event_type="update_failure" OR certificate_validation="failed")
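The SIEM query above only matches explicit failure events; the network indicators in this section also call for checking which hosts the update client actually talks to. The following added example, not part of the advisory, runs both checks over a few constructed log lines in a key=value layout: it flags certificate validation that did not succeed, update failures, and update requests to hosts outside an assumed vendor domain allowlist. The log format, field names, hostnames and the `trendmicro.com` allowlist are assumptions; the real update hostnames are not given in the advisory.

```python
"""Added example (not vendor code): detection logic for the log and network
indicators in this advisory, run over constructed sample log lines."""
from typing import Dict, List

# Assumed allowlist; the advisory does not name the real update hosts.
ALLOWED_UPDATE_DOMAINS = ("trendmicro.com",)

# Constructed sample events (not real telemetry). Field names are assumptions.
SAMPLE_LOGS = [
    "ts=2020-08-25T10:00:01Z source=trendmicro event_type=update_ok "
    "host=updates.trendmicro.com certificate_validation=ok",
    "ts=2020-08-25T10:05:12Z source=trendmicro event_type=update_failure "
    "host=updates.trendmicro.com certificate_validation=failed reason=hostname_mismatch",
    "ts=2020-08-25T10:07:40Z source=trendmicro event_type=update_ok "
    "host=updates.trendmicro.com.evil.example certificate_validation=ok",
    "ts=2020-08-25T10:09:03Z source=trendmicro event_type=update_ok "
    "host=10.0.0.5 certificate_validation=skipped",
]


def parse_kv(line: str) -> Dict[str, str]:
    """Split a space-separated key=value line into a dict."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_vendor_host(host: str) -> bool:
    """Match on whole DNS labels, not substrings: 'updates.trendmicro.com.evil.example'
    contains the vendor name but is not under the vendor domain."""
    host = host.lower().rstrip(".")
    for domain in ALLOWED_UPDATE_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return True
    return False


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per indicator per event. Anything other than a
    successful validation ('ok') is treated as not validated, so 'skipped'
    and 'failed' are both flagged."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("source") != "trendmicro":
            continue
        ts = ev.get("ts", "?")
        host = ev.get("host", "")
        if not is_vendor_host(host):
            findings.append({"ts": ts, "indicator": "non_vendor_host", "detail": host})
        if ev.get("certificate_validation") != "ok":
            findings.append({"ts": ts, "indicator": "certificate_validation_failed",
                             "detail": ev.get("certificate_validation", "missing")})
        if ev.get("event_type") == "update_failure":
            findings.append({"ts": ts, "indicator": "update_failure",
                             "detail": ev.get("reason", "unspecified")})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f["ts"], f["indicator"], f["detail"])
```

Of the four sample events only the first is clean: the second matches the advisory's SIEM query, while the third and fourth would pass that query yet show the client reaching a host outside the vendor domain, which is the network indicator the query alone does not cover.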
🔗 References
- https://helpcenter.trendmicro.com/en-us/article/TMKA-09890
- https://helpcenter.trendmicro.com/ja-jp/article/TMKA-09673
- https://jvn.jp/en/jp/JVN60093979/
- https://jvn.jp/jp/JVN60093979/