CVE-2021-28647
📋 TL;DR
Trend Micro Password Manager 5 (Consumer) has a DLL hijacking vulnerability in its installer: if an attacker has placed a malicious DLL in one of the installation directories the installer searches, the installer loads that DLL in place of the legitimate one, giving the attacker arbitrary code execution. This affects all users of Trend Micro Password Manager version 5 (Consumer) who install the software on their systems.
💻 Affected Systems
- Trend Micro Password Manager (Consumer)
📦 What is this software?
Password Manager by Trend Micro
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining persistent access, stealing all stored passwords, and installing additional malware or ransomware.
Likely Case
Local privilege escalation leading to credential theft from the password manager and potential lateral movement within the network.
If Mitigated
Limited impact with proper endpoint protection detecting malicious DLLs and restricting installation privileges.
🎯 Exploit Status
Requires local access to place malicious DLLs in installation directories. Social engineering could trick users into installing malicious software.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 5.0.0.1267 or later
Vendor Advisory: https://helpcenter.trendmicro.com/en-us/article/TMKA-10282
Restart Required: Yes
Instructions:
1. Open Trend Micro Password Manager.
2. Go to Settings > About.
3. Check the current version.
4. If it is below 5.0.0.1267, download the latest version from the Trend Micro website.
5. Run the installer and follow the prompts.
6. Restart the computer after installation.
🔧 Temporary Workarounds
Restrict installation privileges (Windows)
Limit user permissions to prevent unauthorized software installation and DLL placement.
- Use Group Policy to restrict standard user installation rights
Monitor DLL loading (Windows)
Configure endpoint protection to monitor and block suspicious DLL loading during installations.
- Configure Windows Defender Application Control or a third-party EDR
🧯 If You Can't Patch
- Uninstall Trend Micro Password Manager 5 and use alternative password management solutions
- Implement strict application whitelisting to prevent unauthorized software installation
🔍 How to Verify
Check if Vulnerable:
Check the Trend Micro Password Manager version in Settings > About. If the version is below 5.0.0.1267, the system is vulnerable.
Check Version:
Check the program version in Windows Add/Remove Programs or via Settings > About in the application.
Verify Fix Applied:
Verify that the version is 5.0.0.1267 or higher in Settings > About. Test installation of legitimate software to confirm that no unexpected DLL loading occurs.
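The version check above is a manual one. As an added example (not code from the advisory or from Trend Micro), the Python script below compares an installed version string against the fixed build 5.0.0.1267 numerically, which matters because a plain string comparison ranks "5.0.0.999" above "5.0.0.1267". On Windows it also reads DisplayVersion from the Add/Remove Programs registry keys; matching entries on the DisplayName fragment "Password Manager" is an assumption about how the product is listed there.

```python
"""Added example (not Trend Micro's code): check an installed Trend Micro Password
Manager version against the fixed build 5.0.0.1267 from the advisory."""
import sys

FIXED_VERSION = "5.0.0.1267"

# Add/Remove Programs lists entries from these keys; 32-bit products on 64-bit
# Windows land under WOW6432Node.
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


def parse_version(text: str) -> tuple:
    """Turn '5.0.0.1267' into (5, 0, 0, 1267). Non-digit characters inside a
    component (e.g. '1267b') are dropped so the comparison stays numeric."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly below the fixed build.
    Both tuples are right-padded with zeros so '5.0' compares as '5.0.0.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_installed_versions(name_fragment: str = "Password Manager") -> list:
    """Return (DisplayName, DisplayVersion) pairs for Add/Remove Programs entries
    whose DisplayName contains name_fragment. Windows only; returns [] elsewhere.
    The 'Password Manager' fragment is an assumption about the entry's name."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    found = []
    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for path in UNINSTALL_KEYS:
            try:
                key = winreg.OpenKey(root, path)
            except OSError:
                continue
            with key:
                for i in range(winreg.QueryInfoKey(key)[0]):
                    try:
                        with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                            name = winreg.QueryValueEx(sub, "DisplayName")[0]
                            version = winreg.QueryValueEx(sub, "DisplayVersion")[0]
                    except OSError:
                        continue  # entry lacks one of the values; skip it
                    if name_fragment.lower() in str(name).lower():
                        found.append((str(name), str(version)))
    return found


if __name__ == "__main__":
    # As text, "5.0.0.999" > "5.0.0.1267"; as tuples it is correctly below.
    for v in ("5.0.0.999", "5.0.0.1267", "5.0.0.1300"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for name, version in find_installed_versions():
        print(name, version, "vulnerable" if is_vulnerable(version) else "fixed")
```

Run it as a standard user on the endpoint; the registry read needs no elevation. If the product is listed under a different DisplayName, pass that fragment to find_installed_versions.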
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loading events during software installation
- Process creation from installation directories with suspicious parent processes
Network Indicators:
- Outbound connections from password manager process to unknown IPs
- DNS requests for suspicious domains after software installation
SIEM Query:
EventID=4688 AND (ProcessName LIKE '%install%' OR ProcessName LIKE '%setup%') AND (NewProcessName LIKE '%.dll' OR CommandLine LIKE '%.dll%')
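As an added example that is not part of the original advisory, the Python script below applies the logic of the SIEM query above to constructed Event ID 4688 (process creation) records. It goes slightly beyond the query in checking the installer-name condition against both the new process and its parent, since the DLL reference typically appears in a child process spawned by the installer. The sample records are constructed for illustration and are not real telemetry.

```python
"""Added example (not from the advisory): apply the page's SIEM rule to
constructed Event ID 4688 process-creation records."""
import re

# Constructed sample records shaped like Security Event ID 4688 fields.
SAMPLE_EVENTS = [
    {"EventID": 4688,
     "NewProcessName": r"C:\Users\alice\Downloads\pwm_setup.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\pwm_setup.exe"'},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "ParentProcessName": r"C:\Users\alice\Downloads\pwm_setup.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\helper.dll,Run"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Program Files\Example\updater.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\Example\updater.exe" /quiet'},
    {"EventID": 4624, "NewProcessName": "", "ParentProcessName": "", "CommandLine": ""},
]

# Mirrors ProcessName LIKE '%install%' OR ProcessName LIKE '%setup%'.
INSTALLER_RE = re.compile(r"install|setup", re.IGNORECASE)
# Mirrors NewProcessName LIKE '%.dll' OR CommandLine LIKE '%.dll%'.
DLL_RE = re.compile(r"\.dll\b", re.IGNORECASE)


def matches_siem_rule(event: dict) -> bool:
    """True when the record is a 4688 event in which an installer-like process
    (new process or its parent) is tied to a .dll reference in the image path
    or the command line."""
    if event.get("EventID") != 4688:
        return False
    new_name = event.get("NewProcessName", "")
    parent_name = event.get("ParentProcessName", "")
    command_line = event.get("CommandLine", "")
    installer_involved = bool(INSTALLER_RE.search(new_name) or INSTALLER_RE.search(parent_name))
    dll_referenced = bool(DLL_RE.search(new_name) or DLL_RE.search(command_line))
    return installer_involved and dll_referenced


def find_suspicious(events) -> list:
    """Return the records that match the rule, in input order."""
    return [e for e in events if matches_siem_rule(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious:", hit["ParentProcessName"], "->", hit["NewProcessName"])
        print("  cmdline:", hit["CommandLine"])
```

Only the second record fires: an installer-named parent spawns rundll32.exe with a DLL from a temp directory on its command line. Note that Event ID 4688 records process creation, not library loads, so a DLL loaded silently into the installer's own process never appears here; for that, an image-load source such as Sysmon Event ID 7 (Image loaded) is needed, with the same installer-path and DLL-path conditions applied to the ImageLoaded field.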