Details of VAR-202106-1670

ID

VAR-202106-1670

CVE

CVE-2021-32460

TITLE

Trend Micro Maximum Security Improper Access Control Privilege Escalation Vulnerability

Trust: 0.7

sources: ZDI: ZDI-21-603

DESCRIPTION

The Trend Micro Maximum Security 2021 (v17) consumer product is vulnerable to an improper access control vulnerability in the installer which could allow a local attacker to escalate privileges on a target machine. Please note than an attacker must already have local user privileges and access on the machine to exploit this vulnerability. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the Maximum Security console. The product sets incorrect permissions on a sensitive file. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.16

sources: NVD: CVE-2021-32460 // ZDI: ZDI-21-603 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-32460

AFFECTED PRODUCTS

vendor:	trendmicro	model:	maximum security 2021	scope:	eq	version:	17.0	Trust: 1.0
vendor:	trend micro	model:	maximum security	scope:	-	version:	-	Trust: 0.7

sources: ZDI: ZDI-21-603 // NVD: CVE-2021-32460

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-32460
value:	HIGH
Trust: 1.0
ZDI:	CVE-2021-32460
value:	HIGH
Trust: 0.7
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202105-1350
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2021-32460
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0

nvd@nist.gov:	CVE-2021-32460
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ZDI:	CVE-2021-32460
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-21-603 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1350 // NVD: CVE-2021-32460

PROBLEMTYPE DATA

problemtype:

CWE-732

Trust: 1.0

sources: NVD: CVE-2021-32460

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202105-1350

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1350

PATCH

title:	Trend Micro has issued an update to correct this vulnerability.	url:	https://helpcenter.trendmicro.com/en-us/article/TMKA-10336	Trust: 0.7
title:	Maximum Security Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=152812	Trust: 0.6

sources: ZDI: ZDI-21-603 // CNNVD: CNNVD-202105-1350

EXTERNAL IDS

db:	NVD	id:	CVE-2021-32460	Trust: 2.4
db:	ZDI	id:	ZDI-21-603	Trust: 2.4
db:	ZDI_CAN	id:	ZDI-CAN-12346	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021052108	Trust: 0.6
db:	CNNVD	id:	CNNVD-202105-1350	Trust: 0.6
db:	VULMON	id:	CVE-2021-32460	Trust: 0.1

sources: ZDI: ZDI-21-603 // VULMON: CVE-2021-32460 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1350 // NVD: CVE-2021-32460

REFERENCES

url:	https://helpcenter.trendmicro.com/en-us/article/tmka-10336	Trust: 2.3
url:	https://www.zerodayinitiative.com/advisories/zdi-21-603/	Trust: 2.3
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021052108	Trust: 0.6

sources: ZDI: ZDI-21-603 // VULMON: CVE-2021-32460 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1350 // NVD: CVE-2021-32460

CREDITS

Abdelhamid Naceri (halov)

Trust: 0.7

sources: ZDI: ZDI-21-603

SOURCES

db:	ZDI	id:	ZDI-21-603
db:	VULMON	id:	CVE-2021-32460
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202105-1350
db:	NVD	id:	CVE-2021-32460

LAST UPDATE DATE

2024-08-14T12:31:01.927000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-21-603	date:	2021-05-21T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202105-1350	date:	2021-06-16T00:00:00
db:	NVD	id:	CVE-2021-32460	date:	2022-06-28T14:11:45.273

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-21-603	date:	2021-05-21T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202105-1350	date:	2021-05-21T00:00:00
db:	NVD	id:	CVE-2021-32460	date:	2021-06-03T15:15:07.867