VYPR
Unrated severity · NVD Advisory · Published Sep 24, 2020 · Updated Aug 4, 2024

CVE-2020-24560

Description

An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CWE-295: Improper server certificate verification in the communication with the update server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Trend Micro Security 2019 (v15) fails to properly validate SSL server certificates during Active Update, enabling MITM attackers to deliver a malicious update leading to SYSTEM-level code execution.

Vulnerability

An incomplete SSL server certificate validation vulnerability exists in the Active Update function of Trend Micro Security 2019 (v15) consumer products, including Premium Security, Maximum Security, Internet Security, and Antivirus+ for Windows [1][3][4]. The client does not properly verify the server certificate when it connects to the update server, so it cannot distinguish the genuine server from an impostor that presents a certificate of its own (CWE-295) [3][4]. All versions of the 2019 family (v15 and earlier) are affected [1][3][4].

Exploitation

Exploitation requires the attacker to hold a network position from which a man-in-the-middle (MITM) attack is possible, for example by operating a malicious wireless LAN access point [1][3]. The attacker intercepts the client's update request and answers with a fraudulent update server certificate, which the client accepts because validation is incomplete. By chaining this certificate validation flaw with a second vulnerability (CVE-2020-15604, improper update file verification), the attacker can then serve a specially crafted malicious update file that the client installs [1][3][4]. No user interaction is required; the client's normal automatic update check is enough to trigger the download [1].
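The two flaws in the chain described above, as an added illustration that is not Trend Micro code and does not reproduce the product's updater: a client-side TLS context built the way the CWE-295 pattern describes (any certificate accepted) next to a hardened context, and a weak update-file check that trusts whatever hash the server sends next to a check that requires a signed manifest and a forward-moving version. All payloads, manifests and the signing key are constructed for the example, and HMAC stands in for the asymmetric signature a real updater would use (the client would then hold only the vendor's public key). Nothing here opens a network connection.

```python
"""Update-client channel and file verification: weak pattern beside hardened one.

Constructed example (not vendor code). The weak TLS context reproduces the
CWE-295 pattern from the advisory; the weak file check reproduces the
"trust the server-supplied hash" pattern that lets a forged update through
once the channel is compromised.
"""
import hashlib
import hmac
import ssl

# Constructed demo key. A real updater signs with the vendor's private key
# and the client verifies with the matching public key; HMAC is used here
# only to avoid a third-party dependency.
VENDOR_KEY = b"constructed-demo-key-do-not-use"


def make_tls_context(strict: bool) -> ssl.SSLContext:
    """Client TLS context for reaching the update server.

    strict=False mirrors the flawed product behaviour: hostname checking off
    and CERT_NONE, so an on-path attacker's self-signed certificate is
    accepted. strict=True verifies the chain against the system trust store,
    checks the hostname, and refuses anything older than TLS 1.2.
    """
    if not strict:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # CWE-295: no hostname match
        ctx.verify_mode = ssl.CERT_NONE     # CWE-295: no chain validation
        return ctx
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def channel_is_trustworthy(ctx: ssl.SSLContext) -> bool:
    """Policy gate an updater should apply before using a context at all."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def sign_manifest(update: bytes, version: str) -> dict:
    """Vendor side: bind version and file hash to the signing key."""
    digest = hashlib.sha256(update).hexdigest()
    msg = f"{version}:{digest}".encode()
    return {"version": version, "sha256": digest,
            "sig": hmac.new(VENDOR_KEY, msg, "sha256").hexdigest()}


def weak_verify_update(update: bytes, manifest: dict) -> bool:
    """Flawed check: compares the file to a hash the server just sent.
    Anyone who controls the channel controls the hash, so this proves nothing."""
    return hashlib.sha256(update).hexdigest() == manifest["sha256"]


def verify_update(update: bytes, manifest: dict, installed_version: str) -> bool:
    """Hardened check: manifest signature valid, file hash matches the signed
    manifest, and the version moves forward (blocks replay of an old build)."""
    msg = f"{manifest['version']}:{manifest['sha256']}".encode()
    expected = hmac.new(VENDOR_KEY, msg, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False
    if not hmac.compare_digest(hashlib.sha256(update).hexdigest(), manifest["sha256"]):
        return False
    return _version_tuple(manifest["version"]) > _version_tuple(installed_version)


def run_scenario() -> dict:
    """Constructed MITM scenario: attacker impersonates the update server and
    ships a malicious file with a manifest whose hash matches it but whose
    signature is garbage (the attacker does not hold VENDOR_KEY)."""
    genuine = b"genuine update payload (constructed)"
    malicious = b"attacker payload (constructed)"
    vendor_manifest = sign_manifest(genuine, "15.0.2")
    forged = {"version": "15.0.2",
              "sha256": hashlib.sha256(malicious).hexdigest(),
              "sig": "0" * 64}
    return {
        "weak_channel_ok": channel_is_trustworthy(make_tls_context(False)),
        "strict_channel_ok": channel_is_trustworthy(make_tls_context(True)),
        "weak_accepts_forged": weak_verify_update(malicious, forged),
        "strict_accepts_forged": verify_update(malicious, forged, "15.0.1"),
        "strict_accepts_genuine": verify_update(genuine, vendor_manifest, "15.0.1"),
        "strict_rejects_downgrade": not verify_update(genuine, vendor_manifest, "15.0.2"),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The scenario shows why the two CVEs chain: with the weak context the client never learns it is talking to the attacker, and with the weak file check the attacker-supplied hash "verifies" the attacker-supplied file. Either hardened half alone breaks the chain, which is why a signed manifest plus a verified channel is the standard layering for an updater.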

Impact

Successful exploitation allows the attacker to execute arbitrary code with SYSTEM privileges on the affected Windows system [1][3]. On its own, this flaw affects only the integrity of the update channel (it lets the attacker deliver a forged update); combined with the update file verification failure it leads to full system compromise [1][3][4]. Trend Micro reported no active exploitation as of the disclosure date [2][4].

Mitigation

Trend Micro released fixes starting September 5, 2019, with version 16 (build 16.0.1405 or later) and version 17 (build 17.0.1150 or later) [2]. Users should upgrade to Trend Micro Security 2020 (v16) or 2021 (v17) to resolve the issue [2][4]. No workaround is available for v15; upgrading is required [2][4]. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4
