CVE-2020-25776
Description
Trend Micro Antivirus for Mac 2020 (Consumer) is vulnerable to a symbolic link privilege escalation attack where an attacker could exploit a critical file on the system to escalate their privileges. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Trend Micro Antivirus for Mac is vulnerable to a local symbolic link attack that lets an attacker escalate privileges to root.
Vulnerability
Trend Micro Antivirus for Mac versions 2020 (v10.x) and 2019 (v9.x) contain a symbolic link privilege escalation vulnerability within the iTISPlugin module [1], [2]. An attacker who has already obtained the ability to execute low-privileged code on the target system can create a malicious symbolic link that abuses the product to loosen permissions on a local file [1]. This flaw affects consumer editions of the product on macOS [2].
Exploitation
To exploit this vulnerability, an attacker must first have the ability to execute low-privileged code on the target system [1], [2]. No user interaction is required beyond the initial code execution. The attacker creates a symbolic link to a critical system file, and when the Trend Micro Antivirus software accesses that link, it inadvertently changes the file’s permissions in a way that grants the attacker further access [1]. The specific flaw resides in the iTISPlugin module [1].
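The bug class described above, as an added illustration: this is not Trend Micro's iTISPlugin code, and the function names, paths and modes are hypothetical. It contrasts a path-based permission change that follows a symlink with a hardened version that opens the file with `O_NOFOLLOW`, verifies it, and uses `fchmod` on the descriptor. Note that `O_NOFOLLOW` protects only the final path component.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Risky pattern: chmod() follows symlinks to whatever the path resolves to. */
int unsafe_chmod(const char *path, mode_t mode) {
    return chmod(path, mode);
}

/* Hardened pattern: refuse a symlink as the final path component, verify the
 * opened object, then change the mode through the descriptor, not the path. */
int safe_chmod(const char *path, mode_t mode, uid_t expected_owner) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;                     /* symlink: open() fails */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != expected_owner) {
        close(fd);                             /* not the file we expected */
        return -1;
    }
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed scenario: a 0600 file and a symlink to it in a fresh temp dir.
 * Returns the target's permission bits after the call, or -1 on setup error. */
int target_mode_after(int hardened) {
    char dir[] = "/tmp/symdemoXXXXXX", target[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int fd = open(target, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0 || fchmod(fd, 0600) != 0 || symlink(target, lnk) != 0) return -1;
    close(fd);
    (void)(hardened ? safe_chmod(lnk, 0666, geteuid()) : unsafe_chmod(lnk, 0666));
    int rc = stat(target, &st);
    unlink(lnk); unlink(target); rmdir(dir);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void) {
    printf("unsafe: %o  hardened: %o\n", target_mode_after(0), target_mode_after(1));
    return 0;
}
```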
Impact
Successful exploitation allows a local attacker to escalate their privileges to root [1]. This gives the attacker full control over the affected system, including the ability to read, modify, or delete any file, install software, and create new user accounts with administrative rights [1]. The CVSS v3 base score is 7.8, with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [1], [2].
Mitigation
Trend Micro has released a patch for version 2020 (v10.x) via the product's automatic ActiveUpdate feature [2]. Customers running version 2020 who have at least version 10.0 will already have the necessary patch applied [2]. Users on version 2019 (v9.x) or older are advised to upgrade to the latest version (10.x) [2]. At the time of disclosure, no public reports of active exploitation were known [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: 2020 (v10.x)
Patches
No patches discovered yet.
References
- helpcenter.trendmicro.com/en-us/article/TMKA-09924 (mitre, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-20-1236/ (mitre, x_refsource_MISC)