CVE-2020-25778

Vulnerability

The vulnerability resides in the KERedirect kernel extension (kext) of Trend Micro Antivirus for Mac 2020 (v10.x) and 2019 (v9.x). The specific flaw arises because an error message generated by the kext includes sensitive information, allowing an attacker who has already achieved high-privileged execution to supply a kernel pointer and leak several bytes of kernel memory [1][2].

Exploitation

To exploit this issue, an attacker must first obtain the ability to execute high-privileged code (root or kernel-level) on the target system. With that access, the attacker can trigger the error condition within the KERedirect kext, causing it to include a kernel pointer in an error message. The attacker can then read that message, extracting the leaked kernel memory [1]. No network position or additional user interaction is required beyond the initial privilege escalation [2].

Impact

Successful exploitation results in information disclosure of kernel memory contents. This data leak can reveal sensitive kernel structures or pointers, which an attacker can leverage in conjunction with other vulnerabilities to escalate privileges further or execute arbitrary code in the context of the kernel [1]. The CVSS score is 6.0 (medium severity) with high confidentiality impact, no integrity or availability impact, and a scope change [1].

Mitigation

Trend Micro addressed the vulnerability through an automatic ActiveUpdate patch for the Antivirus for Mac 2020 (v10.x) family, released on October 13, 2020. Customers running version 10.x receive the fix automatically; those on version 9.x are recommended to upgrade to version 10.x to obtain the patch. No workarounds are documented, and Trend Micro reports no evidence of active exploitation [2].