CVE-2017-5565 : Code injection vulnerability in Trend Micro Maximum Security 11.0 (and earlier),

Code injection vulnerability in Trend Micro Maximum Security 11.0 (and earlier), Internet Security 11.0 (and earlier), and Antivirus+ Security 11.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Trend Micro process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.

Published 2017-03-21 16:59:00

Updated 2019-10-03 00:03:26

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2017-5565

Trendmicro » Internet Security
Versions up to, including, (<=) 11.1.1005
cpe:2.3:a:trendmicro:internet_security:*:*:*:*:*:*:*:*
Matching versions
Trendmicro » Antivirus+
Versions up to, including, (<=) 11.1.1005
cpe:2.3:a:trendmicro:antivirus\+:*:*:*:*:*:*:*:*
Matching versions
Trendmicro » Premium Security
Versions up to, including, (<=) 11.1.1005
cpe:2.3:a:trendmicro:premium_security:*:*:*:*:*:*:*:*
Matching versions
Trendmicro » Maximum Security
Versions up to, including, (<=) 11.1.1005
cpe:2.3:a:trendmicro:maximum_security:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-5565

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 29 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-5565

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
6.7	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-5565

CWE-427 Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-5565

http://cybellum.com/doubleagent-taking-full-control-antivirus/

DoubleAgent: Taking Full Control Over Your Antivirus | Cybellum
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/97031

Multiple Trend Micro Products CVE-2017-5565 DLL Loading Local Code Injection Vulnerability
Third Party Advisory;VDB Entry
https://success.trendmicro.com/solution/1116957

Apply Hot Fix Build 1403 to resolve CVE-2017-5565
Vendor Advisory
http://www.securitytracker.com/id/1038206

Trend Micro Internet Security Application Verifier Provider DLL Protection Flaw Lets Local Users Bypass Anti-Virus Protections and Gain Elevated Privileges - SecurityTracker
http://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/

DoubleAgent: Zero-Day Code Injection and Persistence Technique | Cybellum
Technical Description;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-5565

Products affected by CVE-2017-5565

Exploit prediction scoring system (EPSS) score for CVE-2017-5565

CVSS scores for CVE-2017-5565

CWE ids for CVE-2017-5565

References for CVE-2017-5565