SB2021042621 - Multiple vulnerabilities in Trend Micro HouseCall for Home Networks

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Incorrect Privilege Assignment (CVE-ID: CVE-2021-28649)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect permissions set on product folders created by the installer, which leads to security restrictions bypass and privilege escalation.

2) Incorrect Privilege Assignment (CVE-ID: CVE-2021-31519)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect permissions set on product folders created by the installer, which leads to security restrictions bypass and privilege escalation.

Remediation

Install update from vendor's website.

References

• https://www.zerodayinitiative.com/advisories/ZDI-21-474/
• https://helpcenter.trendmicro.com/en-us/article/TMKA-10310
• https://www.zerodayinitiative.com/advisories/ZDI-21-475/