Vulnerabilities Identified by Cisco’s Talos Unit in Trend Micro Home Network Security Devices


Vulnerabilities in Trend Micro Home Network Security systems discovered by security researchers with Cisco’s Talos unit may be exploited to elevate privileges or achieve arbitrary authentication.

Users can track and secure their networks with the Home Network Security station, which includes vulnerability scanning, intrusion prevention, threat protection, and device-based access control.

Three security flaws were discovered in these devices: two stack buffer overflows with CVSS scores of 7.8 (CVE-2021-32457 and CVE-2021-32458) and one hardcoded password issue with a CVSS score of 4.9 (CVE-2021-32459).

The first two flaws are ioctl stack-based buffer overflows, which an attacker might exploit by sending specially crafted ioctl requests. Both vulnerabilities result in privilege escalation, but the attacker must first be able to execute low-privileged code on the device.

Researchers from Talos also discovered a hardcoded password weakness in Trend Micro Home Network Security’s log collection server feature, which could be exploited for arbitrary authentication by sending a specially crafted network request.

A mitigating factor is that an attacker must first be able to execute high-privileged code on the compromised device before the flaw can be exploited.

“At this time, Trend Micro has received no reports of actual attacks against the affected product due to this vulnerability,” the company says.

Versions 6.6.604 and earlier of Trend Micro Home Network Security are affected. Trend Micro has already released software updates to correct the bugs, which should be available via the automatic firmware update process on compatible devices.

Jennifer Thomas