Researchers at SafeBreach have disclosed vulnerabilities in a popular password manager that could, under the right circumstances, enable a privilege escalation attack by a malicious actor.
That alone is headline-worthy when the vulnerable product is a password manager, but the bad news doesn't stop there.
The researchers also revealed that the Trend Micro Password Manager bug could allow the attacker to gain persistence on the system. That's because the Trend Micro Password Manager Central Control Service (PwmSvc.exe) runs as the most privileged of Windows user accounts, NT Authority\System.
"This kind of service might be exposed to a user-to-system privilege escalation, which is very useful and powerful to an attacker," Peleg Hadar, a security researcher at SafeBreach Labs, said. Things get worse when you consider that the service executable is signed by Trend Micro. If an attacker finds a way to execute code within this process, "it can be used as an application whitelisting bypass," Hadar noted, adding "this service automatically starts once the computer boots, which means that it’s a potential target for an attacker to be used as a persistence mechanism."
As well as being a standalone password manager, Trend Micro Password Manager is deployed as part of the Trend Micro Maximum Security product. "There are two root causes for the vulnerability," Hadar wrote, "the lack of safe DLL loading," and "no digital certificate validation is made against the binary." In plain terms: the service resolves a library through the default Windows DLL search order rather than from a fixed, protected location, so a directory an unprivileged user can write to may be consulted first, and it never checks that the library it ends up loading is actually signed by Trend Micro. Combined, the two flaws let an attacker load and execute a malicious payload inside a trusted, signed service.
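The two preconditions Hadar describes (an auto-start SYSTEM service that will pick up a DLL from a location a low-privilege user can write to, and no signature check on what gets loaded) are things you can audit for on your own machines. The script below is an added example written for this article, not SafeBreach's proof of concept and not Trend Micro's code, and nothing in it is specific to PwmSvc.exe: it walks every auto-start service running as LocalSystem and reports service directories writable by non-administrators, DLLs beside the service binary that lack a valid Authenticode signature, and validly signed DLLs that a low-privilege user could overwrite. It assumes an elevated PowerShell session on Windows and English-language group names (the `$lowPrivWriters` list is an assumption you may need to extend for your environment).

```powershell
# Added example (not SafeBreach's or Trend Micro's code): audit auto-start
# LocalSystem services for DLL-hijacking preconditions.
# Assumptions: elevated session, Windows, English identity names below.
# Run as:  .\Find-DllHijackPreconditions.ps1

# Identities a write grant to which means an unprivileged user can plant a file.
$lowPrivWriters = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets the holder create or replace a file. Generic
# write/all (0x40000000 / 0x10000000) show up as raw numbers in some ACEs.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)
$genericWriteMask = 0x50000000

function Test-LowPrivWritable {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivWriters -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $writeMask) -ne 0) -or (($rights -band $genericWriteMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Extract the executable from a service PathName. The value may be quoted
# ("C:\Program Files\X\svc.exe" -arg) or unquoted with spaces, so for the
# unquoted case grow the prefix token by token until it names a real file.
function Get-ServiceExePath {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $PathName -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

$services = Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' -and $_.PathName }

foreach ($svc in $services) {
    $exe = Get-ServiceExePath $svc.PathName
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
    $dir = Split-Path -Parent $exe

    # Precondition 1: the application directory is searched before System32
    # under the default DLL search order. If a low-privilege user can write
    # here, they can drop a DLL with a name the service looks for.
    if (Test-LowPrivWritable $dir) {
        Write-Output ('[WRITABLE DIR]  {0}: {1}' -f $svc.Name, $dir)
    }

    # Precondition 2: DLLs next to the binary that carry no valid signature,
    # or that are validly signed but replaceable by an unprivileged user.
    # A service that never validates what it loads will not notice either.
    Get-ChildItem -LiteralPath $dir -Filter *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($sig.Status -ne 'Valid') {
                Write-Output ('[UNSIGNED DLL]  {0}: {1} ({2})' -f $svc.Name, $_.FullName, $sig.Status)
            }
            elseif (Test-LowPrivWritable $_.FullName) {
                Write-Output ('[WRITABLE DLL]  {0}: {1}' -f $svc.Name, $_.FullName)
            }
        }
}
```

The script finds the preconditions, not the bug itself: it cannot tell you which DLL names a given service actually asks for, or whether it asks for one that does not exist on disk (the classic hijack case). To confirm that for a specific service, watch its startup in Process Monitor with a filter on `CreateFile` results of `NAME NOT FOUND` for `.dll` paths, and cross-check any hit against the writable-directory findings above. A service directory under Program Files that shows up as writable by Users is worth investigating regardless of what the service loads.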
The researchers reported the bugs to Trend Micro on July 23, and a patch was released to fix them on July 31. On August 14, Trend Micro issued a security bulletin confirming that it had addressed these vulnerabilities "via a patch that is available now through the product’s automatic ActiveUpdate feature."
"Trend Micro has received no reports nor is aware of any actual attacks against the affected products related to this vulnerability at this time," the statement continues, adding, by way of mitigation, that "exploiting these types of vulnerabilities require that an attacker has access (physical or remote) to a vulnerable machine." Nonetheless, Trend Micro "strongly encourages customers to upgrade to the latest build as soon as possible."
Readers with a long memory might recall that this isn't the first time the Trend Micro Password Manager has been found vulnerable. Back on January 5, 2016, Google Project Zero's Tavis Ormandy revealed how a critical flaw enabled arbitrary command execution.
John Opdenakker, an ethical hacker with a particular interest in password managers, says that because an attacker needs access to the victim machine, that actor already has other options to escalate privileges and steal passwords anyway. What worries Opdenakker more is "the fact that malicious code can run under a process signed by Trend Micro, which might give attackers a way to evade detection by Trend Micro," which is "something they might be a lot more interested in."
If you are a worried user of the Trend Micro Password Manager product, Opdenakker insists that password managers are still the most secure way to manage passwords. "Using weak passwords or even worse, reusing passwords is much riskier than using a password manager," he says, adding "it's far more likely that you will become the victim of credential stuffing or dictionary attacks than this kind of vulnerability."
I'd recommend following the final piece of advice from Opdenakker, which is to "always keep your password manager and OS patched and use good antivirus software."