VYPR
Unrated severity · NVD Advisory · Published Sep 7, 2018 · Updated Aug 5, 2024

CVE-2018-0649


Description

Untrusted search path vulnerability in the installers of multiple Canon IT Solutions Inc. software programs (ESET Smart Security Premium, ESET Internet Security, ESET Smart Security, ESET NOD32 Antivirus, DESlock+ Pro, and CompuSec (all programs except packaged ones)) allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The installers of multiple Canon IT Solutions security products are vulnerable to an untrusted search path attack, allowing arbitrary code execution via a malicious DLL.

Vulnerability

The installers of multiple Canon IT Solutions Inc. security products — including ESET Smart Security Premium, ESET Internet Security, ESET Smart Security, ESET NOD32 Antivirus, DESlock+ Pro, and CompuSec (all programs except packaged ones) — contain an untrusted search path vulnerability (CWE-427) due to an insecure DLL search path [1]. All installer versions with digital timestamps before July 10, 2018 are affected [1].

Exploitation

An attacker must first place a specially crafted Trojan horse DLL in an unspecified directory that is searched when the installer is executed, such as the directory containing the installer file or a directory on the Windows search path [1]. The user must then run the installer with normal user privileges, which triggers the insecure DLL loading sequence [1].

Impact

If the Trojan horse DLL is loaded, arbitrary code execution occurs with the privileges of the user invoking the installer [1]. This can lead to full compromise of the affected user’s system, including disclosure, modification, or destruction of data, and installation of further malware [1].

Mitigation

Canon IT Solutions Inc. has provided updated installers with digital timestamps on or after July 10, 2018 that fix the issue [1]. Users should download and use the latest installer from the vendor's official site. As a workaround, users should verify that no suspicious files exist in the directory where the installer resides before executing it [1]. The vulnerability affects only the installer itself; already-installed programs are not at risk [1].
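
One way to script the workaround above before launching an installer, as an added example that is not code from the vendor or the advisory. It assumes every DLL beside the installer deserves review, since the advisory does not define "suspicious", and it goes one step beyond the stated workaround by copying the installer alone into a new empty directory; the function names are hypothetical.

```python
import hashlib
import shutil
import sys
import tempfile
from pathlib import Path

# Assumption: the advisory does not define "suspicious", so every DLL found
# beside the installer is reported for review.
MODULE_SUFFIXES = {".dll"}


def audit_installer_dir(installer):
    """Return [(path, size, sha256)] for each DLL co-located with the installer."""
    installer = Path(installer).resolve()
    if not installer.is_file():
        raise FileNotFoundError(f"installer not found: {installer}")
    findings = []
    for entry in sorted(installer.parent.iterdir()):
        # Extension match is case-insensitive: Windows treats X.DLL and x.dll alike.
        if entry.is_file() and entry.suffix.lower() in MODULE_SUFFIXES:
            digest = hashlib.sha256(entry.read_bytes()).hexdigest()
            findings.append((entry, entry.stat().st_size, digest))
    return findings


def stage_in_clean_dir(installer):
    """Copy only the installer into a new, empty, per-user directory.

    This removes co-located files from the picture; it does not cover other
    search-path locations such as directories on PATH.
    """
    clean = Path(tempfile.mkdtemp(prefix="installer-stage-"))
    return Path(shutil.copy2(Path(installer).resolve(), clean))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <path-to-installer>")
    hits = audit_installer_dir(sys.argv[1])
    for path, size, digest in hits:
        print(f"REVIEW {path.name}  {size} bytes  sha256={digest}")
    if hits:
        staged = stage_in_clean_dir(sys.argv[1])
        print(f"{len(hits)} DLL(s) beside the installer; clean copy at {staged}")
        sys.exit(1)
    print("No DLLs beside the installer.")
```

The printed hashes give an analyst something to triage or submit for scanning before any flagged file is deleted.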

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
