Eddie Windows installer - Vulnerability disclosure - ​NSIS bug 1125

[Staff 9972]

Hello!

 

Vulnerability affecting Eddie for Windows installing packages downloaded earlier than Tue May 15 12:51:22 UTC 2018 in already compromised systems.

 

Any other package type for Windows and any package type for any Operating System is not and has never been affected.

 

Eddie Windows NSIS installers have three vulnerabilities described in ​NSIS bug 1125. The most serious of these issues (#1) allows running unsolicited code and an escalation of privilege attack using DLL Search Order Hijacking (​CAPEC-471) as Eddie Windows installers are generally executed with Admin privileges. What NSIS/Windows does is actually prefer loading DLLs in the current directory, which in case of the Downloads folder is writable by the user. Thus the vulnerability is trivial to exploit, but only if the attacker has already managed to get a malicious DLL into user's Downloads folder

https://sourceforge.net/p/nsis/bugs/1125/

 

This issue was brought to our attention by Kushal Arvind Shah of Fortinet's FortiGuard Labs

on May 14, 2018 and fixed by us Tue May 15 12:51:22 UTC 2018 in any Eddie 2.13.* Windows installer releases and above. Download of older versions has been disabled.

 

Side note: any Eddie version older than 2.13.6 for any system has now been removed from the download list. Such versions are obsolete and the removal complies to security considerations as well as compatibility considerations with the developments of the respective Operating Systems.

[Guest]

Nicely done by the fortinet guys for identifying and reporting the issue and to the developers for fixing the issue. The good news is that it had to be a targetted attack for it to work which would be improbable to happen to 99.99999% of users.