SecTeer VulnDetect & PatchPro Support Forum VulnDetect

unacev2.dll - App-Request

    Anselm
    last edited by Anselm 17 Mar 2019, 07:18

    There is a vulnerability in the old version of unacev2.dll:
    Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250) | McAfee Blogs
    https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/attackers-exploiting-winrar-unacev2-dll-vulnerability-cve-2018-20250/

    0patch Blog: No Source Code For a 14-Year Old Vulnerable DLL? No Problem. (CVE-2018-20250)
    https://blog.0patch.com/2019/02/no-source-code-for-14-year-old.html

    Total Commander offers a download for the fixed version:

    Total Commander - Mailing
    https://www.ghisler.com/mailing.htm

    https://www.totalcommander.ch/win/unacev2_fixed.zip

    File name and path:     C:\prg\unacev2_fixed\UNACEV2.DLL
    Product Name:           UNACE - freeware ACE extraction component
    Internal Name:          UnAceV2.Dll
    Original Filename:      UnAceV2.Dll
    
    File Description:       UNACE Dynamic Link Library
    Company:                ACE Compression Software
    Legal Copyright:        ACE Compression Software, 2000-2019
    Legal Trademarks:       ACE Compression Software, 2000-2019
    Comments:               
    
    File Version String:    2.6.2.0
    File Version:           2.6.2.0
    Product Version String: 2.6.2.0
    Product Version:        2.6.1.0
    

    This is the version with the vulnerability:

    File name and path:     C:\totalcmd\UNACEV2.DLL
    Product Name:           UNACE - freeware ACE extraction component
    Internal Name:          UnAceV2.Dll
    Original Filename:      UnAceV2.Dll
    
    File Description:       UNACE Dynamic Link Library
    Company:                ACE Compression Software
    Legal Copyright:        ACE Compression Software, 2000-2005
    Legal Trademarks:       ACE Compression Software, 2000-2005
    Comments:               
    
    File Version String:    2.6.0.0
    File Version:           2.6.0.0
    Product Version String: 2.6.0.0
    Product Version:        2.6.0.0
    
      Tom VulnDetect Team Member
      last edited by 17 Mar 2019, 10:44

      This is a very interesting case indeed.

      While VulnDetect has the capability of detecting libraries, this is beyond the current scope of VulnDetect.

      However, due to the fact that this is being actively exploited and I can see that there is a LOT of software, including Avira AntiVir, WinRAR, XnView, PeaZip, Bandizip, SpeedCommander, and tonnes of software I never heard about, that utilizes it and sounds like it could provide attack vectors, I will add it for now.

      But do not expect us to support libraries in general, anytime soon.

      Later in the week, when the second iteration of our bundling goes live, I will let the security state of unacev2.dll affect the state of the parent program.

      /Tom
      Download the latest SecTeer VulnDetect agent here:
      https://vulndetect.com/dl/secteerSetup.exe
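
Added example, not part of either post and not VulnDetect's own detection logic: a Python script that inventories every copy of unacev2.dll under a directory and classifies each one by the binary File Version in its version resource. It assumes that any File Version below 2.6.2.0 (the fixed build quoted in the first post) is vulnerable; `file_version`, `classify`, `scan` and `sample_dll` are hypothetical names, and the sample DLL bytes are constructed.

```python
import os
import struct

# Assumption: any File Version below the fixed build quoted in the thread
# (2.6.2.0) is treated as vulnerable; 2.6.0.0 is the vulnerable build quoted.
FIXED_FILE_VERSION = (2, 6, 2, 0)
FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)  # start of VS_FIXEDFILEINFO
FFI_STRUC_VERSION = 0x00010000

def file_version(data):
    """Return the binary File Version as a 4-tuple, or None if none is found."""
    pos = data.find(FFI_SIGNATURE)
    while pos != -1:
        if pos + 16 <= len(data):
            struc, ms, ls = struct.unpack_from("<III", data, pos + 4)
            if struc == FFI_STRUC_VERSION:  # sanity check against chance matches
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(FFI_SIGNATURE, pos + 1)
    return None

def classify(data):
    version = file_version(data)
    if version is None:
        return "unknown"
    return "fixed" if version >= FIXED_FILE_VERSION else "vulnerable"

def scan(root):
    """Find every unacev2.dll under root; return (path, version, verdict) tuples."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "unacev2.dll":
                path = os.path.join(folder, name)
                with open(path, "rb") as handle:
                    data = handle.read()
                findings.append((path, file_version(data), classify(data)))
    return findings

def sample_dll(file_ver, product_ver):
    """Constructed stand-in for a DLL: padding plus a VS_FIXEDFILEINFO header."""
    pack = lambda v: ((v[0] << 16) | v[1], (v[2] << 16) | v[3])
    return b"MZ" + b"\x00" * 62 + FFI_SIGNATURE + struct.pack(
        "<IIIII", FFI_STRUC_VERSION, *pack(file_ver), *pack(product_ver))

if __name__ == "__main__":
    import sys
    for path, version, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(verdict, version, path)
```

The comparison uses File Version rather than Product Version because the fixed build quoted in the thread reports File Version 2.6.2.0 but Product Version 2.6.1.0. Scanning by file name across the whole tree covers the copies that other programs bundle in their own install directories.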

      Sponsored and operated by SecTeer | VulnDetect is a replacement for the EoL Secunia PSI