unacev2.dll - App-Request



  • There is a vulnerability in the old version of unacev2.dll:
    Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250) | McAfee Blogs
    https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/attackers-exploiting-winrar-unacev2-dll-vulnerability-cve-2018-20250/

    0patch Blog: No Source Code For a 14-Year Old Vulnerable DLL? No Problem. (CVE-2018-20250)
    https://blog.0patch.com/2019/02/no-source-code-for-14-year-old.html

    Total Commander offers a download for the fixed version:

    Total Commander - Mailing
    https://www.ghisler.com/mailing.htm

    https://www.totalcommander.ch/win/unacev2_fixed.zip

    File name and path:     C:\prg\unacev2_fixed\UNACEV2.DLL
    Product Name:           UNACE - freeware ACE extraction component
    Internal Name:          UnAceV2.Dll
    Original Filename:      UnAceV2.Dll
    
    File Description:       UNACE Dynamic Link Library
    Company:                ACE Compression Software
    Legal Copyright:        ACE Compression Software, 2000-2019
    Legal Trademarks:       ACE Compression Software, 2000-2019
    Comments:               
    
    File Version String:    2.6.2.0
    File Version:           2.6.2.0
    Product Version String: 2.6.2.0
    Product Version:        2.6.1.0
    

    This is the version with vulnerability:

    File name and path:     C:\totalcmd\UNACEV2.DLL
    Product Name:           UNACE - freeware ACE extraction component
    Internal Name:          UnAceV2.Dll
    Original Filename:      UnAceV2.Dll
    
    File Description:       UNACE Dynamic Link Library
    Company:                ACE Compression Software
    Legal Copyright:        ACE Compression Software, 2000-2005
    Legal Trademarks:       ACE Compression Software, 2000-2005
    Comments:               
    
    File Version String:    2.6.0.0
    File Version:           2.6.0.0
    Product Version String: 2.6.0.0
    Product Version:        2.6.0.0
    

  • VulnDetect Team Member

    This is a very interesting case indeed.

    While VulnDetect has the capability of detecting libraries, then this is beyond the current scope of VulnDetect.

    However, due to the fact that this is being actively exploited and I can see that there is a LOT of software, including Avira AntiVir, WinRAR, XnView, PeaZip, Bandizip, SpeedCommander, and tonnes of software I never heard about, that utilizes it and sounds like it could provide attack vectors, I will add it for now.

    But do not expect us to support libraries in general, anytime soon.

    Later in the week, when the second iteration of our bundling is going live, then I will let the security state of unacev2.dll affect the state of the parent program.