SecTeer VulnDetect & PatchPro Support Forum VulnDetect
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Download VulnDetect Installer
    • Login

    unacev2.dll - App-Request

    Scheduled Pinned Locked Moved App Requests
    2 Posts 2 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A Offline
      Anselm
      last edited by Anselm

      There is a vulnerability in the old version of unacev2.dll:
      Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250) | McAfee Blogs
      https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/attackers-exploiting-winrar-unacev2-dll-vulnerability-cve-2018-20250/

      0patch Blog: No Source Code For a 14-Year Old Vulnerable DLL? No Problem. (CVE-2018-20250)
      https://blog.0patch.com/2019/02/no-source-code-for-14-year-old.html

      Total Commander offers a download for the fixed version:

      Total Commander - Mailing
      https://www.ghisler.com/mailing.htm

      https://www.totalcommander.ch/win/unacev2_fixed.zip

      File name and path:     C:\prg\unacev2_fixed\UNACEV2.DLL
Product Name:           UNACE - freeware ACE extraction component
Internal Name:          UnAceV2.Dll
Original Filename:      UnAceV2.Dll

File Description:       UNACE Dynamic Link Library
Company:                ACE Compression Software
Legal Copyright:        ACE Compression Software, 2000-2019
Legal Trademarks:       ACE Compression Software, 2000-2019
Comments:               

File Version String:    2.6.2.0
File Version:           2.6.2.0
Product Version String: 2.6.2.0
Product Version:        2.6.1.0

      This is the version with vulnerability:

      File name and path:     C:\totalcmd\UNACEV2.DLL
Product Name:           UNACE - freeware ACE extraction component
Internal Name:          UnAceV2.Dll
Original Filename:      UnAceV2.Dll

File Description:       UNACE Dynamic Link Library
Company:                ACE Compression Software
Legal Copyright:        ACE Compression Software, 2000-2005
Legal Trademarks:       ACE Compression Software, 2000-2005
Comments:               

File Version String:    2.6.0.0
File Version:           2.6.0.0
Product Version String: 2.6.0.0
Product Version:        2.6.0.0
      1 Reply Last reply Reply Quote 0
      • T Offline
        Tom VulnDetect Team Member
        last edited by

        This is a very interesting case indeed.

        While VulnDetect has the capability of detecting libraries, then this is beyond the current scope of VulnDetect.

        However, due to the fact that this is being actively exploited and I can see that there is a LOT of software, including Avira AntiVir, WinRAR, XnView, PeaZip, Bandizip, SpeedCommander, and tonnes of software I never heard about, that utilizes it and sounds like it could provide attack vectors, I will add it for now.

        But do not expect us to support libraries in general, anytime soon.

        Later in the week, when the second iteration of our bundling is going live, then I will let the security state of unacev2.dll affect the state of the parent program.

        /Tom
        Download the latest SecTeer VulnDetect agent here:
        https://vulndetect.com/dl/secteerSetup.exe

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Download SecTeer Personal VulnDetect - an alternative to the long lost Secunia PSI

        Please see our Privacy and Data Processing Policy
        Sponsored and operated by SecTeer | VulnDetect is a replacement for the EoL Secunia PSI
        Forum software by NodeBB