JVN#52168232
UNLHA32.DLL, UNARJ32.DLL, LHMelting and LMLzh32.DLL may insecurely load Dynamic Link Libraries

Overview

UNLHA32.DLL, UNARJ32.DLL, LHMelting and LMLzh32.DLL provided by Micco may insecurely load Dynamic Link Libraries.

Products Affected

CVE-2018-16189

• UNLHA32.DLL for Win32 prior to Ver 3.00

• UNLHA32.DLL for Win32 Ver 2.67.1.2 and earlier
• UNARJ32.DLL for Win32 Ver 1.10.1.25 and earlier
• LHMelting for Win32 Ver 1.65.3.6 and earlier
• LMLzh32.DLL Ver 2.67.1.2 and earlier

Description

UNLHA32.DLL, UNARJ32.DLL, LHMelting and LMLzh32.DLL provided by Micco contain vulnerabilities listed below.

• Self-Extracting Archives created by UNLHA32.DLL may insecurely load Dynamic Link Libraries (CWE-427) - CVE-2018-16189

  CVSS v3	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	Base Score: 7.8
  CVSS v2	AV:N/AC:M/Au:N/C:P/I:P/A:P	Base Score: 6.8

• Insecurely load specific DLL file in the same directory (CWE-427) - CVE-2018-16190

  CVSS v3	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	Base Score: 7.8
  CVSS v2	AV:N/AC:M/Au:N/C:P/I:P/A:P	Base Score: 6.8

Impact

• Arbitrary code may be executed with the privilege of the user invoking a vulnerable self-extracting archive file. - CVE-2018-16189
• Arbitrary code may be executed with the privileges of the running applications. - CVE-2018-16190

Solution

Solution for CVE-2018-16189:
Update UNLHA32.DLL and Recreate Self-Extracting Archive files
According to the information provided by the developer, update the product which includes UNLHA32.DLL to the latest version and recreate self-extracting archive files.

Solution for CVE-2018-16190:
Update the software
Update to the latest version according to the information provided by the developer.