
CVE-2023-29080: Security patch for the possible privileged escalation scenarios identified in InstallShield 

Summary 

Adding an InstallScript custom action to a Basic MSI or InstallScript MSI project causes a few binaries to be extracted to a predefined writable folder at installation time. Standard user accounts have write access to these files and folders, so replacing them during installation can lead to a DLL hijacking vulnerability. Revenera has issued a security patch to correct this flaw.

Resolution

This security fix avoids using known folders and only extracts to a new random secured folder every time the setup is launched. These secured folders have proper access controls so that the standard user cannot access them in all possible scenarios. 

Patch for InstallShield 2021 R2 

To apply the fix, download the InstallShield 2021 R2 Security Patch.exe and run it on the machine that has either InstallShield 2021 R2 or Standalone Build (SAB) products installed. 

Patch for InstallShield 2022 R2 

To apply the fix, download the InstallShield 2022 R2 Security Patch.exe and run it on the machine that has either InstallShield 2022 R2 or Standalone Build (SAB) products installed. 
 

To run the patch installation silently: 

Download the security patch setup to a temporary folder on the machine on which you want to apply the fix. 

  1. Download the  ISSecurityPatchSilentResponseFile.zip file, extract the ISSecurityPatchSilentResponseFile.iss file from the .zip file, and place the ISSecurityPatchSilentResponseFile.iss file in the same folder as the ‘InstallShield 2022 R2 Security Patch.exe’ or ‘InstallShield 2021 R2 Security Patch.exe’ patch file. 

  2. Open a Command Prompt window with elevated privileges. (To do so, right-click the shortcut for the Command Prompt window, and then click Run as administrator.) 

  3. Run the following command: 
    "C:\Path\InstallShield <Version> R2 Security Patch.exe" /s /f1"C:\Path\ISSecurityPatchSilentResponseFile.iss" 
    where the path (C:\Path\) is replaced with the appropriate location and the <Version> is replaced with either 2022 or 2021.

When the patch is run, it will correct all the identified security flaws in the above products that are installed on the machine.  

 To determine if the InstallShield Hotfix has been installed, verify the version of the following files: 

The following files will be updated to version 28.0.0.763 (InstallShield 2022 R2) and version 27.0.0.126 (InstallShield 2021 R2): 
 
<ISInstallLocation>\Redist\Language Independent\i386 

  • ISSetup.dll 
  • setup.exe 
  • setupPreReq.exe 
  • SFHelper.dll 
     

<ISInstallLocation>\Redist\Language Independent\x64 

  • setup.exe 
  • setupPreReq.exe 
  • SFHelper.dll  
     

<ISInstallLocation>\Redist\Language Independent\i386\ISP 

  • ISSetup.dll
  • setup.exe 
  • Setup.ocx 
     

<ISInstallLocation>\System 

  • ISSetup.dll 
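
The version check described above can be scripted across a build machine or a Standalone Build server. The following PowerShell is an added example, not code from Revenera or from the original article; the default `$ISInstallLocation` is a placeholder to replace with the real install folder, and treating any version at or above the stated one as patched is an assumption of this example.

```powershell
# Added example: check the files listed in the article against the patched version.
param(
    # Assumption: placeholder path; pass the real InstallShield or SAB install folder.
    [string]$ISInstallLocation = 'C:\Path\InstallShield',
    [ValidateSet('2021', '2022')]
    [string]$Release = '2022'
)

# Patched file versions stated in the article, keyed by product release.
$expected = @{ '2022' = [version]'28.0.0.763'; '2021' = [version]'27.0.0.126' }[$Release]

# Files the article lists, relative to <ISInstallLocation>.
$targets = [ordered]@{
    'Redist\Language Independent\i386'     = 'ISSetup.dll', 'setup.exe', 'setupPreReq.exe', 'SFHelper.dll'
    'Redist\Language Independent\x64'      = 'setup.exe', 'setupPreReq.exe', 'SFHelper.dll'
    'Redist\Language Independent\i386\ISP' = 'ISSetup.dll', 'setup.exe', 'Setup.ocx'
    'System'                               = 'ISSetup.dll'
}

$results = foreach ($dir in $targets.Keys) {
    foreach ($name in $targets[$dir]) {
        $path = Join-Path (Join-Path $ISInstallLocation $dir) $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # Reported for review rather than failed: an install may not carry every file.
            [pscustomobject]@{ File = $path; Found = '-'; Status = 'MISSING' }
            continue
        }
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        # Build the version from the numeric fields; the FileVersion string can carry extra text.
        $found = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        # Assumption: a version at or above the stated one counts as patched.
        $status = if ($found -ge $expected) { 'PATCHED' } else { 'OUTDATED' }
        [pscustomobject]@{ File = $path; Found = $found; Status = $status }
    }
}

$results | Format-Table -AutoSize
# Non-zero exit code lets a build or compliance job fail on unpatched redistributables.
if ($results.Status -contains 'OUTDATED') { exit 1 }
```

Because the files under `Redist` are the ones embedded into generated installers, a PATCHED result covers only future builds on that machine.
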
Comments

This installer did not run on our server with InstallShield 2022 R2 Standalone Build installed, but gave the error message "InstallShield 2022 R2 must be installed to run this update. The setup will now exit."

This patch did work on the workstation where the IDE is installed.

Please advise.

Hi @ch_eng2 ,

Thank you for contacting us. Updated patch installer to consider Standalone Build (SAB) upgrade scenario. Please check now.

@Varaprasad It worked now, thank you!

@Varaprasad Is there a CVE ID associated with this?

@prateek_v This issue has been assigned as CVE-2023-29080. 

This patch does not work if I have supported files in Basic MSI and build without setup launcher. Normal user still has write access to the folder for the supported files.

@cvirata can you confirm whether this fix is included in InstallShield 2023 R1 or if a patch would be needed.

@HarryHengster - Yes, the fix is included in InstallShield 2023 R1. It is listed as issue number IOJ-2249258 under the Resolved Issues section of the InstallShield 2023 R1 Release Notes.

Last update: Mar 31, 2023 09:24 AM