CVE-2023-29080: Security patch for the possible privileged escalation scenarios identified in InstallShield
Summary
Adding an InstallScript custom action to a Basic MSI or InstallScript MSI project causes the setup to extract a few binaries to a predefined writable folder at installation time. The standard user account has write access to these files and folders, so replacing them during installation can lead to a DLL hijacking vulnerability. Revenera has issued a security patch to correct this flaw.
Resolution
This security fix avoids using known folders and instead extracts to a new, randomly named secured folder every time the setup is launched. These secured folders have proper access controls so that the standard user cannot access them in any scenario.
Patch for InstallShield 2021 R2
To apply the fix, download the InstallShield 2021 R2 Security Patch.exe and run it on the machine that has either InstallShield 2021 R2 or Standalone Build (SAB) products installed.
Patch for InstallShield 2022 R2
To apply the fix, download the InstallShield 2022 R2 Security Patch.exe and run it on the machine that has either InstallShield 2022 R2 or Standalone Build (SAB) products installed.
To run the patch installation silently:
- Download the security patch setup to a temporary folder on the machine on which you want to apply the fix.
- Download the ISSecurityPatchSilentResponseFile.zip file, extract the ISSecurityPatchSilentResponseFile.iss file from the .zip file, and place the ISSecurityPatchSilentResponseFile.iss file in the same folder as the ‘InstallShield 2022 R2 Security Patch.exe’ or ‘InstallShield 2021 R2 Security Patch.exe’ patch file.
- Open a Command Prompt window with elevated privileges. (To do so, right-click the shortcut for the Command Prompt window, and then click Run as administrator.)
- Run the following command:
"C:\Path\InstallShield <Version> R2 Security Patch.exe" /s /f1"C:\Path\ISSecurityPatchSilentResponseFile.iss"
where the path (C:\Path\) is replaced with the appropriate location and the <Version> is replaced with either 2022 or 2021.
When the patch is run, it will correct all the identified security flaws in the above products that are installed on the machine.
To determine whether the InstallShield hotfix has been installed, verify the version of the following files. They are updated to version 28.0.0.763 (InstallShield 2022 R2) or version 27.0.0.126 (InstallShield 2021 R2):
<ISInstallLocation>\Redist\Language Independent\i386
- ISSetup.dll
- setup.exe
- setupPreReq.exe
- SFHelper.dll
<ISInstallLocation>\Redist\Language Independent\x64
- setup.exe
- setupPreReq.exe
- SFHelper.dll
<ISInstallLocation>\Redist\Language Independent\i386\ISP
- ISSetup.dll
- setup.exe
- Setup.ocx
<ISInstallLocation>\System
- ISSetup.dll
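The version check above can be scripted. The following PowerShell is an added example, not part of Revenera's article or patch; the -ISInstallLocation and -Release parameters are assumptions of this example, and it treats a file version equal to or higher than the stated one as patched.

```powershell
# Added example: verify the files listed in the article against the patched version.
param(
    [Parameter(Mandatory)] [string] $ISInstallLocation,  # InstallShield or SAB install folder (you supply this)
    [Parameter(Mandatory)] [ValidateSet('2021', '2022')] [string] $Release
)

# Patched file versions as stated in the article.
$patchedVersions = @{ '2021' = [version]'27.0.0.126'; '2022' = [version]'28.0.0.763' }
$expected = $patchedVersions[$Release]

# Relative folder -> files, exactly as listed in the article.
$targets = [ordered]@{
    'Redist\Language Independent\i386'     = 'ISSetup.dll', 'setup.exe', 'setupPreReq.exe', 'SFHelper.dll'
    'Redist\Language Independent\x64'      = 'setup.exe', 'setupPreReq.exe', 'SFHelper.dll'
    'Redist\Language Independent\i386\ISP' = 'ISSetup.dll', 'setup.exe', 'Setup.ocx'
    'System'                               = 'ISSetup.dll'
}

$results = foreach ($folder in $targets.Keys) {
    foreach ($name in $targets[$folder]) {
        $path = Join-Path (Join-Path $ISInstallLocation $folder) $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # Reported but not treated as a failure: an edition may not ship every file.
            [pscustomobject]@{ File = $path; Version = $null; Status = 'Missing' }
            continue
        }
        # Build the version from its numeric parts rather than parsing the
        # FileVersion string, which can carry extra text.
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        $actual = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                 $vi.FileBuildPart, $vi.FilePrivatePart)
        $status = if ($actual -ge $expected) { 'Patched' } else { 'Outdated' }
        [pscustomobject]@{ File = $path; Version = $actual; Status = $status }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a build pipeline fail when any file is still unpatched.
if ($results.Status -contains 'Outdated') { exit 1 }
```

Run it on each machine that has the IDE or the Standalone Build installed, since the patch must be applied to each of them separately.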
This installer did not run on our server with InstallShield 2022 R2 Standalone Build installed, but gave the error message "InstallShield 2022 R2 must be installed to run this update. The setup will now exit."
This patch did work on the workstation where the IDE is installed.
Please advise.
Hi @ch_eng2,
Thank you for contacting us. We updated the patch installer to consider the Standalone Build (SAB) upgrade scenario. Please check now.
@Varaprasad It worked now, thank you!
@Varaprasad Is there a CVE ID associated with this?
@prateek_v This issue has been assigned as CVE-2023-29080.
This patch does not work if I have supported files in a Basic MSI and build without a setup launcher. A normal user still has write access to the folder for the supported files.
@cvirata Can you confirm whether this fix is included in InstallShield 2023 R1 or if a patch would be needed?
@HarryHengster - Yes, the fix is included in InstallShield 2023 R1. It is listed as issue number IOJ-2249258 under the Resolved Issues section of the InstallShield 2023 R1 Release Notes.