OTPulse

Flexera InstallShield

Monitor | 7.3 | ICS-CERT ICSA-20-287-03 | Oct 13, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Flexera InstallShield through version 2015 SP1 contains a DLL loading vulnerability (CWE-426) that could allow an attacker with local access to execute arbitrary code. Successful exploitation requires user interaction and local access to a machine running the vulnerable software. The vulnerability is not remotely exploitable. The vendor has not released a patch for affected versions and has not indicated plans to do so.

What this means
What could happen
An attacker with local access could execute malicious code on an engineering workstation or deployment system running InstallShield, potentially compromising the integrity of software packages being developed or deployed to control systems.
Who's at risk
Organizations that use Flexera InstallShield on engineering workstations or build/deployment servers, particularly those developing software packages for deployment to industrial control systems or SCADA applications. This affects IT and OT teams responsible for software distribution and package management.
How it could be exploited
An attacker must first gain local access to a machine running vulnerable InstallShield versions. The vulnerability allows execution of a malicious DLL, likely through a crafted installation package or by manipulating DLL search paths during an InstallShield operation. Exploitation requires the user to interact with or open a malicious file (user interaction required).
Prerequisites
  • Local access to the workstation running InstallShield
  • InstallShield version 2015 SP1 or earlier installed
  • User interaction with a malicious file or installation package
  • Local exploitation only (not remotely exploitable)
  • User interaction required
  • No patch available from vendor
  • End-of-life product
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
InstallShield: through 2015 SP1 | ≤ 2015 SP1 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Contact Flexera product support for guidance on mitigations and workarounds for your specific InstallShield deployment
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade to InstallShield versions after 2015 SP1 if available from Flexera
Mitigations - no patch available
InstallShield: through 2015 SP1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Restrict local access to engineering workstations running InstallShield; limit which users can execute InstallShield operations
HARDENING: Train users to avoid opening unsolicited email attachments and clicking untrusted links that could deliver malicious installation packages