JVN#61502349: Self-Extracting Encrypted Files created by AttacheCase may insecurely load Dynamic Link Libraries

Published: 2017-07-14 00:00:00
Source: Japan Vulnerability Notes (jvn.jp)

CVSS2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS: 0.001 (percentile 25.0%)

AttacheCase is open-source file encryption software provided by HiBARA Software. It can also create self-extracting encrypted files. Self-extracting encrypted files created by AttacheCase contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).

Impact

Arbitrary code may be executed with the privilege of the user invoking a vulnerable self-extracting encrypted file.

Solution

Update the Files
Update AttacheCase and re-encrypt the affected files according to the information provided by the developer.
AttacheCase ver2.x is no longer supported. HiBARA Software recommends AttacheCase ver4.x, the successor to AttacheCase ver2.x, for re-encrypting the affected files.

Continue to follow the workarounds below to handle self-extracting encrypted files securely.
Apply Workarounds

  • When invoking a self-extracting encrypted file, make sure no unrelated files exist within the same directory. It is best to copy the file into a newly created directory and invoke it from that directory.
  • Make sure no untrusted files exist within the directory where the self-extracting encrypted file is invoked.
  • If you have a shared directory within your organization for placing self-extracting encrypted files, make sure that this shared directory is read-only for non-administrative users.
  • Operate self-extracting encrypted files using a standard user (non-administrator) account. Administrator accounts should be used only when necessary.
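The first two workarounds can be scripted as a pre-launch check. The following is an added example, not code from JVN or HiBARA Software: it lists the files that sit beside a self-extracting executable (DLLs first, since those are what a CWE-427 search-path issue would load from the application directory) and stages a copy of the executable in a freshly created, otherwise empty directory. The file names it creates are constructed placeholders.

```python
"""Pre-launch check for a self-extracting encrypted file (added example)."""
from pathlib import Path
import shutil
import tempfile


def unrelated_files(sfx_path):
    """Return names of files sharing a directory with sfx_path.

    DLLs are listed first because Windows searches the application's own
    directory before the system directories; everything else follows.
    An empty list means the executable is alone in its directory.
    """
    sfx = Path(sfx_path).resolve()
    siblings = [p for p in sfx.parent.iterdir() if p.is_file() and p != sfx]
    dlls = sorted(p.name for p in siblings if p.suffix.lower() == ".dll")
    others = sorted(p.name for p in siblings if p.suffix.lower() != ".dll")
    return dlls + others


def stage_in_clean_dir(sfx_path):
    """Copy the self-extracting file into a new, empty directory.

    Returns the path of the copy; raises if the staging directory turns out
    to contain anything else (which mkdtemp should never allow).
    """
    sfx = Path(sfx_path).resolve()
    staging = Path(tempfile.mkdtemp(prefix="sfx-"))
    copy = staging / sfx.name
    shutil.copy2(sfx, copy)
    if unrelated_files(copy):
        raise RuntimeError(f"staging directory {staging} is not clean")
    return copy


def make_demo_dir():
    """Constructed sample input: a placeholder 'executable' with a stray
    DLL and a text file beside it. Returns the path of the placeholder."""
    demo = Path(tempfile.mkdtemp(prefix="demo-"))
    (demo / "archive.exe").write_bytes(b"placeholder, not a real executable")
    (demo / "stray.dll").write_bytes(b"placeholder")
    (demo / "readme.txt").write_bytes(b"placeholder")
    return demo / "archive.exe"


if __name__ == "__main__":
    exe = make_demo_dir()
    print("files beside archive.exe:", unrelated_files(exe))
    print("clean copy staged at:", stage_in_clean_dir(exe))
```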

Products Affected

Self-extracting encrypted files created by the following software are affected:

  • AttacheCase ver.2.8.3.0 and earlier - CVE-2017-2271
  • AttacheCase ver.3.2.2.6 and earlier - CVE-2017-2272
