There is a Remote Code Execution Vulnerability in Unity. It sounds like a vulnerability where someone can infect you after they trick you into clicking something, I guess. So assume I hadn't installed the patch, and I worked on a local project (a one-man project) on my computer (I still used the internet), and I wouldn't install any assets to my project (I just made the assets myself); I only connected my work to a private GitHub repository. Could I get infected?

123iamking

1 Answer

A tough question to answer. It's always safer to just update, since a patch is available from the vendor and updating shouldn't be too much of a burden since it's just you working on your project. Nevertheless, let me try to lay out the facts.

  1. There's no publicly available exploit - it doesn't look like the researcher or the vendor has provided much information regarding exploiting this vulnerability. All I could find was that there is an input string validation that leads to RCE. Know that the lack of an available exploit does reduce chances of exploits being found in the wild.

  2. While I did not find any CVSS on the vendor's website, the NVD CVSS does indicate that this vulnerability can be exploited remotely. If this is true, then I assume that even if you are working alone, but connected to the internet, this vulnerability may be exploitable, hard to tell for sure without knowing the vulnerable component and how it works. That said, NVD CVSS is not 100% trustable in my opinion, but still a point to note when analyzing.

  3. This is a rather old vulnerability and being an RCE, honestly, I'd just recommend patching up. The vendor did promise to release more information about it once they gave their customers time to update but still haven't (the vulnerability received a CVE in 2017). On the plus side, a tweet from the vulnerability finder did mention that they fixed it very quickly (kudos!). Alternatively, they have also released a mitigation tool for those versions that don't have a direct patch. Note - according to the vendor, the mitigation tool is not a permanent solution and just disables the vulnerable component (check if this component is remotely accessible!).

Again, I'm just stating what's already known. When it comes to patching, other than any heavy effort/downtime, I would not weigh anything against updating (especially for security). If you're working standalone and it's easy to update, I would always advocate patching up :)

Izy-
  • The tweet is dated from August 2017; it seems a bit odd that a quick fix would take more than a year to be published. Moreover, the CVE has been reserved February 26th. So while it seems that the bug was fixed quickly, the tweet doesn't seem to refer to this vulnerability – Sefa Mar 05 '19 at 10:59