March 2019 Security Update Advisory (CVE-2019-9197)

 

Vulnerabilities Details

Remediation Steps

FAQ

References

Vulnerability Details

CVE ID:

CVE-2019-9197

Type:

Remote Code Execution

Discovered:

2018/11/15

Discovered By:

rgod of 9sg Security Team - rgod@9sgsec.com working with Trend Micro’s Zero Day Initiative

Patch Availability:

2019/03/04

Affected Operating System:

Windows

Affected Versions:

All (Windows)

Severity:

High

Patch Versions: p class="bg-lg">
  • [1] 2019.2.0a7 (Win), size= 795,664bytes, md5=6fcde1045cc4af7f84ba4f820f5db868
  • [2] 2019.1.0b5 (Win), size= 696,212 kB, md5: d2ec9e0dc974adfd0e465ffe2e3f1c23
  • [3] 2018.3.7f1 (Win), size=570,279kB, md5=6fcde1045cc4af7f84ba4f820f5db868
  • [4] 2018.2.21f1 (Win), size=580,009kB, md5=1b87b98c936c81148a99c879386e676c
  • [5] 017.4.22f1 (Win), size=527,486kB, md5=8cb0783f22dc5bfc80d2f170472aefbf
  • [6] 5.6.7f1 (Win), size=554,855kB, md5=d761d8c151007ce2474ddc9d468abc02

Vulnerability Details

An input string validation issue was identified in the Unity Editor affecting the Windows platform that could lead to Remote Code Execution (RCE), allowing an attacker to potentially execute code remotely in the user’s computer.

Remediation Steps

Determine the version of your Unity Editor

Open a Unity project

The Unity version is visible in the main window title.

description

In the File menu choose Help -> About Unity.

description

The Unity version is shown in the About Unity window.

description

Install Update

If your version of the Unity Editor is not one of the listed Patch Versions of the Vulnerabilities Details section above you can continue with the update installation as follows.

To install the update you can use the Unity Editor update checker available in the File menu Help -> Check for Updates.

description

Additionally, you can download and install the corresponding patch for your version of the Unity Editor. The download links are available in the Patch Versions of the Vulnerabilities Details section and in the References section.

Mitigation Tool

If your version of the Unity Editor is not listed, or you are unable to install the update at this time, you can use the Mitigation Tool Guide [7].

Please keep in mind the recommended action is to install a fixed version of the Unity Editor.

FAQ

What type of vulnerability was addressed in this update?

An input string validation issue was identified that could lead to remote code execution (RCE), allowing an attacker to potentially execute code remotely in the user’s computer.

What platforms are affected?

Windows only. Mac and Linux platforms are not affected by the identified vulnerability.

What versions of Unity are affected?

All versions of the Unity Editor running on Windows.

What versions of the Unity Editor are being patched?

We have released a patch for the latest Unity Editor versions of 5.6 and all officially supported versions up to 2019.2 Alpha. All future versions will contain the update as well.

Will my specific version be patched?

Unity will be releasing a single patch to each of the most current, i.e., last update of the Unity Editor.

What about versions older than 5.6?

We are providing a mitigation tool that disables the identified vulnerable feature of the Unity Editor which can be downloaded from the Mitigation Tool Guide[7].

Please take into account that the mitigation is not a patch and has limitations. The mitigation will disable the Unity Editor feature identified as vulnerable, but since we can not control whether the affected functionality becomes re-enabled at some point after applying the mitigation, we strongly recommend updating to a fixed version of the Unity Editor to get the benefits of the full patch. You will also no longer be able to use the ‘Open in Unity’ functionality in the web browser version of the Asset Store after applying the mitigation.

Does the mitigation tool work for versions newer than 5.6? Can I use the mitigation tool instead of patching?

The mitigation tool can be used on all affected versions of the Unity Editor.

Please take into account that the mitigation is not a patch and has limitations. The mitigation will disable the Unity Editor feature identified as vulnerable, but since we can not control whether the affected functionality becomes re-enabled at some point after applying the mitigation, we strongly recommend updating to a fixed version of the Unity Editor to get the benefits of the full patch. You will also no longer be able to use the ‘Open in Unity’ functionality in the web browser version of the Asset Store after applying the mitigation.

I run multiple versions of Unity, do I have to apply the mitigation tool for all of them?

No, by running it once it deactivates the identified vulnerable component across all of them. Do keep in mind that by re-installing or updating (one) of the versions, it may activate the component again. To check, re-run the workaround tool until all versions are up to date

Can I just use the mitigation tool and never move to a patched version?

The mitigation will disable the Unity Editor feature identified as vulnerable, but since we can not control whether the affected functionality becomes re-enabled at some point after applying the mitigation, we strongly recommend updating to a fixed version of the Unity Editor to get the benefits of the full patch. You will also no longer be able to use the ‘Open in Unity’ functionality in the web browser version of the Asset Store after applying the mitigation.

I have a locked-down older version of Unity 5.x.x. Will you produce a patch for the exact version of Unity that I’m using

Our focus right now is on addressing the identified vulnerability in 5.6 and all officially supported versions up to 2019.2 Alpha. We do not have any details to share on patches for other versions at this time.

Will I need to rebuild asset bundles due to the update requirement?

It depends on the specific version of the Unity Editor that you are using. Most customers will be able to update to the patched versions without needing to rebuild their bundles, but some customers may find that asset importers have been updated between the version they are currently using and the patch for that dot-release. For those customers, asset bundle rebuilding may be necessary.

How do I know if I’ll need to rebuild my asset bundles?

You may need to rebuild your bundles if any assets are re-imported when you first open your project in the patched version of the Unity Editor.

References