CVE-2016-10157
📋 TL;DR
CVE-2016-10157 is a DLL hijacking vulnerability in Akamai NetSession that allows attackers to execute arbitrary code by placing a malicious CSUNSAPI.dll file where the application searches for it. This affects all users running the vulnerable version of Akamai NetSession software. The vulnerability is particularly dangerous because the legitimate DLL is missing, making exploitation easier.
💻 Affected Systems
- Akamai NetSession
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation or arbitrary code execution within the context of the Akamai NetSession process, allowing attackers to install malware, steal credentials, or establish persistence.
If Mitigated
Limited impact with proper application whitelisting and user privilege restrictions preventing successful exploitation.
🎯 Exploit Status
Exploitation requires local access to place the malicious DLL in a directory where Akamai NetSession will search for it. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.9.3.1
Vendor Advisory: https://web.archive.org/web/20170101000000*/https://blogs.akamai.com/
Restart Required: Yes
Instructions:
1. Uninstall Akamai NetSession 1.9.3.1.
2. Download and install the latest version from Akamai's official website.
3. Restart the system to ensure all components are properly loaded.
🔧 Temporary Workarounds
Create dummy CSUNSAPI.dll
Windows: Create an empty or legitimate CSUNSAPI.dll file in the application directory to prevent malicious DLL loading.
copy NUL "C:\Program Files\Akamai\NetSession\CSUNSAPI.dll"
Restrict write permissions
Windows: Remove write permissions from directories where Akamai NetSession searches for DLLs.
icacls "C:\Program Files\Akamai\NetSession" /deny Everyone:(W)
🧯 If You Can't Patch
- Remove Akamai NetSession 1.9.3.1 completely from affected systems
- Implement application whitelisting to prevent execution of unauthorized DLLs
🔍 How to Verify
Check if Vulnerable:
Check if Akamai NetSession version 1.9.3.1 is installed and if CSUNSAPI.dll is missing from the installation directory
Check Version:
wmic product where "name like 'Akamai%'" get version
Verify Fix Applied:
Verify that Akamai NetSession is updated to a version later than 1.9.3.1 and that CSUNSAPI.dll exists in the application directory
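As an added example (not Akamai's or this page's own tooling), the PowerShell script below audits the conditions the verification steps and workarounds refer to: whether CSUNSAPI.dll is present, whether it is the empty placeholder or a signed file, and which accounts can create files in the directory. It assumes the install path used in the workaround commands, and the function name Get-NetSessionDllAudit is hypothetical; the version check is left to the wmic command above.

```powershell
# Added example, not vendor code. Default path is the one used in this page's workarounds.
param(
    [string]$InstallDir = 'C:\Program Files\Akamai\NetSession',
    [string]$DllName    = 'CSUNSAPI.dll'
)

function Get-NetSessionDllAudit {            # hypothetical helper name
    param([string]$Dir, [string]$Name)
    $report = [ordered]@{
        Directory     = $Dir
        DirExists     = Test-Path -LiteralPath $Dir -PathType Container
        DllPresent    = $false
        DllLength     = $null
        DllSignature  = $null    # Authenticode status; stays null for a zero-byte placeholder
        AllowWriteFor = @()      # non-admin SIDs allowed to create files in the directory
        DenyWriteFor  = @()      # SIDs with an explicit write deny (the icacls workaround)
    }
    if (-not $report.DirExists) { return [pscustomobject]$report }

    $dllPath = Join-Path -Path $Dir -ChildPath $Name
    if (Test-Path -LiteralPath $dllPath -PathType Leaf) {
        $file = Get-Item -LiteralPath $dllPath
        $report.DllPresent = $true
        $report.DllLength  = $file.Length
        if ($file.Length -gt 0) {
            $report.DllSignature = (Get-AuthenticodeSignature -LiteralPath $dllPath).Status.ToString()
        }
    }

    # CreateFiles (WriteData) and AppendData are the rights that permit adding a file here.
    $writeMask   = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    # SYSTEM, BUILTIN\Administrators, TrustedInstaller
    $trusted = 'S-1-5-18', 'S-1-5-32-544',
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $rules = (Get-Acl -LiteralPath $Dir).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { ($_.FileSystemRights -band $writeMask) -and
                       -not ($_.PropagationFlags -band $inheritOnly) }
    $report.AllowWriteFor = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $trusted
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    $report.DenyWriteFor = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    [pscustomobject]$report
}

Get-NetSessionDllAudit -Dir $InstallDir -Name $DllName | Format-List
```

A DllLength of 0 indicates the placeholder workaround is in place; a non-empty file whose DllSignature is not Valid deserves a closer look.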
📡 Detection & Monitoring
Log Indicators:
- Failed DLL loading attempts for CSUNSAPI.dll
- Unexpected process creation from Akamai NetSession
Network Indicators:
- Unusual outbound connections from Akamai NetSession process
- DNS queries to suspicious domains
SIEM Query:
Process Creation where Image contains 'Akamai' AND ParentImage contains 'explorer.exe' AND CommandLine contains 'dll'