CVE-2021-20726 – This is a DLL hijacking vulnerability in Overwo... (How to Fix)

Q: What is the severity of CVE-2021-20726?

CVE-2021-20726 has a CVSS score of 7.8 (HIGH). This is a DLL hijacking vulnerability in Overwolf's installer that allows attackers to execute arbitrary code with user privileges by placing a malicious DLL in a directory searched by the installer. It affects users running Overwolf installer version 2.168.0.n or earlier. The vulnerability requires the attacker to trick the user into running the installer from a compromised location.

📋 TL;DR

This is a DLL hijacking vulnerability in Overwolf's installer that allows attackers to execute arbitrary code with user privileges by placing a malicious DLL in a directory searched by the installer. It affects users running Overwolf installer version 2.168.0.n or earlier. The vulnerability requires the attacker to trick the user into running the installer from a compromised location.

💻 Affected Systems

Products:

Overwolf

Versions: 2.168.0.n and earlier

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects the installer component, not the main Overwolf application. Requires user interaction to run the installer from a compromised location.

📦 What is this software?

Overwolf by Overwolf

View all CVEs affecting Overwolf →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through privilege escalation to SYSTEM if the installer is run with elevated privileges, leading to complete control of the affected system.

🟠

Likely Case

Local privilege escalation allowing execution of arbitrary code with the user's permissions, potentially leading to data theft, malware installation, or lateral movement.

🟢

If Mitigated

Limited impact if users only run installers from trusted sources and with minimal privileges, though the vulnerability still exists in the software.

🌐 Internet-Facing: LOW - This is primarily a local attack vector requiring the user to execute the installer from a compromised location.

🏢 Internal Only: MEDIUM - Internal attackers with access to shared directories could place malicious DLLs to exploit users running the installer from those locations.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires social engineering to get users to run the installer from a malicious location. The DLL hijacking technique is well-known and relatively simple to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.168.0.n

Vendor Advisory: https://www.overwolf.com/

Restart Required: No

Instructions:

1. Update Overwolf to the latest version. 2. If using an older installer, download the latest installer from the official Overwolf website. 3. Run the updated installer to complete the installation.

🔧 Temporary Workarounds

Safe Installation Practices

windows

Only run the Overwolf installer from trusted locations like the official download directory

DLL Search Path Hardening

windows

Use Windows policies to restrict DLL search paths for applications

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f

🧯 If You Can't Patch

Restrict user permissions to prevent execution of installers from untrusted directories
Implement application whitelisting to only allow execution of verified Overwolf installers

🔍 How to Verify

Check if Vulnerable:

Check Overwolf installer version - if it's 2.168.0.n or earlier, the system is vulnerable

Check Version:

Check the installer filename or properties for version information

Verify Fix Applied:

Verify Overwolf is updated to a version after 2.168.0.n by checking the version in the application or installer

📡 Detection & Monitoring

Log Indicators:

Windows Event Logs showing DLL loading from unusual directories during installer execution
Process creation events for Overwolf installer from non-standard locations

Network Indicators:

Unusual network connections originating from installer process

SIEM Query:

Process Creation where (Image contains 'Overwolf' OR ParentImage contains 'Overwolf') AND CommandLine contains 'install'

📊 Metadata

CVE ID: CVE-2021-20726

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-427

Published: May 24, 2021

Last Updated: November 21, 2024

🔗 References

https://jvn.jp/en/jp/JVN78254777/index.html Third Party Advisory
https://www.overwolf.com/ Vendor Advisory
https://jvn.jp/en/jp/JVN78254777/index.html Third Party Advisory
https://www.overwolf.com/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-20726, you might also want to check these: