CVE-2021-36216
📋 TL;DR
CVE-2021-36216 is a DLL injection vulnerability in LINE for Windows that allows attackers to execute arbitrary code by placing malicious DLL files in specific locations. This affects all LINE for Windows users running version 6.2.1.2289 or earlier. Attackers can gain full control of the affected system through this vulnerability.
💻 Affected Systems
- LINE for Windows
📦 What is this software?
Line by Linecorp
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining administrative privileges, installing malware, stealing credentials, and establishing persistence.
Likely Case
Local privilege escalation leading to data theft, ransomware deployment, or lateral movement within the network.
If Mitigated
Limited impact with proper application whitelisting and user privilege restrictions preventing successful exploitation.
🎯 Exploit Status
Exploitation requires local access to place malicious DLL files. Public HackerOne reports demonstrate successful exploitation techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.2 or later
Vendor Advisory: https://hackerone.com/reports/950688
Restart Required: Yes
Instructions:
1. Open LINE for Windows.
2. Click Settings (gear icon).
3. Select 'About LINE' to check current version.
4. If version is 6.2.1.2289 or earlier, download latest version from official LINE website.
5. Install the update and restart the application.
🔧 Temporary Workarounds
Application Whitelisting
Restrict the LINE application from loading DLLs from untrusted directories using Windows AppLocker or similar solutions.
# Configure AppLocker rules to restrict DLL loading for LINE executable
Remove Write Permissions
Remove write permissions from directories where LINE searches for DLLs to prevent malicious DLL placement.
icacls "C:\Program Files\LINE" /deny Users:(OI)(CI)W
icacls "%APPDATA%\LINE" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement strict application control policies to prevent unauthorized DLL loading
- Run LINE application with minimal user privileges (not as administrator)
🔍 How to Verify
Check if Vulnerable:
Check LINE version by opening LINE > Settings > About LINE. If version is 6.2.1.2289 or lower, system is vulnerable.
Check Version:
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object {$_.DisplayName -like "LINE*"} | Select-Object DisplayName, DisplayVersion
Verify Fix Applied:
After updating, verify version is 6.2.2 or higher in Settings > About LINE. Test by attempting to place a test DLL in the application directory; it should not load.
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 with LINE.exe loading DLLs from unusual locations
- Sysmon Event ID 7 (Image loaded) for LINE.exe loading unexpected DLLs
Network Indicators:
- Unusual outbound connections from LINE process after DLL load
- Beaconing traffic patterns from LINE.exe
SIEM Query:
source="windows" (EventCode=4688 OR EventCode=7) Image="*LINE.exe" (NewProcessName="*dll" OR ImageLoaded="*dll") | stats count by Image, ImageLoaded, User
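An added example, not part of the original advisory or any LINE tooling: Python triage for the Sysmon Event ID 7 indicator above, flagging DLLs that LINE.exe loads without a valid signature or from outside its own directory and the Windows system directories. The event records, install path and DLL names are constructed, and the trusted-directory list is an assumption.

```python
import ntpath

# Assumption: default Windows layout; extend this list for your environment.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed Sysmon Event ID 7 records (install path and DLL names are illustrative).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\LINE\LINE.exe", "Signed": "true",
     "SignatureStatus": "Valid", "ImageLoaded": r"C:\Windows\System32\example.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\LINE\LINE.exe", "Signed": "false",
     "SignatureStatus": "Unavailable", "ImageLoaded": r"C:\Program Files\LINE\example.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\LINE\LINE.exe", "Signed": "true",
     "SignatureStatus": "Valid", "ImageLoaded": r"C:\Windows\System32\..\Temp\helper.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe", "Signed": "false",
     "SignatureStatus": "Unavailable", "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\x.dll"},
]

def _norm(path):
    # Collapse ".." and case so "System32\..\Temp" cannot pass as a system path.
    return ntpath.normcase(ntpath.normpath(path))

def _under(path, root):
    return path == root or path.startswith(root + "\\")

def triage_image_load(event):
    """Return the reasons an image-load record needs review (empty list = expected)."""
    if event.get("EventID") != 7:
        return []
    image = _norm(event["Image"])
    if ntpath.basename(image) != "line.exe":
        return []
    loaded = _norm(event["ImageLoaded"])
    reasons = []
    signed_ok = event.get("Signed", "").lower() == "true" and event.get("SignatureStatus") == "Valid"
    if not signed_ok:
        reasons.append("signature missing or not valid")
    expected_dirs = (ntpath.dirname(image),) + SYSTEM_DIRS
    if not any(_under(loaded, d) for d in expected_dirs):
        reasons.append("loaded from unexpected directory")
    return reasons

def suspicious_loads(events):
    # Keep only the records that produced at least one reason.
    return [(e["ImageLoaded"], r) for e in events if (r := triage_image_load(e))]

if __name__ == "__main__":
    for path, reasons in suspicious_loads(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

The signature check matters because a DLL placed beside the executable sits in an otherwise expected directory, so a location test alone would not flag it.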