On November 20th, 2024, Zero Day Initiative (ZDI) researchers disclosed a critical flaw in 7-Zip.
This widely used open-source file archiving software enables remote actors to perform remote code execution (RCE) on vulnerable 7-Zip versions. This vulnerability was originally discovered earlier this year and was reported to 7-Zip in June 2024.
Technical Details
Tagged as CVE-2024-11477, this vulnerability exists within the implementation of Zstandard decompression, specifically affecting 7-Zip’s Zstandard decompression library. The issue comes from the inadequate validation of user-supplied data during the decompression process, which can cause an integer underflow. When this occurs, threat actors can execute arbitrary code within the affected process.
It should be noted that although user interaction is required to exploit this vulnerability, attack vectors can vary depending on 7-Zip’s implementation within a system.
Despite CVE-2024-11477 having a CVSS score of 7.8 and a high severity rating, it’s important to note that there are no active exploitations of this vulnerability in the wild as of this writing. However, we found that a malicious actor had uploaded a link to a fake proof-of-concept (PoC) file of the 7-Zip flaw on GitHub, leading to a phishing landing page.
The URL was flagged as malicious on VirusTotal.
It’s important to remember that malicious email campaigns often rely on compressed attachments to spread malware. If an exploit is developed to weaponize this vulnerability you can expect to see activity around CVE-2024-11477 increase tremendously.
Mitigations
To mitigate this risk, users and organizations are strongly advised to update to 7-Zip version 24.07 or later immediately. Users are also reminded to remain vigilant when opening archive files, especially if they come from untrusted sources.
