Vulnerabilities (CVE-2023-40481, CVE-2023-31102) in 7-ZIP; fixed in version 23.00 (August 2023)

Posted on 2023-09-03 by guenni

Sicherheit (Pexels, allgemeine Nutzung)[German]A short update from the end of August 2023. Security researchers have found two vulnerabilities in the 7-Zip program, which is used to pack and unpack ZIP archive files. The vulnerabilities CVE-2023-40481 and CVE-2023-31102 are classified as high-risk from a security perspective. Attackers could possibly elevate privileges.

Advertising

I had reported about a vulnerability in WinRAR in the blog post WinRAR Code Execution Vulnerability CVE-2023-40477 at the end of August. German blog reader Ralf had pointed out later, that vulnerabilities in the packing program 7-ZIP has became publicin the discussion area – and Stefan Kanthak also sent me a mail with hints (thanks for that). Two serious vulnerabilities were published by the Zero-Day-Initiative.

CVE-2023-31102

CVE-2023-31102 is a 7Z File Parsing Integer Underflow Remote Code Execution vulnerability in 7-Zip that has been assigned a CVE score of 7.8 (i.e., risk is high). The Zero Day Initiative writes that this vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability because the target must visit a malicious page or open a malicious file.

The specific vulnerability exists is in the analysis of 7Z files. The problem results from the lack of proper validation of user-supplied data, which can lead to an integer underflow before writing to memory. An attacker can exploit this vulnerability to execute code in the context of the current process.

CVE-2023-40481

CVE-2023-40481 is a SquashFS File Parsing Out-Of-Bounds Write Remote Code Execution vulnerability in 7-Zip that has been assigned a CVE score of 7.8 (i.e., high risk). The vulnerability allows Romte attackers to execute arbitrary code on affected installations of 7-Zip. User interaction is also required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file.

The specific vulnerability arises during the analysis of SQFS files due to the lack of proper validation of user-supplied data. This can cause a write operation to exceed the end of an allocated buffer. An attacker can exploit this vulnerability to execute code in the context of the current process.

Advertising

Patch available

Both vulnerabilities were reported to the 7-ZIP developers on November 21, 2022 and were closed (according to Zero Day Initiative from August 23, 2023) with an update of the software to version 23.00 (at that time still beta). Thus, anyone using the program should update to the newest version. Currently version 23.01 is offered for download.

Advertising
This entry was posted in Security, Software, Update and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).