CVE-2021-33453

7.8 HIGH

📋 TL;DR

CVE-2021-33453 is a use-after-free vulnerability in lrzip version 0.641 that occurs in the ucompthread() function. This vulnerability could allow attackers to execute arbitrary code or cause denial of service by exploiting memory corruption. Users and systems running the affected lrzip version are at risk.

💻 Affected Systems

Products:
  • lrzip
Versions: Version 0.641 specifically
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using lrzip 0.641 for compression/decompression operations is vulnerable. The vulnerability is triggered during archive processing.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Application crash causing denial of service, potentially leading to data corruption in compression/decompression operations.

🟢 If Mitigated

Limited impact with proper sandboxing and privilege separation, potentially only causing application termination.

🌐 Internet-Facing: MEDIUM - Requires user interaction (processing malicious archives) but could be exploited via web interfaces or automated systems.
🏢 Internal Only: MEDIUM - Similar risk profile as internet-facing, but attack surface limited to internal users and systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept code is publicly available in GitHub issues. Exploitation requires crafting a malicious archive file that triggers the use-after-free condition.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 0.642 and later

Vendor Advisory: https://github.com/ckolivas/lrzip/issues/199

Restart Required: No

Instructions:

1. Check current lrzip version: lrzip --version
2. Update using package manager: sudo apt update && sudo apt upgrade lrzip (Debian/Ubuntu) or sudo yum update lrzip (RHEL/CentOS)
3. Alternatively, compile from source: git clone https://github.com/ckolivas/lrzip && cd lrzip && make && sudo make install

🔧 Temporary Workarounds

Disable lrzip usage (platform: linux)

Temporarily disable or remove lrzip from systems until patched:

sudo apt remove lrzip
sudo yum remove lrzip

Restrict file processing (platform: all)

Implement input validation to reject suspicious archive files

🧯 If You Can't Patch

  • Implement strict access controls to limit who can execute lrzip
  • Deploy application sandboxing or containerization to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Run: lrzip --version | grep -q '0\.641' && echo 'VULNERABLE' || echo 'SAFE'

Check Version:

lrzip --version

Verify Fix Applied:

Run: lrzip --version | grep -q '0\.64[2-9]\|0\.6[5-9]\|0\.[7-9]' && echo 'PATCHED' || echo 'STILL VULNERABLE'
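The grep one-liners above compare version strings as text, which is fragile (an unescaped dot matches any character, and the pattern has to be extended by hand for each future release series). The following added example, which is not part of this advisory or of the lrzip project, parses the version number out of the `lrzip --version` output and compares it numerically against the vulnerable release (0.641) and the first fixed release (0.642) named above. It assumes the output contains a `major.minor` token such as `lrzip version 0.641`; the `check_installed` helper and the status labels are this example's own.

```python
"""Version-based vulnerability check for CVE-2021-33453 (added example, not project code)."""
import re
import subprocess
from typing import Optional, Tuple

VULNERABLE_VERSION = (0, 641)   # the release named in the advisory
FIXED_VERSION = (0, 642)        # "0.642 and later" per the advisory

# Assumption: `lrzip --version` prints a token like "0.641" somewhere in its output.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\b")


def parse_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) parsed from version output, or None if no version is found."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def assess(output: str) -> str:
    """Classify version output as VULNERABLE, PATCHED, OLDER (not covered by this
    advisory; upgrade regardless) or UNKNOWN (no version could be parsed)."""
    version = parse_version(output)
    if version is None:
        return "UNKNOWN"
    if version == VULNERABLE_VERSION:
        return "VULNERABLE"
    if version >= FIXED_VERSION:       # tuple comparison: (0, 650) > (0, 642)
        return "PATCHED"
    return "OLDER"


def check_installed() -> str:
    """Run the locally installed lrzip and assess it; NOT_INSTALLED if the binary is absent."""
    try:
        proc = subprocess.run(
            ["lrzip", "--version"], capture_output=True, text=True, timeout=10
        )
    except FileNotFoundError:
        return "NOT_INSTALLED"
    # Some tools print version banners to stderr, so look at both streams.
    return assess(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print(check_installed())
```

Running the script prints one of the status words; in inventory tooling, treat anything other than `PATCHED` or `NOT_INSTALLED` as a host that still needs the upgrade.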

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Unexpected termination of lrzip processes
  • Memory allocation errors in system logs

Network Indicators:

  • Unusual archive file downloads to servers running lrzip
  • Multiple failed compression/decompression attempts

SIEM Query:

process_name='lrzip' AND (event_type='crash' OR exit_code=139)
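As an added example that is not part of this advisory, the script below turns the log indicators listed above (segmentation faults, abnormal lrzip exits, memory allocation errors) into a small detector that runs over syslog-style lines and raises a per-host alert when several such events cluster, which is what "multiple failed decompression attempts" looks like in practice. The sample log lines are constructed for the example, and the message formats matched by the regular expressions (kernel `segfault at` lines, systemd `status=11/SEGV`, a wrapper reporting exit code 139) are assumptions modelled on common Linux logging, not output taken from lrzip itself.

```python
"""Log-based detection of lrzip crash indicators (added example, not from the advisory)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Indicator patterns; the exact message shapes are assumptions about typical Linux logs.
SEGFAULT_RE = re.compile(r"\blrzip\[\d+\]: segfault at", re.I)
ABNORMAL_EXIT_RE = re.compile(
    r"\blrzip\b.*(status=11/SEGV|exit_code=139|exit code 139)", re.I
)
ALLOC_ERROR_RE = re.compile(
    r"\blrzip\b.*(cannot allocate memory|out of memory|failed to allocate)", re.I
)

# Constructed sample input in syslog format: "Mon DD HH:MM:SS host program[pid]: message".
SAMPLE_LOG = """\
Mar  3 10:14:02 fileserver kernel: lrzip[4211]: segfault at 10 ip 000055f3 sp 00007ffd error 4 in lrzip[55f2+1a000]
Mar  3 10:14:02 fileserver systemd[1]: lrzip-unpack.service: Main process exited, code=killed, status=11/SEGV
Mar  3 10:14:09 fileserver kernel: lrzip[4219]: segfault at 0 ip 000055f3 sp 00007ffd error 6 in lrzip[55f2+1a000]
Mar  3 10:14:15 fileserver unpack.sh[4230]: lrzip exited with exit code 139 for upload_17.lrz
Mar  3 10:15:00 fileserver cron[4301]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:16:44 buildbox lrzip[5120]: Failed to allocate memory for decompression
"""


def classify(line: str) -> Optional[str]:
    """Map a log line to an indicator kind, or None if it is not lrzip-related."""
    if SEGFAULT_RE.search(line):
        return "segfault"
    if ABNORMAL_EXIT_RE.search(line):
        return "abnormal_exit"
    if ALLOC_ERROR_RE.search(line):
        return "alloc_error"
    return None


def host_of(line: str) -> str:
    """Hostname is the fourth whitespace-separated field in syslog format."""
    fields = line.split()
    return fields[3] if len(fields) > 3 else "unknown"


def scan(lines: Iterable[str], threshold: int = 3) -> Dict[str, object]:
    """Return every matching event plus the hosts with at least `threshold` events,
    which are the ones worth escalating rather than treating as a one-off crash."""
    hits: List[Dict[str, str]] = []
    per_host: Counter = Counter()
    for line in lines:
        kind = classify(line)
        if kind is None:
            continue
        host = host_of(line)
        hits.append({"host": host, "kind": kind, "line": line})
        per_host[host] += 1
    alerts = sorted(h for h, n in per_host.items() if n >= threshold)
    return {"hits": hits, "alerts": alerts, "per_host": dict(per_host)}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for hit in result["hits"]:
        print(f"{hit['host']:<11} {hit['kind']:<14} {hit['line'][:70]}")
    print("alert hosts:", result["alerts"])
```

On the constructed sample, `fileserver` accumulates four indicator events within about a minute and is reported, while the single allocation error on `buildbox` stays below the threshold. Feed the function journal or syslog exports from hosts that run lrzip on untrusted input; the threshold is a tuning knob, not a fixed rule.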
