CVE-2023-52168
📋 TL;DR
A heap-based buffer overflow in 7-Zip's NTFS handler lets an attacker write two bytes past the end of an allocated buffer when a crafted archive is processed. Users of 7-Zip versions before 24.01 who extract untrusted NTFS-compressed archives are affected.
💻 Affected Systems
- 7-Zip (7zz command-line tool)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution leading to full system compromise, data theft, or ransomware deployment.
Likely Case
Application crash (denial of service) or limited memory corruption potentially leading to information disclosure.
If Mitigated
No impact if proper controls prevent processing untrusted archives or if patched version is used.
🎯 Exploit Status
Proof-of-concept details are publicly available in security advisories. Exploitation requires crafting a malicious NTFS archive.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.01 and later
Vendor Advisory: https://sourceforge.net/p/sevenzip/bugs/2402/
Restart Required: No
Instructions:
1. Download 7-Zip 24.01 or later from the official website.
2. Uninstall the old version.
3. Install the new version.
4. Verify the version with the '7zz' command.
🔧 Temporary Workarounds
Disable NTFS handler usage (all platforms)
Avoid processing NTFS-compressed archives with vulnerable versions.
# No direct command - avoid using 7zz on .ntfs or NTFS-compressed files
Use alternative extraction tools (all platforms)
Extract archives using patched versions or different software.
🧯 If You Can't Patch
- Restrict 7-Zip usage to trusted administrators only
- Implement application whitelisting to block 7zz execution
🔍 How to Verify
Check if Vulnerable:
Run the '7zz' command with no arguments and read the version from the first line of its banner. If the version is below 24.01, the system is vulnerable.
Check Version:
7zz | grep '7-Zip' # Linux/macOS: the banner line reads "7-Zip (z) NN.NN ..." and does not contain the word "version"
7zz # Windows (version appears in the first line of output)
Verify Fix Applied:
Run the '7zz' command and confirm that the version in the banner is 24.01 or higher.
📡 Detection & Monitoring
Log Indicators:
- Application crashes of 7zz process
- Memory access violation errors in system logs
Network Indicators:
- Unusual archive downloads followed by 7zz execution
SIEM Query:
Process creation where image='7zz.exe' AND parent process NOT IN (trusted_process_list)
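A runnable form of the SIEM rule above, combined with the version check from the verification section, as an added example that is not part of the original advisory: the trusted-parent allowlist, the sample events and the banner strings are constructed assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# First 7-Zip release carrying the NTFS handler fix (per the advisory).
FIXED_VERSION = (24, 1)
# Hypothetical allowlist of parents expected to launch 7zz in this environment.
TRUSTED_PARENTS = {"backup-agent.exe", "bash", "explorer.exe"}
# Image names of the 7-Zip command-line tool named on this page.
SEVENZIP_IMAGES = {"7zz", "7zz.exe"}
# 7zz prints a banner such as "7-Zip (z) 23.01 (x64) : ..." when started.
BANNER_RE = re.compile(r"7-Zip\s+(?:\([a-z]\)\s+)?(\d+)\.(\d+)")

def parse_7zz_version(banner: str):
    """Return (major, minor) from a 7zz banner line, or None if absent."""
    m = BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_vulnerable_version(version) -> bool:
    """Builds before 24.01 are affected; unknown versions are not flagged here."""
    return version is not None and version < FIXED_VERSION

@dataclass
class ProcEvent:
    image: str        # executable name as logged by the endpoint sensor
    parent: str       # parent process image name
    banner: str = ""  # first line of 7zz output, if the sensor captured it

def flag_events(events: Iterable[ProcEvent], trusted=TRUSTED_PARENTS) -> List[str]:
    """Flag 7zz started by an untrusted parent, or a vulnerable build started at all.
    Returns one reason string per flagged event, in input order."""
    hits = []
    for ev in events:
        if ev.image.lower() not in SEVENZIP_IMAGES:
            continue  # rule only concerns the 7-Zip command-line tool
        reasons = []
        if ev.parent.lower() not in trusted:
            reasons.append(f"untrusted parent {ev.parent}")
        ver = parse_7zz_version(ev.banner)
        if is_vulnerable_version(ver):
            reasons.append(f"vulnerable 7-Zip {ver[0]}.{ver[1]:02d} < 24.01")
        if reasons:
            hits.append(f"{ev.image} <- {ev.parent}: " + "; ".join(reasons))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("7zz", "bash", "7-Zip (z) 24.01 (x64) : Copyright ..."),
    ProcEvent("7zz.exe", "outlook.exe", "7-Zip (z) 23.01 (x64) : Copyright ..."),
    ProcEvent("7zz", "backup-agent.exe", "7-Zip (z) 22.01 (x64) : Copyright ..."),
    ProcEvent("notepad.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for line in flag_events(SAMPLE_EVENTS):
        print(line)
```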
🔗 References
- http://www.openwall.com/lists/oss-security/2024/07/03/10
- https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
- https://sourceforge.net/p/sevenzip/bugs/2402/
- https://security.netapp.com/advisory/ntap-20241122-0011/