CVE-2024-11477
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of 7-Zip when processing malicious Zstandard-compressed files. The integer underflow during decompression can lead to memory corruption and code execution. Any application or system using 7-Zip's Zstandard decompression functionality is potentially affected.
💻 Affected Systems
- 7-Zip
📦 What is this software?
7-Zip by 7-Zip
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution with the privileges of the process using 7-Zip's decompression library, potentially leading to complete system compromise.
Likely Case
Remote code execution when processing malicious archives from untrusted sources, leading to data theft, ransomware deployment, or lateral movement.
If Mitigated
Denial of service or application crash if memory corruption doesn't lead to successful code execution.
🎯 Exploit Status
Exploitation requires the victim to process a malicious Zstandard-compressed file. Attack vectors could include email attachments, downloaded archives, or web uploads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.09 and later
Vendor Advisory: https://www.7-zip.org/history.txt
Restart Required: No
Instructions:
1. Download 7-Zip 24.09 or later from the official website.
2. Uninstall the current version.
3. Install the updated version.
4. Verify the installation by checking the version number.
🔧 Temporary Workarounds
Disable Zstandard decompression
Remove or disable Zstandard decompression support in the 7-Zip configuration.
Use alternative archive tools
Temporarily use alternative archive software that does not have this vulnerability.
🧯 If You Can't Patch
- Implement strict file upload validation to block Zstandard-compressed files
- Deploy application allowlisting to prevent execution of 7-Zip from untrusted locations
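The first workaround above, strict upload validation, is only effective if it checks file content rather than just the extension, since a renamed .zst file still carries the Zstandard frame header. The following is an added example (not code from the page or from the 7-Zip project) that rejects uploads whose first bytes are a Zstandard frame magic (0xFD2FB528, little-endian, from RFC 8878) or a Zstandard skippable-frame magic (0x184D2A50 to 0x184D2A5F), and falls back to an extension check. The function names, the extension list and the sample bytes are my own constructions:

```python
import struct

# Zstandard frame magic number (RFC 8878): 0xFD2FB528 stored little-endian,
# so a .zst stream begins with the bytes 28 B5 2F FD.
ZSTD_FRAME_MAGIC = 0xFD2FB528
# Skippable frames use 0x184D2A50..0x184D2A5F (the low nibble varies).
ZSTD_SKIPPABLE_MIN = 0x184D2A50
ZSTD_SKIPPABLE_MAX = 0x184D2A5F

# Extension denylist (assumed; extend to whatever your upload policy covers).
ZSTD_EXTENSIONS = (".zst", ".zstd", ".tzst", ".tar.zst")


def is_zstandard(data: bytes) -> bool:
    """Content check: does the data begin with a Zstandard (or skippable) frame?"""
    if len(data) < 4:
        return False
    magic = struct.unpack("<I", data[:4])[0]
    return magic == ZSTD_FRAME_MAGIC or ZSTD_SKIPPABLE_MIN <= magic <= ZSTD_SKIPPABLE_MAX


def has_zstandard_extension(filename: str) -> bool:
    """Name check, used only as a second line after the content check."""
    return filename.lower().endswith(ZSTD_EXTENSIONS)


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). Content is checked first so a renamed
    .zst file (e.g. report.pdf that is really a zstd stream) is still caught."""
    if is_zstandard(data):
        return False, "zstandard frame magic detected"
    if has_zstandard_extension(filename):
        return False, "zstandard file extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not real uploads.
    samples = [
        ("report.zst", b"\x28\xb5\x2f\xfd" + b"\x00" * 8),   # real zstd header
        ("report.pdf", b"\x28\xb5\x2f\xfd" + b"\x00" * 8),   # renamed zstd stream
        ("data.tar.zst", b"PK\x03\x04"),                     # wrong content, bad name
        ("photo.png", b"\x89PNG\r\n\x1a\n"),                 # unrelated file
    ]
    for name, blob in samples:
        print(name, validate_upload(name, blob))
```

This header check only recognises a standalone Zstandard stream; a Zstandard-compressed member nested inside another container format is not visible at the first four bytes, so container-aware inspection is needed to cover that case as well.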
🔍 How to Verify
Check if Vulnerable:
Run 7z with no arguments (7z.exe on Windows, 7z on Linux/macOS). The first line of output is a banner that includes the version number. If the version is earlier than 24.09, the installation is vulnerable.
Check Version:
7z
Verify Fix Applied:
After updating, run 7z again and confirm that the banner shows version 24.09 or later.
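For fleet-wide checks it helps to parse the banner rather than read it by eye. The following is an added example (not code from the page or from the 7-Zip project): it extracts the major and minor version from the banner that 7z prints, compares it with the 24.09 fix version stated above, and optionally runs the installed binary to classify it. The function names are mine; the banner formats in the comments are ones I have seen from 7-Zip and p7zip, and the check assumes a 7z (or 7z.exe) binary on PATH:

```python
import re
import shutil
import subprocess

# Fix version named by the advisory: 24.09 -> (24, 9).
FIXED_VERSION = (24, 9)

# Banner lines as printed by 7z with no arguments, e.g.
#   "7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29"
#   "7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21"
#   "p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs)"
_BANNER_RE = re.compile(r"(?:7-Zip(?: \(a\))?(?: \[\d+\])?|p7zip Version) (\d+)\.(\d+)")


def parse_7zip_version(output: str):
    """Return (major, minor) parsed from 7z's banner output, or None if absent."""
    m = _BANNER_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version, fixed=FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version."""
    return tuple(version) < tuple(fixed)


def check_installed(binary="7z"):
    """Run the installed 7z with no arguments and return (version, vulnerable).
    Returns (None, None) if no binary is found or no banner can be parsed."""
    path = shutil.which(binary)
    if path is None:
        return None, None
    # With no arguments 7z prints the banner and usage and exits non-zero,
    # so the exit status is ignored and only the text is parsed.
    proc = subprocess.run([path], capture_output=True, text=True)
    version = parse_7zip_version(proc.stdout + proc.stderr)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_installed()
    if version is None:
        print("7z not found on PATH or banner not recognised")
    else:
        print("7-Zip %d.%02d: %s" % (version[0], version[1],
                                    "VULNERABLE (older than 24.09)" if vulnerable else "fixed"))
```

The comparison is done on integer tuples so that 24.09 sorts below 24.10 and above 24.08, which a plain string comparison of the banner would get wrong.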
📡 Detection & Monitoring
Log Indicators:
- Application crashes of 7-Zip or processes using its library
- Unusual process creation following 7-Zip execution
- Failed decompression attempts with Zstandard files
Network Indicators:
- Downloads of Zstandard-compressed files from suspicious sources
- Network traffic patterns indicating archive processing followed by unexpected outbound connections
SIEM Query:
Process creation where parent process is 7z.exe or contains '7z' in command line, followed by suspicious child processes
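The SIEM rule above can be prototyped offline before it is translated into a product-specific query language. The following is an added example (not code from the page or from the 7-Zip project) that applies the rule to process-creation events: an alert is raised when the parent image is 7z.exe or has "7z" in its name and the child is a shell, script host or similar utility. The event field names (parent_image, image, cmdline, host, ts), the suspicious-child list and the log lines are all my own constructions; map the fields to your EDR or Sysmon schema (for example ParentImage/Image/CommandLine):

```python
import json

# Child images that are rarely legitimate when spawned by an archive tool
# (shells, script hosts, LOLBin-style utilities). Assumed list; tune for your estate.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "sh", "bash", "python", "python3", "perl",
}


def basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_7zip_parent(event: dict) -> bool:
    """Page rule: parent is 7z.exe or its name contains '7z' (covers 7zFM.exe, 7zG.exe, 7z)."""
    parent = basename(event.get("parent_image", ""))
    return parent == "7z.exe" or "7z" in parent


def is_suspicious_child(event: dict) -> bool:
    return basename(event.get("image", "")) in SUSPICIOUS_CHILDREN


def detect(events):
    """Return one alert per event with a 7-Zip parent and a suspicious child."""
    alerts = []
    for e in events:
        if is_7zip_parent(e) and is_suspicious_child(e):
            alerts.append({
                "ts": e.get("ts"),
                "host": e.get("host"),
                "parent": basename(e.get("parent_image", "")),
                "child": basename(e.get("image", "")),
                "cmdline": e.get("cmdline", ""),
            })
    return alerts


def parse_jsonl(text: str):
    """Parse JSON-lines process-creation events; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample events, not real telemetry. Only lines 1 and 4 should alert:
# 7zG.exe opening notepad is normal behaviour and explorer.exe is not a 7-Zip parent.
SAMPLE_LOG = r"""
{"ts": "2024-11-29T10:01:02Z", "host": "ws01", "parent_image": "C:\\Program Files\\7-Zip\\7zFM.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c echo test"}
{"ts": "2024-11-29T10:01:05Z", "host": "ws01", "parent_image": "C:\\Program Files\\7-Zip\\7zG.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe readme.txt"}
{"ts": "2024-11-29T10:02:10Z", "host": "ws02", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"ts": "2024-11-29T10:03:44Z", "host": "srv01", "parent_image": "/usr/bin/7z", "image": "/bin/sh", "cmdline": "sh -c uname"}
"""


def run_sample():
    """Run the detection over the constructed sample log."""
    return detect(parse_jsonl(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Matching on the parent image name rather than on the full command line keeps the rule from firing on unrelated processes whose arguments merely mention a 7z archive; if your telemetry lacks a parent-image field, the same logic can be applied to the parent command line as the page's wording suggests.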