CVE-2024-11543

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DXF files in IrfanView. Attackers can gain control of the affected system with the same privileges as the current user. All IrfanView users who process DXF files are affected.

💻 Affected Systems

Products:
  • IrfanView
Versions: prior to 4.67
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All Windows versions where IrfanView is installed and DXF file association exists are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to malware installation, data exfiltration, or persistence mechanisms being established on the compromised system.

🟢 If Mitigated

Limited impact due to application sandboxing, limited user privileges, or network segmentation preventing lateral movement.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (opening a malicious file), but the attacker needs no authentication. Memory corruption vulnerabilities in popular software are frequently weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IrfanView 4.67 and later

Vendor Advisory: https://www.irfanview.com/

Restart Required: No

Instructions:

1. Download the latest IrfanView from the official website
2. Run the installer
3. Follow the installation prompts
4. Verify the version is 4.67 or higher

🔧 Temporary Workarounds

Disable DXF file association (Windows)

Remove IrfanView as default handler for DXF files to prevent automatic exploitation

Control Panel > Default Programs > Set Default Programs > Select IrfanView > Choose defaults for this program > Uncheck .dxf

Block DXF files at perimeter (all platforms)

Prevent DXF files from entering the network via email or web downloads

🧯 If You Can't Patch

  • Implement application whitelisting to prevent IrfanView execution
  • Use endpoint protection with memory corruption detection capabilities

🔍 How to Verify

Check if Vulnerable:

Open IrfanView > Help > About. The installation is vulnerable if the version number is below 4.67.

Check Version:

irfanview.exe /?

Verify Fix Applied:

Open IrfanView > Help > About > Confirm version is 4.67 or higher

📡 Detection & Monitoring

Log Indicators:

  • IrfanView process crashes with DXF files
  • Unusual child processes spawned from IrfanView
  • Memory access violations in application logs

Network Indicators:

  • Downloads of DXF files from untrusted sources
  • Outbound connections from IrfanView process

SIEM Query:

(process_name:"i_view64.exe" OR process_name:"i_view32.exe") AND (file_extension:".dxf" OR parent_process_crash:true)
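
The log and network indicators listed above, written as triage logic over endpoint events. This is an added example, not part of the original advisory: the event schema, host names and sample events are constructed, and only the executable names come from the SIEM query.

```python
import ntpath
import re

# Executable names as they appear in the page's SIEM query.
IRFANVIEW = {"i_view32.exe", "i_view64.exe"}
# A .dxf path argument, closed by a quote, whitespace or end of the command line.
DXF_ARG = re.compile(r'\.dxf(?=["\s]|$)', re.IGNORECASE)

def is_irfanview(path):
    """True if a Windows image path points at an IrfanView executable."""
    return ntpath.basename(path or "").lower() in IRFANVIEW

def triage(events):
    """Return (host, indicator) pairs for the page's log and network indicators."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and is_irfanview(ev.get("parent_image")):
            # An image viewer has no routine reason to start other programs.
            dxf = bool(DXF_ARG.search(ev.get("parent_command_line", "")))
            findings.append((ev["host"], "child_process_after_dxf" if dxf else "child_process"))
        elif kind == "crash" and is_irfanview(ev.get("image")):
            if DXF_ARG.search(ev.get("command_line", "")):
                findings.append((ev["host"], "crash_on_dxf"))
        elif kind == "network_connect" and is_irfanview(ev.get("image")):
            findings.append((ev["host"], "outbound_connection"))
    return findings

# Constructed sample events in a hypothetical normalized schema (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01",  # benign: the viewer itself being launched
     "image": r"C:\Program Files\IrfanView\i_view64.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_command_line": "explorer.exe"},
    {"type": "process_create", "host": "ws02",  # viewer spawns a shell after opening a DXF
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\IrfanView\i_view64.exe",
     "parent_command_line": r'"i_view64.exe" "C:\Users\a\Downloads\plan.DXF"'},
    {"type": "crash", "host": "ws03",           # crash while handling a DXF
     "image": r"C:\Program Files (x86)\IrfanView\i_view32.exe",
     "command_line": r"i_view32.exe C:\temp\part.dxf"},
    {"type": "crash", "host": "ws04",           # crash, but no DXF involved
     "image": r"C:\Program Files\IrfanView\i_view64.exe",
     "command_line": r"i_view64.exe C:\temp\photo.jpg"},
    {"type": "network_connect", "host": "ws02",
     "image": r"C:\Program Files\IrfanView\i_view64.exe", "dest": "203.0.113.10:443"},
]

if __name__ == "__main__":
    for host, indicator in triage(SAMPLE_EVENTS):
        print(host, indicator)
```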
