CVE-2024-11563

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DXF files in IrfanView. The flaw exists in DXF file parsing where improper bounds checking enables out-of-bounds reads that can lead to remote code execution. All IrfanView users who open untrusted DXF files are affected.

💻 Affected Systems

Products:
  • IrfanView
Versions: Prior to 4.67
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All Windows versions running vulnerable IrfanView versions are affected. DXF file association with IrfanView increases risk.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the affected system in the context of the current user.

🟠 Likely Case

Malicious code execution leading to data theft, ransomware deployment, or system compromise when users open crafted DXF files.

🟢 If Mitigated

Limited impact if users only open trusted files and have proper endpoint protection.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files, but common in workflows involving image viewing.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to open malicious file. ZDI-CAN-24860 indicates professional vulnerability research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IrfanView 4.67 and later

Vendor Advisory: https://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download latest IrfanView from official website
2. Run installer
3. Follow installation prompts
4. Verify version is 4.67 or higher

🔧 Temporary Workarounds

Disable DXF file association

Platform: Windows

Remove IrfanView as default handler for DXF files to prevent automatic opening

Control Panel > Default Programs > Set Default Programs > Select IrfanView > Choose defaults for this program > Uncheck .dxf

Block DXF files at perimeter

Platform: All

Filter or block DXF files at email gateways and web proxies

🧯 If You Can't Patch

  • Implement application whitelisting to block IrfanView execution
  • Use endpoint protection with memory protection and exploit mitigation

🔍 How to Verify

Check if Vulnerable:

Check IrfanView version via Help > About. Versions below 4.67 are vulnerable.

Check Version:

irfanview.exe /?

Verify Fix Applied:

Confirm version is 4.67 or higher in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

  • IrfanView crash logs with memory access violations
  • Windows Application logs showing IrfanView failures

Network Indicators:

  • DXF file downloads from untrusted sources
  • Email attachments with DXF files

SIEM Query:

source="windows" AND (process="irfanview.exe" AND (event_id=1000 OR event_id=1001))
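
The same crash indicators can be pulled directly from a Windows host. The script below is an added example, not part of the original advisory: it assumes the stock IrfanView executable names `i_view32.exe` / `i_view64.exe` (rather than `irfanview.exe`), the usual property order of the "Application Error" event 1000, and a 7-day look-back window chosen for illustration.

```powershell
# Added example: list IrfanView crashes from the Application log and flag
# access violations (exception code 0xc0000005).
# Assumptions: executable names i_view32.exe / i_view64.exe; event 1000
# property order 0=app name, 1=app version, 3=faulting module, 6=exception code.

$since = (Get-Date).AddDays(-7)   # look-back window, adjust as needed

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $since
}

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -match '^i_view(32|64)\.exe$' } |
    ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            Computer        = $_.MachineName
            AppVersion      = $p[1].Value   # compare against the fixed release, 4.67
            FaultingModule  = $p[3].Value
            ExceptionCode   = $p[6].Value
            AccessViolation = ($p[6].Value -match 'c0000005')
        }
    } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Event 1001 (Windows Error Reporting) uses a different property layout and is not parsed here; correlate its entries by timestamp if needed.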
