CVE-2024-11565
📋 TL;DR
This vulnerability in IrfanView allows remote attackers to execute arbitrary code by tricking users into opening malicious CGM files. The flaw exists in how IrfanView processes CGM files without proper bounds checking, enabling out-of-bounds reads that can lead to remote code execution. All users running vulnerable versions of IrfanView are affected.
💻 Affected Systems
- IrfanView
📦 What is this software?
Irfanview by Irfanview
Irfanview by Irfanview
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to malware installation, data exfiltration, or persistence mechanisms being established on the compromised system.
If Mitigated
Application crash or denial of service if exploit attempts are blocked by security controls, with no code execution achieved.
🎯 Exploit Status
Exploitation requires user interaction but is technically straightforward once a malicious CGM file is crafted. The ZDI advisory suggests active exploitation is likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IrfanView 4.67 or later
Vendor Advisory: https://www.irfanview.com/main_history.htm
Restart Required: No
Instructions:
1. Download IrfanView 4.67 or later from the official website
2. Run the installer and follow the installation prompts
3. Replace any existing vulnerable versions
🔧 Temporary Workarounds
Disable CGM file association
windowsRemove IrfanView as the default handler for CGM files to prevent automatic opening
Control Panel > Default Programs > Set Default Programs > Select IrfanView > Choose defaults for this program > Uncheck .cgm
Block CGM files at perimeter
allConfigure email/web gateways to block .cgm file attachments and downloads
🧯 If You Can't Patch
- Implement application whitelisting to prevent IrfanView execution
- Use endpoint detection and response (EDR) to monitor for suspicious IrfanView process behavior
🔍 How to Verify
Check if Vulnerable:
Check IrfanView version via Help > About. Versions below 4.67 are vulnerable.Check Version:
irfanview.exe /?Verify Fix Applied:
Confirm IrfanView version is 4.67 or higher in Help > About dialog.📡 Detection & Monitoring
Log Indicators:
- IrfanView process crashes with memory access violations
- Unexpected IrfanView processes spawning child processes
- IrfanView accessing unusual network resources
Network Indicators:
- Downloads of .cgm files from untrusted sources
- Outbound connections from IrfanView process to suspicious IPs
SIEM Query:
process_name:"i_view32.exe" OR process_name:"i_view64.exe" AND (event_id:1000 OR parent_process NOT IN ("explorer.exe", "cmd.exe"))