CVE-2024-11573

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious DXF files in IrfanView. Attackers can gain full control of affected systems through memory corruption during DXF file parsing. All users of vulnerable IrfanView versions are affected.

💻 Affected Systems

Products:
  • IrfanView
Versions: Prior to 4.67
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All Windows versions running vulnerable IrfanView are affected. DXF file association with IrfanView increases risk.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining the same privileges as the logged-in user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Malware installation or data exfiltration when users open malicious DXF files from untrusted sources.

🟢

If Mitigated

Limited impact when application sandboxing is in place and user awareness training keeps malicious files from being opened.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files, but common in workflows involving image viewing.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal resources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction but is straightforward once a malicious DXF file is opened. ZDI has confirmed the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IrfanView 4.67 and later

Vendor Advisory: https://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download the latest IrfanView from the official website.
2. Run the installer.
3. Follow the installation prompts.
4. Verify the version is 4.67 or higher.

🔧 Temporary Workarounds

Disable DXF file association

Platform: Windows

Remove IrfanView as default handler for DXF files to prevent automatic opening.

Control Panel > Default Programs > Set Associations > Find .dxf > Change program

Application sandboxing

Platform: Windows

Run IrfanView in restricted environment to limit impact of exploitation.

🧯 If You Can't Patch

  • Implement application allowlisting to block IrfanView execution
  • Deploy email/web filtering to block DXF attachments and downloads

🔍 How to Verify

Check if Vulnerable:

Open IrfanView > Help > About, check if version is below 4.67

Check Version:

irfanview.exe /?

Verify Fix Applied:

Confirm IrfanView version is 4.67 or higher in About dialog

📡 Detection & Monitoring

Log Indicators:

  • IrfanView process crashes when opening DXF files
  • Unusual child processes spawned from IrfanView

Network Indicators:

  • Outbound connections from IrfanView process to unknown IPs

SIEM Query:

(process_name:"i_view32.exe" OR process_name:"i_view64.exe") AND (event_id:1000 OR parent_process contains unusual)
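
The three indicators above written as detection logic over normalized endpoint events. This is an added example, not part of the original advisory or any vendor tooling. Assumptions: the event field names, Sysmon event IDs 1 and 3 as the source of process and network events, the 60-second correlation window, and the internal network range.

```python
import ipaddress
from ntpath import basename  # parses Windows paths on any OS

IRFANVIEW = {"i_view32.exe", "i_view64.exe"}
CRASH_WINDOW = 60  # assumed: max seconds between a DXF open and the crash
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

def is_irfanview(path):
    return basename(path or "").lower() in IRFANVIEW

def detect(events):
    """Return (time, host, reason) alerts for the page's three indicators."""
    alerts, dxf_open = [], {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        host, eid = e["host"], e["event_id"]
        if eid == 1:  # Sysmon process creation
            if is_irfanview(e["parent_image"]):
                alerts.append((e["time"], host, "child process: " + basename(e["image"])))
            if is_irfanview(e["image"]) and ".dxf" in e["command_line"].lower():
                dxf_open[host] = e["time"]
        elif eid == 1000 and is_irfanview(e["image"]):  # Application Error
            opened = dxf_open.get(host)
            if opened is not None and e["time"] - opened <= CRASH_WINDOW:
                alerts.append((e["time"], host, "crash after DXF open"))
        elif eid == 3 and is_irfanview(e["image"]):  # Sysmon network connection
            if ipaddress.ip_address(e["dest_ip"]) not in INTERNAL:
                alerts.append((e["time"], host, "outbound connection: " + e["dest_ip"]))
    return alerts

IV = r"C:\Program Files\IrfanView\i_view64.exe"
# Constructed sample events, not real telemetry
SAMPLE = [
    {"time": 100, "host": "ws1", "event_id": 1, "image": IV,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"i_view64.exe" "C:\Users\a\Downloads\plan.dxf"'},
    {"time": 101, "host": "ws1", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": IV, "command_line": "cmd.exe"},
    {"time": 102, "host": "ws1", "event_id": 3, "image": IV, "dest_ip": "203.0.113.10"},
    {"time": 103, "host": "ws1", "event_id": 1000, "image": "i_view64.exe"},
    {"time": 200, "host": "ws2", "event_id": 1000, "image": "i_view32.exe"},  # no DXF open: ignored
    {"time": 210, "host": "ws2", "event_id": 3, "image": IV, "dest_ip": "10.1.2.3"},  # internal: ignored
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The IrfanView process names are grouped before any other condition is applied, so a crash or connection from an unrelated process never matches.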
