CVE-2024-20696
📋 TL;DR
CVE-2024-20696 is a heap-based buffer overflow vulnerability in Windows libarchive that allows remote attackers to execute arbitrary code by tricking users into opening specially crafted archive files. This affects Windows systems using libarchive for archive processing. Attackers could gain SYSTEM-level privileges on vulnerable systems.
💻 Affected Systems
- Windows libarchive
📦 What is this software?
- Windows 10 1809 by Microsoft
- Windows 10 21h2 by Microsoft
- Windows 10 22h2 by Microsoft
- Windows 11 21h2 by Microsoft
- Windows 11 22h2 by Microsoft
- Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with SYSTEM privileges leading to complete system compromise, data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Attackers trick users into opening malicious archive files via email or web downloads, leading to malware installation and lateral movement within networks.
If Mitigated
Limited impact with proper user education, application whitelisting, and network segmentation preventing successful exploitation.
🎯 Exploit Status
Proof-of-concept code is publicly available on GitHub. Exploitation requires user interaction to open a malicious archive file. The vulnerability is in libarchive's parsing logic for archive headers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: January 2024 security updates (KB5034123 for Windows 10, KB5034127 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20696
Restart Required: Yes
Instructions:
1. Apply the January 2024 Windows security updates via Windows Update.
2. For enterprise environments, deploy the updates through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart systems after update installation.
🔧 Temporary Workarounds
Disable archive preview/handling
(Windows) Disable Windows built-in archive handling to prevent automatic processing of malicious files:
reg add "HKLM\SOFTWARE\Classes\SystemFileAssociations\.zip\Shell\Open\Command" /ve /d "" /f
reg add "HKLM\SOFTWARE\Classes\SystemFileAssociations\.tar\Shell\Open\Command" /ve /d "" /f
Use third-party archive tools
(Windows) Configure systems to use third-party archive utilities (such as 7-Zip) that do not use vulnerable libarchive versions.
🧯 If You Can't Patch
- Implement application control/whitelisting to prevent execution of unauthorized programs
- Educate users about risks of opening archive files from untrusted sources and implement email filtering for malicious attachments
🔍 How to Verify
Check if Vulnerable:
Check whether the January 2024 security updates are installed, using the 'systeminfo' command or the Windows Update history.
Check Version:
wmic qfe list | findstr KB5034123 (or appropriate KB number for your OS)
Verify Fix Applied:
Verify KB5034123 (Windows 10) or KB5034127 (Windows 11) is installed in Windows Update history
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unexpected archive extraction processes
- Security logs with process creation events from archive utilities
Network Indicators:
- Unusual outbound connections from systems after archive file access
- Archive files downloaded from suspicious sources
SIEM Query:
Process Creation where (Image contains 'expand.exe' OR Image contains 'tar.exe') AND CommandLine contains suspicious archive extensions
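As an added example (not from this advisory or any referenced project), the SIEM query above expressed as a small Python check run over constructed Sysmon-style process-creation records; the JSON field names, the archive extension list and the sample events are assumptions:

```python
import json
import re
from pathlib import PureWindowsPath

# Archive-handling binaries named in the SIEM query above.
ARCHIVE_IMAGES = {"tar.exe", "expand.exe"}
# Archive extensions treated as suspicious on the command line (assumed list; extend as needed).
ARCHIVE_EXT_RE = re.compile(r"\.(zip|tar|tgz|gz|7z|rar|cab|iso|xar|cpio)\b", re.IGNORECASE)


def is_suspicious_archive_process(event: dict) -> bool:
    """Return True when a process-creation event matches the SIEM query logic:
    the image is an archive utility AND its command line names an archive file."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in ARCHIVE_IMAGES:
        return False
    return ARCHIVE_EXT_RE.search(event.get("CommandLine", "")) is not None


def scan_process_events(lines):
    """Return [(line_no, event)] for matching JSON-lines events; malformed lines are skipped."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # Not a JSON record; a real pipeline would count these separately.
        if is_suspicious_archive_process(event):
            hits.append((line_no, event))
    return hits


# Constructed sample events in a Sysmon-like JSON-lines shape (not real telemetry).
SAMPLE_LOG = r"""
{"Image": "C:\\Windows\\System32\\tar.exe", "CommandLine": "tar.exe -xf C:\\Users\\alice\\Downloads\\invoice.tar", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Windows\\System32\\expand.exe", "CommandLine": "expand.exe update.cab -F:* C:\\temp", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Image": "C:\\Windows\\System32\\tar.exe", "CommandLine": "tar.exe --version", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir C:\\archive.zip", "ParentImage": "C:\\Windows\\explorer.exe"}
this line is not JSON and is skipped
"""


if __name__ == "__main__":
    for line_no, event in scan_process_events(SAMPLE_LOG.strip().splitlines()):
        print(f"line {line_no}: {event['Image']} -> {event['CommandLine']}")
```

Only the first two sample records match (tar.exe on a .tar file, expand.exe on a .cab file); the version check and the cmd.exe record are ignored.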
🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20696
- https://clearbluejar.github.io/posts/patch-tuesday-diffing-cve-2024-20696-windows-libarchive-rce/
- https://github.com/clearbluejar/CVE-2024-20696
- https://lists.debian.org/debian-lts-announce/2024/11/msg00007.html