CVE-2024-6818

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious PSP files in IrfanView. The flaw exists in PSP file parsing where improper input validation leads to an out-of-bounds write. Users of vulnerable IrfanView versions are affected.

💻 Affected Systems

Products:
  • IrfanView
Versions: prior to 4.67
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All Windows versions running vulnerable IrfanView versions are affected. User interaction is required (opening a malicious file).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining the same privileges as the user running IrfanView, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation leading to user account compromise, data exfiltration, and lateral movement within the network.

🟢 If Mitigated

Limited impact with code execution contained within IrfanView process boundaries, potentially causing application crash but no system-wide compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction but is technically straightforward once a malicious PSP file is crafted. ZDI has confirmed the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IrfanView 4.67 and later

Vendor Advisory: https://www.irfanview.com/main_history.htm

Restart Required: No

Instructions:

1. Download latest IrfanView from official website
2. Run installer
3. Follow installation prompts
4. Verify version is 4.67 or higher

🔧 Temporary Workarounds

Disable PSP file association (Windows)

Remove IrfanView as default handler for PSP files to prevent automatic opening

Control Panel > Default Programs > Set Associations > Find .psp > Change to another program or 'Look for an app in the Store'

Block PSP files at perimeter (all platforms)

Prevent PSP files from entering the network via email or web downloads

🧯 If You Can't Patch

  • Implement application whitelisting to block IrfanView execution
  • Use endpoint protection with exploit prevention capabilities

🔍 How to Verify

Check if Vulnerable:

Check the IrfanView version via Help > About. If the version is below 4.67, the system is vulnerable.

Check Version:

i_view64.exe /?
i_view32.exe /?

Verify Fix Applied:

Verify IrfanView version is 4.67 or higher in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

  • IrfanView crash logs with memory access violations
  • Windows Application Event Logs with Faulting Module: IrfanView

Network Indicators:

  • Unusual outbound connections from IrfanView process
  • PSP file downloads from untrusted sources

SIEM Query:

(process_name:"i_view32.exe" OR process_name:"i_view64.exe") AND (event_id:1000 OR event_id:1001) AND faulting_module:"i_view*.exe"
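
The log indicators above can also be checked offline against exported Application log records. The following is an added example, not part of the original advisory: it covers Event ID 1000 only, and the event dictionaries, host names and version fields are constructed sample data.

```python
import re

# Field labels used in the message text of "Application Error" (Event ID 1000).
FIELD_RE = re.compile(
    r"(Faulting application name|Faulting module name|Exception code):\s*([^,\r\n]+)")
IVIEW_RE = re.compile(r"^i_view(32|64)\.exe$", re.IGNORECASE)  # names from the query above
ACCESS_VIOLATION = "0xc0000005"  # STATUS_ACCESS_VIOLATION


def parse_message(message):
    """Extract application name, module name and exception code from the message."""
    return {label: value.strip() for label, value in FIELD_RE.findall(message)}


def triage(events):
    """Return IrfanView crashes, each marked with whether it was an access violation."""
    hits = []
    for ev in events:
        if ev["event_id"] != 1000:
            continue
        fields = parse_message(ev["message"])
        app = fields.get("Faulting application name", "")
        mod = fields.get("Faulting module name", "")
        if IVIEW_RE.match(app) and IVIEW_RE.match(mod):
            code = fields.get("Exception code", "").lower()
            hits.append({"host": ev["host"], "app": app,
                         "access_violation": code == ACCESS_VIOLATION})
    return hits


def _msg(app, mod, code):
    """Build a constructed message in the Event ID 1000 layout (values are made up)."""
    return (f"Faulting application name: {app}, version: 0.0.0.0, time stamp: 0x0\n"
            f"Faulting module name: {mod}, version: 0.0.0.0, time stamp: 0x0\n"
            f"Exception code: {code}\nFault offset: 0x0")


# Constructed sample events; host names are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS-01", "event_id": 1000, "message": _msg("i_view64.exe", "i_view64.exe", "0xc0000005")},
    {"host": "WS-02", "event_id": 1000, "message": _msg("notepad.exe", "ntdll.dll", "0xc0000005")},
    {"host": "WS-03", "event_id": 1000, "message": _msg("i_view32.exe", "i_view32.exe", "0xC0000409")},
    {"host": "WS-04", "event_id": 4688, "message": "New process: i_view64.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

An access-violation hit on a host still running a version below 4.67 is worth correlating with PSP files recently opened on that host.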
