Researchers have uncovered two vulnerabilities in 7-Zip that leave various security devices and anti-virus products vulnerable to attack.
7-Zip is an open-source Windows utility that allows a user to manipulate archives for extremely high compression. The application provides support for large files and features optional AES-256 encryption, though users can employ “any compression, conversion or encryption method.”
The file archiver is also free, which has earned it much attention on both sides of the information security divide.
On the one hand, multiple vendors including FireEye, Malwarebytes, and Comodo have integrated 7-Zip’s libraries and components into their anti-virus products, as reported by Network World.
On the other hand, attackers have modified Nemucod, which was once just a Trojan downloader disguised as a ZIP file attachment, and turned it into a fully functional ransomware variant that uses 7-Zip’s software to encrypt victims’ files.
But users be warned. Cisco Talos recently discovered multiple vulnerabilities in 7-Zip that are more serious than regular security flaws. As explained in a blog post by Marcin Noga and Jaeson Schultz, two members of the Cisco Talos Security Intelligence & Research Group:
“These types of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in use today. Users may be surprised to discover just how many products and appliances are affected.”
Cisco Talos has identified two flaws in particular. The first (CVE-2016-2335) is an out-of-bounds read vulnerability that exists in the way 7-Zip handles Universal Disk Format (UDF) files. An attacker could potentially exploit this vulnerability to achieve arbitrary code execution.
The second flaw (CVE-2016-2334) is a heap overflow vulnerability that exists in the Archive::NHfs::CHandler::ExtractZlibFile method of 7-Zip. The flaw pertains to how compressed files that exceed a certain size are stored in a resource fork and split into blocks. A failure to check those block sizes allows a malformed block size to cause a buffer overflow and heap corruption.
As the researchers note in their post, both bugs originate from the same problem:
“Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security.”
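As an added illustration of the missing check described for the HFS extractor and of the input-validation point in the quote above (example code, not 7-Zip's or Cisco Talos's), here is a C block-table parser over a constructed, simplified resource-fork layout that validates every declared block length against both the input and the output buffer before copying. The layout, the MAX_BLOCK ceiling and the sample forks are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed block layout (NOT 7-Zip's real HFS+ resource-fork format):
 * 4-byte little-endian block count, then one 4-byte length per block,
 * then the block payloads back to back. */
enum { MAX_BLOCK = 64 * 1024 };   /* assumed per-block ceiling */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copies every block into out; returns bytes written or -1 on a malformed table.
 * Each declared length is checked against the remaining input and the
 * remaining output capacity before any copy, so an attacker-controlled
 * length can never drive memcpy past either buffer. */
long extract_blocks(const uint8_t *fork, size_t fork_len,
                    uint8_t *out, size_t out_cap) {
    if (fork_len < 4) return -1;
    uint32_t n = rd32(fork);
    if (n > (fork_len - 4) / 4) return -1;      /* length table must fit */
    size_t pos = 4 + (size_t)n * 4;             /* first payload byte */
    size_t written = 0;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t len = rd32(fork + 4 + (size_t)i * 4);
        if (len > MAX_BLOCK) return -1;         /* implausible declared size */
        if (len > fork_len - pos) return -1;    /* would read past the fork */
        if (len > out_cap - written) return -1; /* would write past the heap buffer */
        memcpy(out + written, fork + pos, len);
        pos += len; written += len;
    }
    return (long)written;
}

/* Constructed sample forks: a well-formed one and one whose second block
 * declares 0x10000000 bytes that the fork does not contain. */
static const uint8_t GOOD_FORK[] = { 2,0,0,0, 3,0,0,0, 4,0,0,0,
                                     'a','b','c', 'd','e','f','g' };
static const uint8_t BAD_FORK[]  = { 2,0,0,0, 3,0,0,0, 0,0,0,0x10,
                                     'a','b','c', 'd','e','f','g' };
long demo_good(void)      { uint8_t out[16]; return extract_blocks(GOOD_FORK, sizeof GOOD_FORK, out, sizeof out); }
long demo_malformed(void) { uint8_t out[16]; return extract_blocks(BAD_FORK, sizeof BAD_FORK, out, sizeof out); }

int main(void) {
    printf("good: %ld bytes, malformed: %ld\n", demo_good(), demo_malformed());
    return 0;
}
```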
Users are urged to update all vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible.
Let’s hope that security vendors (not computer criminals) whose products are affected by these flaws do the same.
Update: Thomas Reed of Malwarebytes tells us the product is not using a vulnerable version of 7-Zip.