CVE-2023-52168 & CVE-2023-52169 in 7-Zip Uncovered and Addressed: What You Need to Know

In the realm of open-source software, vulnerabilities are an inevitable reality. However, the recent disclosure of two security flaws in the widely used 7-Zip compression tool has raised eyebrows due to the lack of official acknowledgment from the developer.

Security researcher Maxim Suhanov (@msuhanov) discovered and responsibly reported the vulnerabilities, identified as CVE-2023-52168 (buffer overflow) and CVE-2023-52169 (out-of-bounds read), in August 2023. These flaws could potentially allow attackers to overwrite sensitive data or leak confidential information from servers where 7-Zip is deployed.

• CVE-2023-52168: Buffer Overflow Vulnerability

The first vulnerability, CVE-2023-52168, involves a heap-based buffer overflow in the NtfsHandler.cpp NTFS handler in 7-Zip versions prior to 24.01 (for 7zz). This flaw allows attackers to overwrite two bytes at multiple offsets beyond the allocated buffer size. Specifically, an attacker can manipulate offsets such as buffer+512*i-2, for i=9, i=10, i=11, and so forth. The implications of this vulnerability are severe, as it provides a pathway for malicious actors to execute arbitrary code or cause a denial of service.

• CVE-2023-52169: Excessive Buffer Reading Vulnerability

The second vulnerability, CVE-2023-52169, pertains to an out-of-bounds read issue in the same NtfsHandler.cpp NTFS handler. This vulnerability allows attackers to read beyond the intended buffer, with the extraneous bytes being presented as part of a filename listed in the file system image. This flaw is particularly relevant in scenarios where untrusted users can upload files to web services, and these files are subsequently extracted by a server-side 7-Zip process. Such an exploit could lead to the leakage of sensitive information, posing a significant risk in environments where 7-Zip is used for server-side operations.

For individual users, these vulnerabilities might seem less alarming, potentially allowing an attacker to process multiple untrusted documents within a single process. However, the real threat emerges when 7-Zip is deployed on servers. In such contexts, attackers could leverage these vulnerabilities to exfiltrate vast amounts of data from remote servers, leading to substantial data breaches. For instance, server-side tasks like online decompression or file previews executed by 7-Zip could become vectors for exploitation.

The responsible disclosure of these vulnerabilities to developer Igor Pavlov was conducted by the researcher. Surprisingly, the recent update logs did not mention any related fixes. However, detailed analysis confirms that the 7-Zip 24.01 beta version, released on January 31, 2024, effectively addressed these issues. Subsequent versions, including the latest 24.07, have also resolved these vulnerabilities.

One of the most contentious aspects of this security episode is the lack of transparency from the 7-Zip development team. The absence of any mention of the vulnerabilities in update logs or security announcements has sparked concern among users and the open-source community. Without the researcher’s blog post, the existence of these vulnerabilities might have remained obscure, potentially leaving many systems at risk.