Researchers have uncovered two vulnerabilities in 7-Zip that leave various security devices and anti-virus products vulnerable to attack.
7-Zip is an open-source Windows utility that allows a user to manipulate archives for extremely high compression. The application provides support for large files and features optional AES-256 encryption, though users can employ “any compression, conversion or encryption method.”
The file archiver is also free, which has earned it much attention on both sides of the information security divide.
On the one hand, multiple vendors including FireEye, Malwarebytes, and Comodo have integrated 7-Zip’s libraries and components into their anti-virus products, as reported by Network World.
On the other hand, attackers have modified Nemucod, which was once just a Trojan downloader disguised as a ZIP file attachment, and made into a fully functional ransomware variant that uses 7-Zip’s software to encrypt victims’ files.
But users be warned. Cisco Talos recently discovered multiple vulnerabilities in 7-Zip that are more serious than regular security flaws. As explained in a blog post by Marcin Noga and Jaeson Schultz, two members of the Cisco Talos Security Intelligence & Research Group:
“These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.”
Cisco Talos has identified two flaws in particular. The first (CVE-2016-2335) is an out-of-bounds read vulnerability that exists in the way 7-Zip handles Universal Disk Format (UDF) files. An attacker could potentially exploit this vulnerability to achieve arbitrary code execution.
The second flaw (CVE-2016-2334) is a heap overflow vulnerability that exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip. The flaw pertains to how compressed files that exceed a certain size are stored in a resource fork and split into blocks. A failure to check into those block sizes can result in a malformed block size that will cause a buffer overflow and heap corruption.
As the researchers note in their post, both bugs originate from the same problem:
“Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security.”
Users are urged to update all vulnerable version of 7-Zip to the latest revision, version 16.00, as soon as possible.
Let’s hope that security vendors (not computer criminals) whose products are affected by these flaws do the same.
Update: Thomas Reed of Malwarebytes tells us the product is not using a vulnerable version of 7-Zip.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
6 comments on “Anti-virus products, security devices affected by 7-Zip flaws”
Many thanks for the excellent write-up.
I have upgraded to version 16.
I honestly don't know why so many people are still using 7-Zip.
There are far better alternatives such as the excellent (and free) PeaZip which supports 180+ archive formats, has a more modern interface, works on multiple OS's and is frequently ipdated.
7-Zip updates by contrast are few and far between and it comes as no surprise that this vulnerability existed; I'm sure there are many more waiting to be discovered.
Alternatively for enterprise users (or those with a high-security need) there is PKWare's SecureZIP – naturally this isn't free.
PeaZip is a frontend application and uses open source software like 7-zip to read archives. I guess this makes it just as vulnerable as 7-zip itself.
Peter, it's a front-end for many compression formats but because of how the overflow vulnerability was coded PeaZip users were somewhat protected. It affected the compression library but some software reliant on it handled the error differently.
Fortunately PeaZip is updated regularly; I find around every 3-months.
I remember the 2015 release of 7-Zip. It took him FIVE YEARS to create the stable (non-Alpha/Beta) version. That's unacceptable. I appreciate he's a one-man-band but for companies you can't roll-out developmental software.
I like the 7-Zip format but other modern archives like PAQ are superior and PeaZip supports very many and had features like secure delete, different levels of encryption, password manager for the archives, ability to view the command log etc.
I had never heard of Peazip before. It looks really good, and I have replaced 7-zip with it. 7-zip 16 64-bit on Windows 10 kept asking me to put in the next volume for a multi-volume zip file, despite me not having any on my system! Thanks Bob!
Mark, PeaZip is very popular in the Linux world as it handles formats like TAR, ZIP, PAQ. 7Z etc. You can easily create a compatible archive for somebody on another OS from within the main interface. The plus side is that you don't need to fiddle around on the terminal to do a simple task.
I've never experienced the multi-volume issue you describe but, without having had chance to try, I would guess that you've inadvertently set the volumes to be stored on removal media hence the prompting.