Microsoft introduced a major update to Windows 11 (KB5031455), adding native support for 11 new compression formats, including RAR and 7z.
This update aimed to enhance user convenience by enabling file management directly within File Explorer.
However, the integration of these formats via the open-source libarchive library has raised significant security concerns, exposing users to potential vulnerabilities.
Libarchive is a widely used open-source library for handling various archive formats. It is deployed across multiple operating systems, including Linux, BSD, and macOS, and is integral to projects like ClickHouse, Homebrew, and Osquery.
Despite its robust reputation and continuous fuzzing by Google’s OSS-Fuzz project, recent analysis has revealed critical gaps in its security coverage.
Identified Vulnerabilities
Microsoft’s Offensive Research & Security Engineering (MORSE) team disclosed two remote code execution (RCE) vulnerabilities in January 2024—CVE-2024-20696 and CVE-2024-20697.
These issues stem from improper bounds checking in libarchive’s RAR decompression functions.
CVE-2024-20696: A remote code execution (RCE) vulnerability affecting the libarchive library integrated into Microsoft Windows.
The vulnerability arises from improper handling of decompressed data lengths during RAR file extraction, allowing attackers to execute arbitrary code on affected systems.
The vulnerability resides in the copy_from_lzss_window_to_unp function within libarchive’s RAR decompression implementation.
CVE-2024-20697: A similar out-of-bounds write vulnerability occurred in the execute_filter_e8 function when processing specific RAR filters.
Additionally, researchers identified a heap buffer overflow in RAR decompression and arbitrary file write/delete vulnerabilities caused by insufficient path sanitization on Windows.
These flaws could allow attackers to manipulate archive contents to overwrite or delete files on a user’s system.
The “Half-Day” Threat
Devcore researchers report that a major issue arises from delays in merging Microsoft’s patches for libarchive into its upstream repository.
For instance, vulnerabilities patched in Windows in January were not addressed in libarchive until May 2024.
This lag creates a “half-day” vulnerability window where attackers can exploit unpatched versions of libarchive used by other projects.
This delay was highlighted when researchers demonstrated how vulnerabilities in ClickHouse—a database system using libarchive—remained exploitable due to the lack of upstream fixes.
Exploiting these flaws required crafting malicious archive files that triggered vulnerabilities during decompression.
The update significantly increased Windows’ attack surface by enabling support for over 917 billion file format combinations through libarchive’s archive_read_support_format_all and archive_read_support_filter_all functions.
While this enhances functionality, it also introduces risks associated with parsing complex or malformed archives.For example:
Path Traversal Risks: Insufficient input sanitization allowed attackers to craft archives with malicious paths (e.g., ..\poc.txt) that could escape intended directories.
File Format Confusion: Libarchive’s automatic format detection sometimes misidentified archive types, leading to unexpected behavior.
Mitigation Challenges
Despite Microsoft’s efforts to patch vulnerabilities in its forked version of libarchive (archiveint.dll), the open-source nature of libarchive complicates mitigation.
Developers relying on libarchive may remain unaware of security patches unless explicitly notified. Furthermore, libarchive’s reliance on external binaries for certain decompression tasks introduces additional risks.
For instance, missing libraries could cause libarchive to execute external commands during extraction, potentially enabling remote code execution.
Windows 11’s adoption of libarchive highlights the trade-off between convenience and security. While native support for additional compression formats improves usability, it also exposes users to new attack vectors.
To mitigate risks, users should exercise caution when handling archives from untrusted sources. The integration of open-source components like libarchive underscores the importance of collaborative security practices across ecosystems. As vulnerabilities persist, proactive measures are essential to safeguard users from emerging threats.
PCI DSS 4.0 & Supply Chain Attack Prevention – Free Webinar
