CVE-2024-20697
Published 2024-01-09
CVE-2024-20697: Windows libarchive Remote Code Execution Vulnerability
Priority P3 · 58 · high 7.3 · CVSS 3.1
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 72.16% (99.4th percentile)
Windows libarchive Remote Code Execution Vulnerability
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_11_22h2 | < 10.0.22621.3007 | 10.0.22621.3007 |
| microsoft | windows_11_23h2 | < 10.0.22631.3007 | 10.0.22631.3007 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.3007 | 10.0.22621.3007 |
| microsoft | windows_11_version_22h3 | >= 10.0.22631.0 < 10.0.22631.3007 | 10.0.22631.3007 |
| microsoft | windows_11_version_23h2 | >= 10.0.22631.0 < 10.0.22631.3007 | 10.0.22631.3007 |
| msrc | windows_11_version_22h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_22h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_23h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_23h2_for_x64-based_systems | — | — |
| msrc | windows_server_2022_23h2_edition | — | — |
Detection & IOCs (extracted from sources)
bytes: 0x52 0x61 0x72 0x21 0x1A 0x07 0x00
- Monitor and parse traffic on FTP, HTTP, SMTP, IMAP, SMB, and POP3 for RAR archive transfers; identify RAR files by the magic byte signature 0x52 0x61 0x72 0x21 0x1A 0x07 0x00 at the start of the file.
- Within a RAR4 (UnpVer=29) archive, parse RARVM filter structures and flag any filter whose computed fingerprint equals 0x35AD576887 or 0x393CD7E57E AND whose 5th register (initialregisters[4]) is set to 4, as this triggers the integer overflow in execute_filter_e8().
- Focus detection on RAR archives using format version 2.9/RAR4 (FileHeader UnpVer field = 29) with compressed data (Method field != 0x30/Store), as the vulnerable code path is only reachable for this version.
- The vulnerable function is execute_filter_e8() in libarchive/archive_read_support_format_rar.c; a heap-based buffer overflow occurs when the loop exit condition overflows to 0xFFFFFFFF, causing out-of-bounds access beyond the 0x40004-byte VM memory buffer.
- The upstream fix for this vulnerability is tracked as CVE-2024-26256 and is available via the libarchive pull request at https://github.com/libarchive/libarchive/pull/2135; use this to verify patched vs. unpatched library versions.
- The RAR4 format has no official documentation; all field names and structure descriptions are derived from UnRAR and libarchive source code, so detection logic must be validated against those implementations.
- The CVE-2024-20697 identifier tracks this issue specifically in Windows systems; the upstream libarchive issue is separately tracked as CVE-2024-26256. Red Hat Enterprise Linux packages are assessed as not affected.
- Despite the 'Remote Code Execution' title, the CVSS attack vector is Local (AV:L); exploitation requires user interaction (UI:R), since a victim must open a malicious RAR archive, and the attacker needs at minimum guest privileges (PR:L).
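As an added example (not code from the advisory or from libarchive), the following Python walks the RAR4 block chain and reports entries that match the triage precondition above: FileHeader UnpVer = 29 with a Method other than store. Field offsets are taken from the RAR4 layout as implemented by UnRAR/libarchive; header CRCs are not verified, the RARVM filter fingerprints are not inspected, and the sample archive bytes are constructed inline for the demonstration.

```python
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"          # 0x52 0x61 0x72 0x21 0x1A 0x07 0x00
FILE_HEAD, ENDARC_HEAD = 0x74, 0x7B       # block types: file header, end of archive
LONG_BLOCK, LHD_LARGE = 0x8000, 0x0100    # flags: ADD_SIZE present, 64-bit sizes present
VULN_UNP_VER, METHOD_STORE = 29, 0x30     # RAR 2.9/RAR4 data, "store" method

def rar4_entries(data):
    """Yield (name, unp_ver, method) for each file header in a RAR4 buffer.
    Offsets follow the layout used by UnRAR/libarchive; header CRCs are not checked."""
    if not data.startswith(RAR4_MAGIC):
        return
    off = len(RAR4_MAGIC)
    while off + 7 <= len(data):
        head_type, flags, head_size = struct.unpack_from("<xxBHH", data, off)
        if head_size < 7 or off + head_size > len(data):
            return                          # malformed/truncated header: stop walking
        total = head_size
        if flags & LONG_BLOCK and head_size >= 11:
            total += struct.unpack_from("<I", data, off + 7)[0]   # ADD_SIZE (= PACK_SIZE)
        if head_type == FILE_HEAD and head_size >= 32:
            unp_ver, method, name_size = struct.unpack_from("<BBH", data, off + 24)
            name_off = off + 32 + (8 if flags & LHD_LARGE else 0)
            yield data[name_off:name_off + name_size].decode("latin-1"), unp_ver, method
        if head_type == ENDARC_HEAD:
            return
        off += total

def flag_suspect_entries(data):
    """Entries on the vulnerable path: UnpVer 29 and a method other than store."""
    return [n for n, v, m in rar4_entries(data)
            if v == VULN_UNP_VER and m != METHOD_STORE]

# --- constructed sample archive for the check above (not a real exploit file) ---
def _block(head_type, flags, body):
    return struct.pack("<HBHH", 0, head_type, flags, 7 + len(body)) + body   # CRC = 0

def _file_block(name, unp_ver, method, packed):
    body = struct.pack("<IIBIIBBHI", len(packed), len(packed), 0, 0, 0,
                       unp_ver, method, len(name), 0x20) + name
    return _block(FILE_HEAD, LONG_BLOCK, body) + packed

SAMPLE = (RAR4_MAGIC + _block(0x73, 0, bytes(6))               # archive header
          + _file_block(b"notes.txt", 29, 0x33, b"\x00" * 4)    # RAR4, compressed
          + _file_block(b"stored.bin", 29, 0x30, b"\x00" * 3)   # RAR4, stored
          + _file_block(b"old.txt", 20, 0x33, b"")              # RAR 2.0 data
          + _block(ENDARC_HEAD, 0x4000, b""))
```

Running `flag_suspect_entries(SAMPLE)` returns only `['notes.txt']`; a hit means the archive reaches the RAR4 decompression path and deserves the deeper RARVM filter check, not that it is malicious.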
CVSS provenance
- nvd (v3.1): 7.3 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- vendor_msrc: 7.3 HIGH
- vendor_redhat: 7.3 HIGH
Red Hat
libarchive: Heap based buffer overflow in rar e8 filter
vendor_redhat · 2024-01-09 · CVSS 7.3 · HIGH · CWE-122
A flaw was found in the libarchive library. A heap-based buffer overflow in the execute_filter_e8 function in the libarchive/archive_read_support_format_rar.c file can be triggered when a specially crafted RAR archive is processed, causing the application linked to the library to crash and resulting in a denial of service.
Statement: CVE-2024-20697 was assigned to track this issue in Windows systems and CVE-2024-26256 was assigned to track the issue in libarchive upstream. See the CVE-2024-26256 page for more information about this issue at https://access.redhat.com/security/cve/CVE-2024-26256.
Package: libarchive (Red Hat Enterprise Linux 10): Not affected
Microsoft
Windows libarchive Remote Code Execution Vulnerability
vendor_msrc · 2024-01-09 · CVSS 7.3 · HIGH · CWE-122
FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?
The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.
FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required is Low (PR:L). What does that mean for this vulnerability?
An authorized attacker with guest privileges must send a victim a malicious site and convince them to open it.
GHSA
GHSA-w6xv-37jv-7cjr: Windows Libarchive Remote Code Execution Vulnerability
ghsa_unreviewed · 2024-01-09 · HIGH · CWE-122
No detection rules found.
No public exploits indexed.
Checkpoint
22nd April – Threat Intelligence Report
blogs_checkpoint · 2024-04-22 · tagged CVE-2024-24996
## 22nd April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 22nd April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHE
Trendmicro
CVE-2024-20697: Windows Libarchive Remote Code Execution Vulnerability
blogs_trendmicro · 2024-04-17 · CVSS 7.3 · HIGH
## CVE-2024-20697: Windows Libarchive Remote Code Execution Vulnerability
Learn about cve-2024-2069 Windows Libarchive remote code execution vulnerability.
By: Trend Micro Research, 2024/04/17
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Jason McFadyen of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in Microsoft Windows. This bug was originally discovered by the Microsoft Offensive Research & Security Engineering team. Successful exploitation could result in arbitrary code execution in the context of the application using the vulnerable library. The following is a portion of their write-up covering CVE-2024-20697, with a few minimal modifications.
Trendmicro
The January 2024 Security Update Review
blogs_trendmicro · 2024-01-09 · CVSS 8.8 · HIGH
# The January 2024 Security Update Review
Get the January 2024 security update and review.
By: Dustin Childs, 2024/01/09
Welcome to the first patch Tuesday of 2024. As expected, Microsoft and Adobe have released their latest security patches. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:
Adobe Patches for January 2024
For January, Adobe released a single patch addressing six CVEs in Substance 3D Stager. All six bugs are rated Important with the most severe allowing arbitrary code execution.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes t
Trendmicro
The January 2024 Security Update Review
blogs_trendmicro · 2024-01-09 · CVSS 9.1 · CRITICAL
## The January 2024 Security Update Review
Get the January 2024 security update and review.
By: Dustin Childs, Jan 09, 2024
Welcome to the first patch Tuesday of 2024. As expected, Microsoft and Adobe have released their latest security patches. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2024-20700 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2024-20674 | Windows Kerberos Security Feature Bypass Vulnerability | Critical | 9 | No | No | SFB |
| CVE-2024-0057 | .NET and Visual Studio Framework Security Feature Bypass Vulnerability | Important | | | | |
Bleepingcomputer
Microsoft January 2024 Patch Tuesday fixes 49 flaws, 12 RCE bugs
blogs_bleepingcomputer · 2024-01-09 · CVSS 8.8 · HIGH
## Microsoft January 2024 Patch Tuesday fixes 49 flaws, 12 RCE bugs
By Lawrence Abrams
- 10 Elevation of Privilege Vulnerabilities
- 7 Security Feature Bypass Vulnerabilities
- 12 Remote Code Execution Vulnerabilities
- 11 Information Disclosure Vulnerabilities
- 6 Denial of Service Vulnerabilities
- 3 Spoofing Vulnerabilities

The total count of 49 flaws does not include 4 Microsoft Edge flaws fixed on January 5th.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5034123 cumulative update and Windows 10 KB5034122 update.
## This month's interesting flaws
While there were no actively exploited or publicly disclosed vulnerabilities this month, some flaws are more interesting than others.
Microsoft fixes an Office Remo
Bugzilla
CVE-2024-26256 libarchive: Heap based buffer overflow in rar e8 filter
bugzilla · 2024-05-22 · CVSS 7.8 · HIGH
A heap-based buffer overflow flaw was found in the rar e8 filter in libarchive. An attacker could trick a user into opening a specially crafted rar archive to induce a denial of service or arbitrary code execution in the context of the application using libarchive.
References:
https://github.com/advisories/GHSA-2jc9-36w4-pmqw
https://www.zerodayinitiative.com/blog/2024/4/17/cve-2024-20697-windows-libarchive-remote-code-execution-vulnerability
Upstream patch:
https://github.com/libarchive/libarchive/pull/2135
Discussion:
Created cmake3 tracking bugs for this issue:
Affects: epel-7 [bug 2282528]
Created libarchive tracking bugs for this issue:
Affects: fedora-39 [bug 2282529]
Affects: fedora-40 [bug 2282527]
Cr
References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20697
- http://www.openwall.com/lists/oss-security/2024/06/04/2
- http://www.openwall.com/lists/oss-security/2024/06/05/1
- https://github.com/advisories/GHSA-w6xv-37jv-7cjr
- https://www.zerodayinitiative.com/blog/2024/4/17/cve-2024-20697-windows-libarchive-remote-code-execution-vulnerability
Published: 2024-01-09