BLOG 19 April 2022

Mitigating CVE-2022-29072 (7-zip) with MEM

Just last week, a new vulnerability was identified in the 7-zip application with ID ‘CVE-2022-29072’. This vulnerability allows for local privilege escalation due to a misconfiguration of the 7z.dll file. By exploiting this vulnerability, a user can receive local administrator privileges on an endpoint.

As part of our Cloud Control Managed Endpoint services, we ensure our customers are working in a secure and optimized environment. In order to do that, we are continuously monitoring the threat landscape looking for vulnerabilities which could impact our customers.

 

Identifying vulnerable devices

 

To identify which devices are vulnerable, Microsoft Defender’s Threat & Vulnerability Management can be used. The vulnerability exists in all versions of 7-zip, including the latest version 21.07.

 

As there is no patch available, Microsoft Defender doesn’t report on this vulnerability at the moment. One way to identify affected devices is by going into the Security portal and selecting Vulnerability Management > Software inventory and selecting 7-zip in the software list. This can also be accessed through the following URL.

 

 

Remediating the vulnerability

 

At the time of writing, no patch is available to mitigate this issue which means it is exploitable by default. This issue can be mitigated by removing the ‘7-zip.chm’ file which ensures the vulnerability is no longer exploitable.

 

This file is responsible for some of the ‘Help’ aspects of the 7-zip application and will not prevent 7-zip core capabilities, e.g.: unzipping archives. The user impact is limited to the fact that users will not be able to open the Help > Contents blade (But let’s be honest, who has opened this before?).

 

This mitigation can be mitigated by using a proactive remediation which can be deployed through Microsoft Endpoint Manager. This can be implemented by navigating to the Endpoint portal and selecting Reports > Endpoint Analytics > Proactive remediations.

 

As detection script, use the following code:

 

 

if((Get-Item -path "C:\Program Files\7-Zip\7-zip.chm" -ErrorAction SilentlyContinue) -or (Get-Item -path "C:\Program Files (x86)\7-Zip\7-zip.chm" -ErrorAction SilentlyContinue)){

    Write-Host "File identified"

    Exit 1

}

else{

    Write-Host "File not identified"

    Exit 0

}

 

 

For the remediation, the following Powershell code will remove the vulnerable file:

 

if(Get-Item -path "C:\Program Files\7-Zip\7-zip.chm" -ErrorAction SilentlyContinue){

    Remove-Item -path "C:\Program Files\7-Zip\7-zip.chm" -Force

    Write-Host "x64 file removed"

}

 

if(Get-Item -path "C:\Program Files (x86)\7-Zip\7-zip.chm" -ErrorAction SilentlyContinue){

    Remove-Item -path "C:\Program Files (x86)\7-Zip\7-zip.chm" -Force

    Write-Host "x86 file removed"

}

 

 

Note: This remediation assumes you have installed 7-zip in the default installation path.

 

Want to work together?

 

If you are a ‘Cloud Control Managed Endpoint’ customer, we have already identified the vulnerable devices in your environment and are reaching out for the remediation steps.

 

Do you want us to help you mitigate vulnerabilities and stay ahead of current attacks, take a look at our Managed Services and get in touch.

Thijs Lecomte

Microsoft 365 Consultant

Focus

  • Cloud Security & Compliance
  • Identity Management
  • Security Operation Center Architect

 

Bio

  • MVP Security
  • Security enthusiast focusing on securing cloud environments. Microsoft Sentinel expert and Microsoft Defender engineer.
  • LinkedIn

More about our teachers

Contact us

© The Collective - BE 0726.449.826

Privacy Policy 

 

site by Like a Virgin

© The Collective - BE 0726.449.826 - Privacy Policy