Libarchive security bugs have a wide-ranging impact

Jun 22, 2016 21:35 GMT

A set of security flaws in Libarchive, an open source compression toolkit, affects countless other projects where this library was included, such as Debian Linux, FreeBSD, and various file compression utilities.

The library was created in 2004 specifically for the FreeBSD project, but its powerful features soon caught the eye of many other developers, who ported it to other operating systems and integrated it into their own software.

Developers love the fact that Libarchive provides real-time access to a large number of compressed file formats, such as tar, 7z, zip, cpio, pax, rar, cab, and many more.

Exploitation is trivial

In a blog post published yesterday, the Cisco Talos team announced that it worked with the Libarchive team to patch a series of security issues in the library.

These issues stand apart from the many security bugs fixed in software products on a daily basis: because of Libarchive's wide reach, they indirectly affect countless other projects.

Exploiting these issues is also somewhat trivial if you know where they are, since it only requires an attacker to craft a malicious ZIP file.

When Libarchive, or the software where Libarchive was included, reads the malicious archive, the attacker can execute malicious code on the user's system.

Many software products at risk

Imagine you're using an antivirus or a package manager that has included Libarchive in its code to read archived files in real time. Since all antivirus products decompress archived files to look inside them for malware, and since the role of a package manager is to download, unzip, and install software on your PC, the attacker's job is limited to crafting the malicious archive and finding a way to deliver it to your PC.

Cisco researchers said they found an integer overflow issue in how Libarchive handles 7-Zip files (CVE-2016-4300), a buffer overflow in how Libarchive handles Mtree files (CVE-2016-4301), and a heap overflow in how the library handles RAR files (CVE-2016-4302). As you can see, all of these are dangerous security flaws that lead to remote code execution on the user's machine.

"Writing secure code can be difficult," the Cisco team explains. "The root cause of these libarchive vulnerabilities is a failure to properly validate input -- data being read from a compressed file. Sadly, these types of programming errors occur over and over again."
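As an added illustration of the input-validation failure the Talos team describes (this is constructed example code, not libarchive's own code and not the code path of any of the three CVEs), the snippet below shows a hypothetical archive parser that trusts a record count read from a header, lets the size multiplication wrap, and then the same computation with the checks that reject a bogus count. The header layout, the 16-byte record size and the function names are assumptions for the example.

```c
/* Constructed example: an unchecked count field read from an archive header
 * becomes an undersized buffer size, beside the hardened check. */
#include <stdint.h>
#include <stdio.h>

#define ELEM_SIZE 16u   /* hypothetical fixed-size record in the entry table */

/* Read a little-endian 32-bit count from the first 4 header bytes. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable pattern: trusts the count and multiplies in 32 bits. A count of
 * 0x10000001 yields 16 bytes, so a loop over "count" records writes far past
 * a buffer sized from this value. */
uint32_t naive_table_bytes(const uint8_t *hdr) {
    uint32_t count = read_le32(hdr);
    return count * ELEM_SIZE;            /* silently wraps for count >= 2^28 */
}

/* Hardened: reject a truncated header, a count whose product would wrap, and
 * a count that claims more records than the archive actually carries.
 * Returns 0 on success, -1 on rejection. */
int checked_table_bytes(const uint8_t *hdr, size_t hdr_len,
                        size_t payload_len, uint32_t *out_bytes) {
    if (hdr_len < 4) return -1;                    /* truncated header */
    uint32_t count = read_le32(hdr);
    if (count > UINT32_MAX / ELEM_SIZE) return -1; /* product would overflow */
    uint32_t bytes = count * ELEM_SIZE;
    if (bytes > payload_len) return -1;            /* claims more than present */
    *out_bytes = bytes;
    return 0;
}

int main(void) {
    /* Constructed headers: count = 0x10000001 and count = 4 (little-endian). */
    const uint8_t evil[4] = {0x01, 0x00, 0x00, 0x10};
    const uint8_t sane[4] = {0x04, 0x00, 0x00, 0x00};
    uint32_t bytes;
    printf("naive evil: %u bytes\n", naive_table_bytes(evil));      /* 16, wrapped */
    printf("checked evil: %d\n", checked_table_bytes(evil, 4, 64, &bytes)); /* -1 */
    if (checked_table_bytes(sane, 4, 64, &bytes) == 0)
        printf("checked sane: %u bytes\n", bytes);                  /* 64 */
    return 0;
}
```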

Cisco reports that all issues are now fixed, but as you can imagine, it may take some time until developers update all the apps where Libarchive was deployed with the library's latest version (v3.2.1).

At the start of May, Cisco's Talos team also helped the 7-Zip project fix a set of severe vulnerabilities in its software. 7-Zip is similar to Libarchive in that it, too, is included in many other software products.