Remediating CVE-2022-29072 7-zip Windows Privilege Escalation Vulnerability


The current version and some earlier versions of 7-Zip have a security vulnerability which could allow attackers to escalate privileges. The zero-day, tracked as CVE-2022-29072, exploits a misconfiguration of 7z.dll. Attackers can gain unauthorized access to a system when a file with the .7z extension is placed within the Help > Contents area; the resulting command then runs as a child process of the 7zFM.exe process.

At present, 7-Zip has not released a security update to address this vulnerability, which means that the current version, 21.07, is still vulnerable. Luckily there is a workaround available to mitigate the vulnerability, and in this blog I will cover the steps for implementing this workaround using ConfigMgr.

Workaround for mitigation

To remedy this vulnerability, the 7-zip.chm file in the 7-Zip installation directory needs to be deleted. This makes the help section of 7-Zip unusable, so attackers can no longer exploit it.

I have created simple .vbs scripts to detect and delete the 7-zip.chm file using Compliance settings in ConfigMgr. Through Compliance settings, you can manage configuration and settings on the devices in your organization. Configuration items (CIs) store the specific settings to check and remediate, and a configuration baseline evaluates the CIs you create.

The scripts being used are:

Detection x64:

' Detection script for the x64 install of 7-Zip.
' The echoed string is the value the ConfigMgr CI rule compares against.
Option Explicit
Dim filesys
Set filesys = CreateObject("Scripting.FileSystemObject")
If filesys.FileExists("C:\Program Files\7-Zip\7-zip.chm") Then
    WScript.Echo "File exists"
Else
    WScript.Echo "File does not exist"
End If

Detection x86:

' Detection script for the x86 install of 7-Zip (Program Files (x86)).
' The echoed string is the value the ConfigMgr CI rule compares against.
Option Explicit
Dim filesys
Set filesys = CreateObject("Scripting.FileSystemObject")
If filesys.FileExists("C:\Program Files (x86)\7-Zip\7-zip.chm") Then
    WScript.Echo "File exists"
Else
    WScript.Echo "File does not exist"
End If

Remediation x64:

' Remediation script for the x64 install: delete the help file if it is present.
' The second argument (True) forces deletion even if the file is marked read-only.
Option Explicit
Dim filesys
Set filesys = CreateObject("Scripting.FileSystemObject")
If filesys.FileExists("C:\Program Files\7-Zip\7-zip.chm") Then
    filesys.DeleteFile "C:\Program Files\7-Zip\7-zip.chm", True
End If

Remediation x86:

' Remediation script for the x86 install: delete the help file if it is present.
' The second argument (True) forces deletion even if the file is marked read-only.
Option Explicit
Dim filesys
Set filesys = CreateObject("Scripting.FileSystemObject")
If filesys.FileExists("C:\Program Files (x86)\7-Zip\7-zip.chm") Then
    filesys.DeleteFile "C:\Program Files (x86)\7-Zip\7-zip.chm", True
End If
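The four VBScript files above hardcode one path each, so the x64 and x86 cases need separate CIs. As an added example (my own code, not from the original post or from 7-Zip), the PowerShell script below handles both install locations in one detection/remediation pair and can be used as a ConfigMgr CI script setting or as an Intune detection/remediation script. It assumes the default install folders under Program Files and Program Files (x86); a custom install path would need $relativeHelpPath adjusted. Two caveats worth keeping in mind: deleting from Program Files needs administrative rights, so the script should run in the system context, and any reinstall or upgrade of 7-Zip ships the help file again, so detection will report non-compliant until the device is remediated once more.

```powershell
# Added example, not part of the original post or of 7-Zip: a single PowerShell script
# covering both 7-Zip install locations. Assumes the default install folders under
# Program Files / Program Files (x86); adjust $relativeHelpPath for custom installs.

# Set to $true in the copy used as the ConfigMgr remediation script (or the Intune
# remediation script); leave $false for the detection/discovery copy.
$Remediate = $false

$relativeHelpPath = '7-Zip\7-zip.chm'

function Get-SevenZipHelpPaths {
    # Candidate roots. ProgramW6432 is included because the script may run from a
    # 32-bit host, where $env:ProgramFiles already resolves to "Program Files (x86)".
    $roots = @($env:ProgramFiles, $env:ProgramW6432, ${env:ProgramFiles(x86)}) |
        Where-Object { -not [string]::IsNullOrEmpty($_) } |
        Select-Object -Unique
    foreach ($root in $roots) {
        Join-Path -Path $root -ChildPath $relativeHelpPath
    }
}

function Test-SevenZipHelpRemoved {
    # $true when no help file exists in any candidate location (device is compliant).
    $present = Get-SevenZipHelpPaths | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }
    return (-not $present)
}

function Remove-SevenZipHelpFile {
    # Deletes every 7-zip.chm found and returns the paths that were removed.
    # Writing to Program Files requires elevation, so run the CI/remediation as SYSTEM.
    $removed = @()
    foreach ($path in Get-SevenZipHelpPaths) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            Remove-Item -LiteralPath $path -Force -ErrorAction Stop
            $removed += $path
        }
    }
    return $removed
}

if ($Remediate) {
    Remove-SevenZipHelpFile | ForEach-Object { Write-Output "Deleted $_" }
}

# Output "Compliant"/"NonCompliant" for a ConfigMgr rule that compares the script's
# value, and exit 0/1 for Intune, which runs remediation on a non-zero detection exit.
if (Test-SevenZipHelpRemoved) {
    Write-Output 'Compliant'
    exit 0
}
else {
    Write-Output 'NonCompliant'
    exit 1
}
```

In ConfigMgr, paste the script with $Remediate left at $false as the discovery script and a copy with $Remediate set to $true as the remediation script, then build the compliance rule so that the value returned by the script must equal "Compliant".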

Now we will put all of this together in Compliance settings in ConfigMgr. I am creating two CIs, one for each installer architecture.

1. On the MECM console, navigate to \Assets and Compliance\Overview\Compliance Settings\Configuration Items.
2. Right click and select Create Configuration Item.
3. Configure the settings as shown below.

Detection: [screenshot of the x64 detection script setting]

Remediation: [screenshot of the x64 remediation script setting]

4. Repeat the same for the x86-based CI.

Detection: [screenshot of the x86 detection script setting]

Remediation: [screenshot of the x86 remediation script setting]

5. After creating the CIs, we will now create a baseline. Navigate to \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines.
6. Right click and select Create Configuration Baseline.
7. Configure the settings as shown below.

[screenshot of the configuration baseline settings]

8. Lastly, deploy the baseline with remediation enabled. Note: I do not recommend setting a recurrence schedule, as the vulnerability may be fixed in future releases of 7-Zip.

Conclusion

Until a fix is released, implementing the workaround seems like the only option. The .vbs scripts shared in this blog can also be used in Intune or any other deployment tool.
