Executive Summary

This vulnerability exists in 7-Zip versions 9.21 through 26.00 in the UEFI capsule (.scap) parser. Specifically, the OpenCapsule function allocates a heap buffer based on an attacker-declared size without zero-initializing it. When reading the file contents, if the file is truncated, the unread portion of the buffer contains uninitialized heap memory. This uninitialized memory is then exposed as part of the extracted file content, potentially leaking sensitive data.

The issue arises because the function discards the return value of the read operation, which could indicate a short read, leading to exposure of leftover heap memory. This vulnerability was fixed in version 26.0.1.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the exposure of uninitialized heap memory when extracting UEFI capsule files using vulnerable versions of 7-Zip. Because the exposed memory may contain sensitive information such as passwords, file paths, or other confidential data, an attacker could potentially access this information by crafting malicious archive files.

The GUI version of 7-Zip is particularly vulnerable due to its long-running nature, increasing the risk of leaking sensitive data over time.

The CVSS score of 6.5 indicates a medium severity with network attack vector, low attack complexity, no privileges required, but user interaction needed, and high confidentiality impact.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves uninitialized memory disclosure in the UEFI capsule parser of 7-Zip versions 9.21 through 26.00. Detection involves identifying if vulnerable versions of 7-Zip are present on your system.

You can check the installed 7-Zip version using the following command on Windows systems:

• 7z.exe --help or 7z.exe

Alternatively, check the version via the file properties of 7z.exe or by running:

• wmic datafile where name="C:\\Program Files\\7-Zip\\7z.exe" get Version

If the version is between 9.21 and 26.00 inclusive, the system is vulnerable.

Since this vulnerability is related to file extraction, monitoring for suspicious or malformed .scap (UEFI capsule) files being processed by 7-Zip could help detect exploitation attempts.

No specific network detection commands or signatures are provided in the resources.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade 7-Zip to version 26.0.1 or later, where this vulnerability has been fixed.

Avoid extracting untrusted or suspicious UEFI capsule (.scap) files using vulnerable versions of 7-Zip.

If upgrading immediately is not possible, consider restricting access to 7-Zip or disabling its use for processing .scap files to reduce exposure.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in 7-Zip's UEFI capsule parser can lead to uninitialized heap memory disclosure, potentially exposing sensitive data such as passwords or file paths. This exposure of sensitive information could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access or leaks.

Since the vulnerability allows extraction of uninitialized memory that may contain sensitive information, organizations using affected versions of 7-Zip might face increased risk of data breaches or unauthorized data exposure, which are critical concerns under these regulations.

Useful 0 Not Useful 0