CVE-2024-20697: 
vulnerability analysis and mitigation

CVE-2024-20697 is a Remote Code Execution vulnerability affecting Windows Libarchive. The vulnerability was discovered by the Microsoft Offensive Research & Security Engineering team and was disclosed in January 2024. It affects multiple versions of Windows systems including Windows 11 22H2, Windows 11 23H2, and Windows Server 2022 23H2 (NVD).

The vulnerability is an integer overflow in the Libarchive library, specifically in the handling of RARVM filter used for Intel E8 preprocessing within RAR archives. The issue occurs when processing a RAR archive containing a RARVM filter with a fingerprint field calculated as either 0x35AD576887 or 0x393CD7E57E. If the 5th register of the filter is set to a block length of 4, it causes an integer overflow in the loop condition, resulting in out-of-bounds memory access (ZDI). The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could result in arbitrary code execution in the context of the application using the vulnerable library. The vulnerability affects the confidentiality, integrity, and availability of the system with high severity impacts (ZDI).

Microsoft has released security patches to address this vulnerability in January 2024. It is recommended to apply the vendor patches to completely address this issue. Additional mitigation measures include not extracting RAR archive files from untrusted sources and implementing traffic filtering based on the detection guidance (ZDI).

Security researchers have provided detailed technical analysis of the vulnerability. Notably, Tavis Ormandy provided additional context about the historical background of RarVM and suggested that supporting these old filters might not be worth the security risk (OSS Security).