CVE-2022-29072 Detection: Flaw in 7-Zip Grants Hackers Excessive Permissions

April 18, 2022 · 2 min read

7-Zip versions up to and including 21.07 on Windows carry a reported security flaw. 7-Zip is one of the most widely used tools for compressing and packaging files, with a wide array of supported formats including 7z, ZIP, GZIP, BZIP2, and TAR.

The vulnerability, tracked as CVE-2022-29072, is reported to grant adversaries elevated access and command execution when a file with the .7z extension is dragged into the Help > Contents window.

Detect CVE-2022-29072

Use the Sigma rule below, developed by the SOC Prime Team, to detect attempts to exploit CVE-2022-29072 in a timely manner:

Possible 7-Zip CVE-2022-29072 Exploitation (via process_creation)

This detection is available for 22 SIEM, EDR & XDR platforms.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Privilege Escalation tactic with Exploitation for Privilege Escalation (T1068) as the primary technique.

Hunting professionally? Share your knowledge with other SOC experts, hunt for threats within 25+ supported SIEM, EDR, and XDR technologies, and see your detection content displayed in the SOC Prime’s vast library of rules.


CVE-2022-29072 Analysis & Mitigation

A privilege escalation vulnerability in probably the most widely used file compression tool would leave the doors wide open for threat actors. According to the original report, the zero-day referred to as CVE-2022-29072 springs from a misconfiguration of 7z.dll and a heap overflow. The current Windows version, 21.07, is said to grant attackers unauthorized access when a file with the .7z extension is dragged into the Help > Contents window: a command shell is spawned as a child process of 7zFM.exe. Note that the 7-Zip author has disputed the report, attributing the behaviour to the Windows HTML Help component rather than to 7-Zip itself, and the CVE record is marked as disputed; the detection and mitigation below are still worth applying while the question is open.
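The telemetry pattern the rule above keys on is a command shell created directly under 7zFM.exe. The following is an added example, not SOC Prime's Sigma rule or any 7-Zip project code: it applies that condition to constructed Sysmon Event ID 1 style process_creation events in JSON-lines form. The field names (Image, ParentImage, CommandLine, User) follow Sysmon conventions; the set of shell images is an assumed tuning choice, and the sample events are made up.

```python
"""Detection logic for the CVE-2022-29072 report: a shell spawned by 7zFM.exe.

Added illustration, not the published SOC Prime rule. Field names follow
Sysmon Event ID 1 / Sigma process_creation conventions; the sample events
below are constructed, not real telemetry.
"""
import json
from pathlib import PureWindowsPath

# Assumption: the 7-Zip file manager binary is 7zFM.exe (it is), and the
# children worth alerting on are interactive shells. Extend SHELL_IMAGES
# to taste; the page does not list the exact set the SOC Prime rule uses.
PARENT_IMAGE = "7zfm.exe"
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def image_name(path: str) -> str:
    """Case-insensitive file name of a Windows path ('C:\\x\\Cmd.EXE' -> 'cmd.exe')."""
    return PureWindowsPath(path).name.lower()


def is_7zip_shell_spawn(event: dict) -> bool:
    """Sigma-style condition: ParentImage ends with \\7zFM.exe AND Image is a shell."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent == PARENT_IMAGE and child in SHELL_IMAGES


def hunt(lines: list[str]) -> list[dict]:
    """Run the condition over JSON-lines telemetry and return the matching events."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue  # tolerate blank lines in exported logs
        event = json.loads(line)
        if is_7zip_shell_spawn(event):
            hits.append(event)
    return hits


# Constructed sample events (not real telemetry). Two should match:
#  1. cmd.exe under 7zFM.exe, the tree the report describes.
#  2. PowerShell.EXE under a short-path 7zFM.exe, to show case/path handling.
# The notepad.exe line is a benign viewer launched from inside an archive,
# which also runs as a child of 7zFM.exe but is not a shell.
SAMPLE_LINES = [
    r'{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\7-Zip\\7zFM.exe", "CommandLine": "cmd.exe", "User": "LAB\\alice"}',
    r'{"Image": "C:\\Windows\\notepad.exe", "ParentImage": "C:\\Program Files\\7-Zip\\7zFM.exe", "CommandLine": "notepad.exe readme.txt", "User": "LAB\\alice"}',
    r'{"Image": "C:\\Program Files\\7-Zip\\7zFM.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "7zFM.exe", "User": "LAB\\alice"}',
    r'{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe", "User": "LAB\\bob"}',
    r'{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.EXE", "ParentImage": "C:\\PROGRA~1\\7-Zip\\7zFM.exe", "CommandLine": "PowerShell.EXE -nop", "User": "LAB\\carol"}',
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LINES):
        print(f"ALERT 7zFM.exe -> {hit['Image']} as {hit['User']}: {hit['CommandLine']}")
```

Two caveats when tuning this in production. A user who double-clicks a .bat or .cmd file inside an archive also gets a cmd.exe child of 7zFM.exe, so expect occasional benign hits and review the CommandLine field. And a parent/child match alone says nothing about whether the shell is elevated; if your telemetry carries Sysmon's IntegrityLevel or an equivalent field, add it to the output so an analyst can tell a High-integrity shell from an ordinary one.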

The vulnerability has reportedly been exploited since April 12, 2022, and at the time of writing there is no patch available. On the bright side, deleting the 7-zip.chm file from the 7-Zip installation directory (by default C:\Program Files\7-Zip) is enough to remedy the issue; the only side effect is that Help > Contents no longer opens. After this simple step, attackers can no longer leverage the CVE-2022-29072 flaw.

New threats call for immediate action. SOC Prime helps you augment your defense capabilities with more scalable solutions. Register on SOC Prime's Detection as Code platform to enhance your threat discovery and threat hunting capabilities while streamlining your security operations in fast-paced security environments.
