Attacker Value
High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
1

CVE-2021-36976

Disclosure Date: July 20, 2021
CVE-2021-36976 CVSS v3 Base Score: 6.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).

Add Assessment

2
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Common in enterpriseUnauthenticatedVulnerable in default configurationRequires user interaction
Technical Analysis

This looks to be a Use-After-Free bug in libarchive 3.4.1 through 3.5.1 that was only recently patched by Microsoft in January 2021, though the details on this bug were public as early as June 2021 in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375. It remains unclear if this was fully fixed though as https://github.com/libarchive/libarchive/issues/1554 is still open which references https://github.com/libarchive/libarchive/pull/1491 as being the fix, yet that PR is on hold as of today (January 11th 2021), and that relies on https://github.com/libarchive/libarchive/pull/1492 which is in turn dependent on https://github.com/libarchive/libarchive/pull/1493. All of this leads to a bit of a confusing mess as to if this bug has truely been fixed or not.

This bug occurs in copy_string which is in turn called from do_uncompress_block and process_block. These functions exist within the libarchive/libarchive/archive_read_support_format_rar5.c file, as can be seen by looking at https://github.com/libarchive/libarchive/blob/411284e3f5819a5726622f3f129ebf2859f2d46b/libarchive/archive_read_support_format_rar5.c, and are related to parsing RAR5 archive files.

So what is RAR5 archive files? Well turns out according to https://www.remosoftware.com/info/differences-between-rar-and-rar5-compression that RAR4 was the default archive compression mechanism for RAR files. RAR5 is the new compression algorithm that is trying to rival 7ZIP and similar compression formats and is an evolution of the RAR4 format. The article also notes that right now WinRAR is the most likely program to open these newer file formats.

From this we can conclude that this bug most likely occurs when sending a user a RAR5 file and a Windows program that uses the system’s version of the libarchive library attempts to extract the RAR5 file, which will cause a UAF condition that, if controlled, could allow the attacker to gain RCE on a users computer.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • apple,
  • fedoraproject,
  • libarchive,
  • splunk

Products

  • fedora 35,
  • ipados,
  • iphone os,
  • libarchive,
  • macos,
  • universal forwarder,
  • universal forwarder 9.1.0,
  • watchos
Technical Analysis