The vulnerability “CVE 2022-29072“, where you can find the vulnerability, exploitation, mitigation methods, has been published at “https://github.com/kagancapar/CVE-2022-29072“. Up to “21.07“, the current version of 7zip, this vulnerability is affected. It allows for escalation. Its exploitation is also not very complex.
It is possible to detect the exploitation of the related vulnerability, after running 7zip.exe, by writing a rule in case of child processes PowerShell, cmd or a network connection.
Windows, AmigaOS, Unix, Linux.
Solution and CVE/CWE
7-Zip has yet to release a security update to fix this vulnerability. To fix this vulnerability, users only need to delete the 7-zip.chm file in the 7-Zip installation directory. After deletion, hackers can no longer exploit the CVE-2022-29072 vulnerability to escalate privileges.
You can also write a rule about this issue in your EDR products. The rule you will write can enable block action when the “cmd.exe” and “powershell.exe” sub-processes run from within the “7zFM.exe” and “FzGM.exe” processes.
Note: Those with a CVSS 3.1 score of 7.0-8.9 out of 10 are considered “high”, and those with 9.0-10.0 are considered “critical” vulnerabilities.