Cisco's Talos security team disclosed a vulnerability in the Lhasa LZH/LHA decompression tool and library that could allow remote code execution.
The issue is caused by an integer underflow condition in the LHA compression algorithm, Cisco Talos Security Outreach Manager Craig Williams told SCMagazine.com in emailed comments.
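The article does not describe where in Lhasa the underflow sits, so the following is an added illustration of the bug class rather than Lhasa's code or the specific check Talos reported: a header declares its own length, the parser subtracts a fixed header size from it to get the size of the variable part, and a declared length smaller than the fixed size wraps the unsigned subtraction into a huge read length. The 24-byte fixed part and the 2-byte little-endian length prefix are constructed for the example.

```c
/* Added illustration, not Lhasa's code: integer underflow in a
 * length-prefixed header and the bounds check that prevents it. */
#include <stddef.h>
#include <stdint.h>

#define FIXED_HDR_SIZE 24u   /* constructed: fixed part of the header */

/* Unsafe: when hdr_len < FIXED_HDR_SIZE the unsigned subtraction
 * wraps around, and the caller treats the result as a length to read. */
size_t ext_len_unchecked(uint16_t hdr_len) {
    return (size_t)hdr_len - FIXED_HDR_SIZE;
}

/* Safe: the declared length must cover the fixed part and must not
 * exceed the bytes actually available before any subtraction happens. */
int ext_len_checked(uint16_t hdr_len, size_t avail, size_t *out) {
    if (hdr_len < FIXED_HDR_SIZE || hdr_len > avail)
        return 0;
    *out = (size_t)hdr_len - FIXED_HDR_SIZE;
    return 1;
}

/* Parses a constructed header: 2-byte little-endian total length,
 * followed by the rest of the header. Returns 1 and the size of the
 * variable part on success, 0 if the header is rejected. */
int parse_header(const uint8_t *buf, size_t buf_len, size_t *ext_out) {
    if (buf_len < 2)
        return 0;
    uint16_t hdr_len = (uint16_t)(buf[0] | (buf[1] << 8));
    return ext_len_checked(hdr_len, buf_len, ext_out);
}

/* Constructed sample: 30-byte header that declares its length as 30,
 * so the variable part is 30 - 24 = 6 bytes. */
int demo_valid_header(void) {
    uint8_t buf[30] = { 0x1e, 0x00 };   /* remaining bytes zero-filled */
    size_t ext = 0;
    return parse_header(buf, sizeof buf, &ext) ? (int)ext : -1;
}

/* Constructed sample: declares a length of 10, smaller than the fixed
 * part; the checked parser rejects it instead of underflowing. */
int demo_short_header(void) {
    uint8_t buf[30] = { 0x0a, 0x00 };
    size_t ext = 0;
    return parse_header(buf, sizeof buf, &ext) ? (int)ext : -1;
}
```

Feeding the same 10-byte declaration to `ext_len_unchecked` yields a value near `SIZE_MAX`, which is the length a vulnerable decompressor would then try to read or copy.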
“What concerns me about this vulnerability is that the compression algorithm involved is very well known and quite old,” Williams said.
He said this could give a false sense of security that the tool uses stable code when it doesn't.
“Combine this with the fact that many anti-virus gateways and security appliances will decompress files so that they can be inspected and we have a perfect storm,” Williams said.
If the vulnerable library is used in a security appliance, an attacker could also send a specially crafted email file that compromises the device and allows remote code execution on the appliance itself, he added.
Williams said this would be an ideal foothold for an attacker to move laterally through the network.
Another possible attack vector is exploiting file scanning systems that use the Lhasa library to read the contents of LZH and LHA files, researchers said in a March 31 Talos blog post.
Williams recommends that anyone using an affected system upgrade to the latest version of Lhasa.
“Users can protect themselves by both upgrading and following best practices by not clicking on suspicious email attachments,” Williams said.