A vulnerability, tracked as CVE-2022-29072, was found in 7-Zip 21.07 that can be exploited through the 7-Zip help file (7-zip.chm). This post shows how to remediate it by deleting the 7-zip.chm file, in two ways: with a MECM (SCCM) configuration item and baseline, and with an Intune PowerShell script. The MECM configuration item removes the help file from the 64-bit 7-Zip regardless of version; the Intune script removes it only from version 21.07 (32- and 64-bit).
To mitigate this vulnerability you delete the 7-zip.chm file in the root of the 7-Zip installation folder (by default C:\Program Files\7-Zip for the 64-bit and C:\Program Files (x86)\7-Zip for the 32-bit 7-Zip). Deleting the file only removes the help file through which the issue is triggered; it does not patch 7-Zip, and a reinstall or repair of 7-Zip puts the file back, so keep the remediation evaluating on a schedule rather than running it once. You can delete the file manually, of course, but if you manage hundreds or even thousands of devices you want to automate this action.
So this post shows how you can automate this action with MECM (SCCM) and with Endpoint Manager (Intune).
Configuration Item (MECM)
NOTE: To make your life easier, I have published an export of the configuration item and baseline that you can import into your MECM console. You can change the discovery and remediation scripts after the import if you want.
Download the export of the configuration item and baseline and extract it.
Place the extracted Remove 7-zip.chm file CVE-2022-29072.cab in a location from which you can import it into your MECM console.
In your MECM console go to: \Assets and Compliance\Overview\Compliance Settings\Configuration Items.
Right-click in the right pane and select Import Configuration Data.
Click Add.
Select the Fix Remove 7-zip.chm file CVE-2022-29072.cab and click Open.
Click Yes.
Click Next >
You will see that this import creates both the Configuration Item and the Baseline. Click Next >
Click Close.
Now you can deploy the Configuration Baseline to a device collection. Note that, as imported, the Configuration Item detects the 64-bit 7-Zip help file for all versions; change the discovery and remediation scripts in the Configuration Item if you want different behaviour (for example, also covering 32-bit installations).
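As an added example (these are not the scripts from the export linked above), here is one script that can serve as both the discovery and the remediation script of such a configuration item. On the configuration item the setting is of type Script with data type String, and the compliance rule is "value returned by the specified script" equals Compliant. MECM runs the discovery script as SYSTEM and compares its output with that rule; the remediation script runs only when the rule is not met and Remediate noncompliant rules is checked on the deployment. Unlike the imported item this version covers both the 64-bit and the 32-bit installation folder and does not look at the 7-Zip version; the paths are the 7-Zip defaults and the $Remediate switch is my own convention.

```powershell
# Shared script for the configuration item: paste it into the Discovery script field with
# $Remediate = $false, and into the Remediation script field with $Remediate = $true.
# MECM compares the discovery output with the setting's compliance rule (equals 'Compliant').
# Added example, not the script from the export referenced in the post.
$Remediate = $false

function Get-SevenZipHelpFile {
    # Returns the full path of every 7-zip.chm found under the default 64-bit and 32-bit
    # installation folders. ${env:ProgramFiles(x86)} is empty on 32-bit Windows, hence the filter.
    @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ '7-Zip\7-zip.chm' } |
        Where-Object { Test-Path -LiteralPath $_ }
}

$found = @(Get-SevenZipHelpFile)

if ($Remediate) {
    foreach ($file in $found) {
        # -Force also removes a read-only copy; -ErrorAction Stop turns a failed delete into a
        # script error, so it is reported as a failure instead of being masked by 'Compliant'.
        Remove-Item -LiteralPath $file -Force -ErrorAction Stop
    }
    $found = @(Get-SevenZipHelpFile)   # re-check after deletion
}

# Discovery output: the only thing MECM compares against the compliance rule
if ($found.Count -eq 0) { Write-Output 'Compliant' } else { Write-Output 'NonCompliant' }
```

Because the remediation branch re-runs the check after deleting, the same output line is correct in both fields, and a baseline that evaluates on a schedule will remove the file again after a 7-Zip reinstall puts it back.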
Go to \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines, right-click the Delete 7-zip.chm file baseline and select Deploy.
Check Remediate noncompliant rules when supported and Allow remediation outside the maintenance window.
Browse to the collection you want to deploy to and set the evaluation schedule for the baseline. Click OK.
Now to see what happens on a device: right-click the Windows Start button, select Run, type control smscfgrc and click OK.
Go to the Actions tab, select Machine Policy Retrieval & Evaluation Cycle and click Run Now.
Go to the Configurations tab and click Refresh; the baseline you deployed now shows up. Click Evaluate. When the status is Compliant, the 7-zip.chm file has been removed.
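The two clicks above (Machine Policy Retrieval & Evaluation Cycle, then Evaluate on the baseline) can also be triggered from an elevated PowerShell prompt on the client, which is handier when you want to verify a batch of devices. This is an added example and not part of the original post; it uses the Configuration Manager client's WMI classes in root\ccm and root\ccm\dcm, and the baseline display name Delete 7-zip.chm file is the one from the deployment above.

```powershell
# Added example: trigger policy retrieval and baseline evaluation on a Configuration Manager client
# and read the result back, instead of clicking through control smscfgrc. Run elevated on the client.

$baselineName = 'Delete 7-zip.chm file'   # display name of the baseline deployed in the post

# Schedule ID of 'Machine Policy Retrieval & Evaluation Cycle' (the action on the Actions tab)
$machinePolicyCycle = '{00000000-0000-0000-0000-000000000021}'
Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
    -Arguments @{ sScheduleID = $machinePolicyCycle } | Out-Null

# Wait until the baseline policy has arrived on the client (the Refresh on the Configurations tab)
$baseline = $null
for ($i = 0; $i -lt 12 -and -not $baseline; $i++) {
    Start-Sleep -Seconds 10
    $baseline = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' |
        Where-Object { $_.DisplayName -eq $baselineName } |
        Select-Object -First 1
}
if (-not $baseline) {
    throw "Baseline '$baselineName' is not on this client yet; check the collection membership."
}

# Same as clicking Evaluate: TriggerEvaluation is a static method that takes the baseline's identity
Invoke-CimMethod -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' -MethodName 'TriggerEvaluation' `
    -Arguments @{
        Name       = $baseline.Name
        Version    = $baseline.Version
        PolicyType = $baseline.PolicyType
        IsEnforced = $baseline.IsEnforced
    } | Out-Null

Start-Sleep -Seconds 30   # evaluation and remediation run asynchronously

# LastComplianceStatus 1 means Compliant, the status the Configurations tab shows after remediation
$result = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' |
    Where-Object { $_.DisplayName -eq $baselineName } |
    Select-Object -First 1
[pscustomobject]@{
    Baseline     = $result.DisplayName
    Status       = $result.LastComplianceStatus
    LastEval     = $result.LastEvalTime
    HelpFileGone = -not (Test-Path -LiteralPath (Join-Path $env:ProgramFiles '7-Zip\7-zip.chm'))
}
```

The final Test-Path is the check that matters: a baseline reporting Compliant while the file is still present means the discovery script, not the device, needs attention.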
PowerShell script (Intune)
I found a detection script and a remediation script online and merged them into one script that detects and remediates in a single run. It checks for 7-zip.chm in both the 64-bit and the 32-bit Program Files folder, reads the file version of the 7zFM.exe next to it, and deletes the help file only when that version is 21.07.
#=============================================================================================================================
#
# Script Name: Remove 7-Zip 21.07 Help File (CVE-2022-29072)
# Description: Detection and remediation in one script for CVE-2022-29072 (7-Zip 21.07 help file).
#              Checks the default 64-bit and 32-bit 7-Zip folders and deletes 7-zip.chm only when
#              the 7zFM.exe next to it reports file version 21.07.
#              Run it in the 64-bit PowerShell host: in a 32-bit host $env:ProgramFiles points to
#              C:\Program Files (x86), so the 64-bit installation would never be checked.
#
#=============================================================================================================================

# ${env:ProgramFiles(x86)} is empty on 32-bit Windows, so drop empty entries before building paths.
$installDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ '7-Zip' }

$exitCode = 0
foreach ($dir in $installDirs) {
    $helpFilePath = Join-Path $dir '7-zip.chm'
    $exePath      = Join-Path $dir '7zFM.exe'

    # Nothing to do when the help file is absent (7-Zip not installed here, or already remediated).
    if (-not (Test-Path -LiteralPath $helpFilePath)) { continue }

    try {
        # Get-Item throws when 7zFM.exe is missing, so it belongs inside the try block.
        $fileVersion = (Get-Item -LiteralPath $exePath -ErrorAction Stop).VersionInfo.FileVersion
        if ($fileVersion -eq '21.07') {
            Remove-Item -LiteralPath $helpFilePath -Force -ErrorAction Stop
            Write-Output "Removed $helpFilePath (7-Zip $fileVersion)"
        }
        else {
            Write-Output "Left $helpFilePath in place (7-Zip $fileVersion is not 21.07)"
        }
    }
    catch {
        Write-Error $_.Exception.Message
        $exitCode = 1
    }
}
exit $exitCode
Log in to the Microsoft Endpoint Manager admin center and go to Devices – Scripts. Click Add and select Windows 10 and later.
Enter a Name (required) and a Description (optional), then click Next.
Select the script you saved by clicking Select a file, then click Next.
If you deploy the script to 64-bit Windows 10, set Run script in 64 bit PowerShell Host to Yes; in the 32-bit host $env:ProgramFiles resolves to C:\Program Files (x86), so the 64-bit 7-Zip installation would be missed. Leave Run this script using the logged on credentials at No, because deleting a file under Program Files needs SYSTEM or administrator rights.
Assign the script to a device group or to All devices. I deploy it to all devices here, but I recommend deploying it to a test group before deploying it to all devices. Click Next.
Click Add.
Let's log on to an Intune-managed device to check that the script works.
Open the Company Portal app, go to Settings and click Sync.
The log files of the Intune Management Extension are located in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
Open IntuneManagementExtension.log to confirm that the script was downloaded and executed.
The 7-zip.chm file has been deleted from the 7-Zip folder.