Critical Vulnerabilities in ZIP libraries of Swift and Flutter
Take action: Not a panic-mode patch for Flutter and Swift, but nonetheless a good lesson on proper handling of ZIP files. And please do update your versions of Flutter and Swift if you are handling ZIP files.
A number of vulnerabilities have been discovered in widely used ZIP libraries of Swift and Flutter. These vulnerabilities could be exploited by attackers to gain unauthorized access to sensitive data or to disrupt the operation of applications.
Swift and Flutter are both used to develop mobile apps.
- Swift is a programming language developed by Apple Inc. and the open-source community. It was first released in 2014 as the successor to Objective-C. It is used to develop iOS, macOS, watchOS, tvOS, and Linux apps.
- Flutter is an open-source, cross-platform UI toolkit developed by Google. It allows developers to build native-looking apps for iOS, Android, web, and desktop from a single codebase.
ZIP files are commonly used to compress and package software, documents, and other files for distribution in a single archive. In their ZIP form they are seen as safe, since opening one will just uncompress the content. This is why archives are an excellent medium for cyber attacks and for transporting malware if there are vulnerabilities in the tools that open these compressed files. We have already seen a similar exploit with WinRAR.
The vulnerabilities that have been discovered can be categorized into four types:
- CVE-2023-39135 (CVSS3 score 9.8), CVE-2023-39138 (CVSS3 not scored yet) - ZIP Path Traversal - This vulnerability occurs when an application does not properly validate the filenames of files in a ZIP file. This can allow an attacker to create a malicious ZIP file that contains a file with a filename that points to a sensitive location on the victim's system.
- CVE-2023-39137 (CVSS3 score 7.5) - ZIP File Name Spoofing - This vulnerability occurs when an application only parses the filename from the Local File Header of a ZIP file. This can allow an attacker to create a malicious ZIP file that has different filenames in the Local File Header and the Central Directory Entry.
- CVE-2023-39139 (CVSS3 score 8.1) - ZIP Symlink Path Traversal - This vulnerability occurs when an application does not properly check the path of a symlink that is extracted from a ZIP file. This can allow an attacker to create a malicious ZIP file that contains a symlink that points to a sensitive location on the victim's system.
- CVE-2023-39136 (CVSS3 score 6.5) - ZIP Bomb - This vulnerability occurs when a ZIP file contains an enormous amount of compressed data. This can cause the application that extracts the ZIP file to run out of memory or CPU resources, resulting in a denial-of-service attack.
The vulnerabilities that have been discovered have been reported to the authors of the affected ZIP libraries. Developers are advised to update to the latest versions of these libraries to protect their applications from attack.
In addition to updating their software, developers can also take steps to mitigate the risk of these vulnerabilities being exploited. These steps include:
- Sanitize the filenames before extracting them from ZIP files.
- Check the paths of symlinks before extracting them from ZIP files.
- Limit the amount of data that can be extracted from ZIP files.
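A defensive extraction routine that applies the three mitigations above, written in Python as an added example (it is not code from the advisory or from the affected Swift and Flutter libraries): it validates every filename taken from the central directory, rejects symlink entries, and budgets the decompressed size before and during extraction. The archives it checks are constructed by make_zip; the 1 MiB budget and the 100x compression-ratio cap are assumed values chosen for the example.

```python
import io, os, shutil, stat, tempfile, zipfile

def check_member(info: zipfile.ZipInfo, root: str) -> str:
    # Validate one central-directory entry; return its target path or raise ValueError.
    name = info.filename.replace("\\", "/")
    if name.startswith("/") or ".." in name.split("/"):       # path traversal (CVE-2023-39135/-39138)
        raise ValueError(f"traversal attempt: {name!r}")
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:              # resolved path must stay under root
        raise ValueError(f"escapes destination: {name!r}")
    if stat.S_ISLNK(info.external_attr >> 16):                  # Unix mode lives in the high 16 bits
        raise ValueError(f"symlink rejected: {name!r}")         # symlink traversal (CVE-2023-39139)
    return target

def safe_extract(data: bytes, dest: str, max_total: int) -> list[str]:
    # Extract an in-memory archive into dest with every check enforced; return the names written.
    root, declared, written = os.path.realpath(dest), 0, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():                              # central directory, not local headers
            target = check_member(info, root)
            declared += info.file_size                          # zip bomb (CVE-2023-39136): cap the total
            if declared > max_total or info.file_size > 100 * max(info.compress_size, 1):
                raise ValueError(f"size budget exceeded: {info.filename!r}")  # and the ratio (100x assumed)
            if info.is_dir():
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # zf.open() raises BadZipFile when the local header name differs from the central directory name (CVE-2023-39137).
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)                    # ZipExtFile stops at the declared size; a decoder that does not must count bytes written
            written.append(info.filename)
    return written

def make_zip(entries: dict[str, bytes], symlinks: frozenset = frozenset()) -> bytes:
    # Build a constructed test archive; names listed in symlinks are stored as Unix symlinks.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            info = zipfile.ZipInfo(name)
            if name in symlinks:
                info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def try_extract(data: bytes, max_total: int = 1 << 20) -> str:
    # Extract into a fresh temp dir; return the written names or the rejection reason.
    try:
        return "ok " + " ".join(safe_extract(data, tempfile.mkdtemp(), max_total))
    except ValueError as exc:
        return str(exc).split(":")[0]
```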