A high-severity vulnerability has been fixed in WinRAR, the popular file archiver utility for Windows used by millions, that can execute commands on a computer simply by opening an archive, writes Bleeping Computer*.
The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.
The vulnerability was discovered by researcher “goodbyeselene” of Zero Day Initiative, who reported the flaw to the vendor, RARLAB, on June 8th, 2023.
“The specific flaw exists within the processing of recovery volumes,” reads the security advisory released on ZDI’s site.
“The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer.”
As a target needs to trick a victim into opening an archive, the vulnerability’s severity rating drops down to 7.8, as per the CVSS. However, from a practical perspective, deceiving users into performing the required action shouldn’t be overly challenging, and given the vast size of WinRAR’s user base, attackers have ample opportunities for successful exploitation.
Commentary by Thomas Uhlemann, Security Specialist at ESET
WinRAR is definitely an attractive target for cybercriminals, being abused in attacks on “air-gapped” networks and email attacks alike. This is because it is used by millions of users world-wide but almost none pay for the full version and will never get an automatic update of the software. It’s safe to say that the majority of installations are outdated and quite a big portion most likely will never see an update.
But other points are also interesting for attackers, such as direct memory access, since in order to compress and decompress files, they need to be temporarily stored in RAM. Yet another interesting aspect is the ability to include scripts and links to files outside the archive. There have been many adaptions in form of updates and patches to mitigate potential abuse of (un-)archiving tools, but they remain an attack vector to count with.
Users are advised to regularly check for updates of all software they’re using, especially the free one. There’s also alternatives to WinRAR which are able to extract a variety of archives and are automatically updated by their developers. Using security software which is able to scan all kinds of archives before they’re extracted by the user, is also good practice.
*ESET does not bear any responsibility for the accuracy of this information.
ESET Ireland 