I don't know how common WinRAR is among the blog readers. The WinRAR developers have fixed a critical code execution vulnerability (CVE-2023-40477) in the software. Opening a compromised archive file is enough to allow attackers to execute arbitrary code on the victim's system. Anyone who uses WinRAR should therefore install the latest version, 6.23. Addendum: It was suspected that software products containing the WinRAR libraries are also affected, but that seems not to be true.
What is WinRAR?
WinRAR is a file archiving program that runs under Windows and is used by millions of users. The program can be used to create archives in RAR or ZIP file format, display them and unpack numerous archive file formats. WinRAR supports the creation of encrypted, multi-part and self-extracting archives. To allow the user to verify the integrity of archives, WinRAR embeds CRC32 or BLAKE2 checksums for each file in each archive.
Vulnerability CVE-2023-40477 in WinRAR
A vulnerability that has to be classified as highly problematic has now been discovered in older versions of the program. I became aware of this vulnerability via various media reports as well as via a tweet. The problem was discovered by the Zero Day Initiative, which documented the vulnerability in a post from August 17, 2023.
CVE-2023-40477 (RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability) is a code execution vulnerability that has been assigned a CVSS score of 7.8. It allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file, the disclosure states.
The vulnerability exists in the processing of recovery volumes and results from a lack of proper validation of user-supplied data. This can lead to memory access beyond the end of an allocated buffer. An attacker can exploit this vulnerability to execute code in the context of the current process.
The vulnerability was reported to the developer on June 8, 2023, and the vendor released WinRAR 6.23 on August 2, 2023. The vulnerability was disclosed on August 17, 2023. Information about the updated version and more details can be found in this article.
Software using WinRAR libraries also affected
Addendum: The libraries "unrar.dll" and "unrar64.dll" used by WinRAR are also used in some software products (I heard about 400 affected products, including virus scanners). If old versions of the libraries are used there, the vulnerability mentioned above also exists there. Andreas Marx from AV-Test recently contacted the German site heise Security and pointed this out.
And in the case of virus scanners, this is even more critical than with WinRAR, since the anti-virus software usually runs with elevated privileges. It is therefore important to check whether the libraries can be found on a Windows system and whether the updated versions have been installed via the software in question.
Addendum 2: Martin Brinkmann at ghacks.net has updated this article. According to the WinRAR developer, the two WinRAR library files mentioned above should not have the vulnerability, or third-party applications cannot exploit CVE-2023-40477. However, it is advised to update the respective third-party software that uses the libraries to the latest version. Thanks to TomTom for the tip.
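The check described above (finding copies of unrar.dll and unrar64.dll on a Windows system and seeing which versions are installed) can be scripted. The following PowerShell is an added example, not part of the original article or any vendor tool; the search roots are assumptions, as is the premise that the file version resource of WinRAR.exe mirrors the release number 6.23.

```powershell
# Added example: inventory WinRAR and bundled UnRAR libraries on one machine.
# Assumption: these search roots cover typical install locations; extend as needed.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:LOCALAPPDATA) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$names = 'unrar.dll', 'unrar64.dll', 'WinRAR.exe'
$fixed = [version]'6.23'   # fixed WinRAR release named in the article

# Walk the roots; unreadable directories are skipped instead of aborting the scan.
$files = Get-ChildItem -Path $roots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Name }

$report = foreach ($f in $files) {
    $vi  = $f.VersionInfo
    # Build a comparable version from the numeric parts (0.0.0.0 if no version resource).
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                          $vi.FileBuildPart, $vi.FilePrivatePart)

    if ($f.Name -ieq 'WinRAR.exe') {
        # Assumption: WinRAR.exe's file version tracks the release number.
        $status = if ($ver -lt $fixed) { 'UPDATE: older than 6.23' } else { 'ok' }
    } else {
        # No fixed library version is given in the article, so only flag for review:
        # the path shows which third-party product ships this copy.
        $status = 'review: update the product that ships this library'
    }

    [pscustomobject]@{
        Path        = $f.FullName
        FileVersion = $ver
        Product     = $vi.ProductName
        Modified    = $f.LastWriteTime.ToString('yyyy-MM-dd')
        Status      = $status
    }
}

if ($report) {
    $report | Sort-Object Path | Format-Table -AutoSize -Wrap
} else {
    'No WinRAR.exe, unrar.dll or unrar64.dll found under the searched roots.'
}
```

Run it from an elevated prompt so that protected directories are readable; the parent folder of each library hit identifies the third-party software to update.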