Warning: WinRAR vulnerability CVE-2023-38831 is exploited by Chinese and Russian hackers

Warning to users of the WinRAR archive program: various state-sponsored threat actors from Russia and China are trying to exploit a vulnerability in the WinRAR archiving tool for Windows. Through the CVE-2023-38831 vulnerability, attackers can execute arbitrary code when a user unpacks an archive. Affected are WinRAR versions prior to 6.23; WinRAR 6.24 is currently available.

The attacks were uncovered by the Google Threat Analysis Group (TAG). The Hacker News points out these facts in this article as well as in the following post.

Attacks since April 2023

WinRAR is a commonly used file archiving tool for Windows. According to the Google Threat Analysis Group (TAG), several government-backed hacking groups have been observed exploiting the known CVE-2023-38831 vulnerability in WinRAR in recent weeks. The groups named include FROZENBARENTS (also known as Sandworm), FROZENLAKE (also known as APT28) and ISLANDDREAMS (also known as APT40). The attacks began back in early 2023, at a time when the WinRAR vulnerability CVE-2023-38831 was not yet publicly known.

Vulnerability CVE-2023-38831

Vulnerability CVE-2023-38831 became public on August 23, 2023 and carries a CVSS 3 score of 7.8 (high or critical). I had reported on the vulnerability in the post WinRAR Code Execution Vulnerability CVE-2023-40477.

The vulnerability allows attackers to execute arbitrary code when a user tries to view a harmless file inside a ZIP archive. The problem is that a ZIP archive can contain a harmless file (such as an ordinary JPG) and a folder with the same name as that file; when the user tries to open only the harmless file, the contents of the folder (which can include executable content) are processed as well.
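As an added illustration (not code from the original post, nor from RARLAB or Google), the following Python script checks a ZIP archive for the layout just described: a regular file and a folder that share a name. The archive, its entry names and contents are constructed for this example; names are compared after stripping trailing whitespace so that a padded variant of the file name is flagged as well.

```python
import io
import posixpath
import zipfile


def find_name_collisions(zip_bytes: bytes) -> list:
    """Return sorted (file_entry, directory_entry) pairs for every regular
    file in the archive that shares its name with a directory, whether the
    directory is an explicit entry ("name/") or only implied by a deeper
    path ("name/child").  Names are compared after stripping trailing
    whitespace so a padded variant of the file name is flagged as well."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files, dirs = {}, {}
    for name in names:
        if name.endswith("/"):
            dirs.setdefault(name[:-1].rstrip(), name)
            continue
        files.setdefault(name.rstrip(), name)
        # Every parent component of a file path is an implied directory.
        parent = posixpath.dirname(name)
        while parent:
            dirs.setdefault(parent.rstrip(), parent + "/")
            parent = posixpath.dirname(parent)
    return sorted((files[k], dirs[k]) for k in files.keys() & dirs.keys())


def build_sample(with_collision: bool) -> bytes:
    """Build a small constructed archive in memory: a decoy image entry and,
    optionally, a same-named folder holding a script-like entry.  All names
    and contents here are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", b"constructed text")
        zf.writestr("photo.jpg ", b"\xff\xd8\xff\xe0 constructed bytes")
        if with_collision:
            zf.writestr("photo.jpg /photo.jpg .cmd", b"echo constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        hits = find_name_collisions(build_sample(flag))
        print("collision" if hits else "clean", hits)
```

A hit is a reason to quarantine the archive for inspection, not proof of malice, since some legitimate tools do emit such layouts.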

The vulnerability was discovered on July 10, 2023, by Group-IB analysts during their investigation of the DarkMe malware. The analysts believe the vulnerability has been exploited since April 2023. Packet Storm Security documented further details in this post dated September 8, 2023. According to NIST, this vulnerability was exploited between April and October 2023. All older WinRAR versions before 6.23 are affected.


The RARLAB team fixed the vulnerability in August 2023 with WinRAR version 6.23. However, not all users seem to have updated their WinRAR installation to at least version 6.23 yet.
