
August 22, 2023

Specially crafted WinRAR files could allow remote code execution


RARLAB has released a patch to fix a flaw in WinRAR, the popular Windows file archiver utility, that could allow remote attackers to execute arbitrary code when the target opens a specially crafted RAR file. The bug, designated CVE-2023-40477, is the result of inadequate validation of user-supplied data, which allows access to memory past the end of the allocated buffer. Successful exploitation of CVE-2023-40477 requires the target to open the malicious archive file, delivered via phishing or other methods.

CVE-2023-40477 was discovered by security researchers in June 2023 and responsibly disclosed to the vendor, RARLAB, which fixed the issue in WinRAR version 6.23, released in August.

Source: Bleeping Computer

Analysis

WinRAR's large user base and familiarity make it a popular choice for exploitation and misuse. In May 2023, it was reported that Russian hackers leveraged their access to sensitive Ukrainian government systems to archive and delete files using a function native to WinRAR. The hackers likely chose WinRAR for this purpose because it is unlikely to be detected by host-based anti-virus programs, unlike the custom-built wipers that have become associated with Russian hackers since the beginning of Russia's invasion of Ukraine.

Mitigation

Field Effect's elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software like WinRAR. This research contributes to the timely deployment of signatures into Covalence, our flagship security solution, to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.

Field Effect strongly encourages users of WinRAR to update to the latest version as soon as possible.
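As an added example (not part of the Field Effect advisory or a Covalence component), the following PowerShell script audits a single Windows host for WinRAR installations older than 6.23, the version RARLAB shipped with the fix for CVE-2023-40477. It assumes WinRAR registered itself under the standard Uninstall registry keys or lives in its default Program Files directory; the version comparison treats anything below 6.23 as unpatched.

```powershell
# Added example, not from the advisory: flag WinRAR installs older than the
# fixed release (6.23) for CVE-2023-40477 on the local Windows host.
$FixedVersion = [version]'6.23'

# Standard locations where installers register themselves (assumption: WinRAR did so)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-VersionOrNull([string]$text) {
    # Strip anything that is not a digit or dot (e.g. "6.22.0 (64-bit)") before parsing
    $parsed = $null
    if ([version]::TryParse(($text -replace '[^\d.]', ''), [ref]$parsed)) { return $parsed }
    return $null
}

function Get-WinRarInstalls {
    $found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        ForEach-Object {
            $v = ConvertTo-VersionOrNull $_.DisplayVersion
            [pscustomobject]@{
                Source     = 'Registry'
                Name       = $_.DisplayName
                Version    = $v
                Vulnerable = if ($v) { $v -lt $FixedVersion } else { $null }  # $null = could not parse
            }
        }
    if ($found) { return $found }

    # Fallback for installs with no Uninstall entry: read the binary's file version directly
    foreach ($exe in @("$env:ProgramFiles\WinRAR\WinRAR.exe", "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe")) {
        $file = Get-Item -Path $exe -ErrorAction SilentlyContinue
        if (-not $file) { continue }
        $v = ConvertTo-VersionOrNull $file.VersionInfo.FileVersion
        [pscustomobject]@{
            Source     = $exe
            Name       = 'WinRAR'
            Version    = $v
            Vulnerable = if ($v) { $v -lt $FixedVersion } else { $null }
        }
    }
}

$installs = @(Get-WinRarInstalls)
if ($installs.Count -eq 0) {
    Write-Output "No WinRAR installation found on $env:COMPUTERNAME"
} else {
    $installs | Format-Table -AutoSize
    $installs | Where-Object { $_.Vulnerable -eq $true } | ForEach-Object {
        Write-Warning "$($_.Name) $($_.Version) on $env:COMPUTERNAME is older than $FixedVersion; update to address CVE-2023-40477"
    }
}
```

Run it through your usual remote-execution or endpoint-management tooling to collect results fleet-wide; an entry whose Vulnerable column is blank means the version string could not be parsed and should be checked by hand.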
