A vulnerability in the popular archiver WinRAR became known last weekend and has been fixed in the new version 6.23. Subsequently, it turned out that the program, before this update, had another security hole that was being exploited by hackers. The consequences of these bugs can be serious, as the vulnerabilities affect other software as well.
It was already known that the WinRAR archiver contains a vulnerability that attackers can use to execute arbitrary code; it is tracked as CVE-2023-40477 and rated 7.8 out of 10 (high). The problem lies in incorrect validation of data in the so-called recovery volumes of RAR archives, which allows access to memory outside the allocated buffer. Attempting to open such a specially crafted archive will execute the malicious code.
Later, Group-IB researchers reported the CVE-2023-38831 vulnerability (not yet scored), which has been exploited since April by an unknown hacker group targeting brokerage house employees. It allows malicious scripts to be disguised as seemingly harmless JPG and TXT files: double-clicking on such a file inside the archive launches the script instead.
Both vulnerabilities have been fixed. Rarlab is also responsible for the unrar.dll and unrar64.dll libraries, which are likely vulnerable as well and are bundled with many other programs. The suspicion arose with an update to the file manager Total Commander, no less iconic than WinRAR itself: the release notes for build 11.01 RC1 state that a critical vulnerability in the unrar.dll library has been fixed, and the library is now offered as a separate download to be loaded when needed. Program developer Christian Ghisler later explained in the project forum: “No one knows if unrar.dll is also vulnerable or if it is WinRAR itself. But since I’m currently preparing the release of TC 11.01, I’ll include the new Unrar libraries in it anyway.”
The German cybersecurity institute AV-Test stated that its database contains more than 400 programs using unrar.dll and unrar64.dll, including antivirus programs. These libraries will likely be replaced in upcoming updates of all of those programs. Windows should not be forgotten either: its Explorer will soon receive integrated support for RAR archives. Here, too, there is a nuance: the open Rarlab library is written in C++, while Explorer's RAR support is built on the libarchive code, a separate implementation written in C. So if the vulnerability somehow affects libarchive as well, Microsoft needs to fix it before shipping the public Windows update in which Explorer supports RAR.
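Because so many programs ship their own copy of Rarlab's library, the practical question for an administrator is which bundled copies are still sitting on a machine after WinRAR itself has been updated. The script below is an added example, not code from the article, Rarlab or any of the vendors mentioned: it walks the usual installation directories, lists every unrar.dll and unrar64.dll it finds with the file version embedded in the DLL, and flags copies older than a threshold. The threshold and the search roots are assumptions; the article names WinRAR 6.23 but not the version number of the fixed DLL, so set $MinimumVersion to the version of the library you actually roll out.

```powershell
# Added example: inventory bundled unrar.dll / unrar64.dll copies on a Windows host.
# $SearchRoots and $MinimumVersion are assumptions, not values from the article.
param(
    [string[]] $SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA),
    [version]  $MinimumVersion = [version]'6.23'   # placeholder: use the fixed DLL version you deploy
)

function Get-UnrarLibraryInventory {
    param([string[]] $Roots, [version] $Minimum)

    $Roots |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        ForEach-Object {
            # Recurse through each root; access-denied folders are skipped rather than aborting the scan.
            Get-ChildItem -LiteralPath $_ -Recurse -File -Include 'unrar.dll', 'unrar64.dll' -ErrorAction SilentlyContinue
        } |
        ForEach-Object {
            # FileVersion comes from the DLL's version resource; strip anything that is not a digit or dot
            # so strings such as "6.23.0.0" parse cleanly, and report 'unknown' when they do not.
            $raw    = $_.VersionInfo.FileVersion
            $parsed = $null
            $ok     = [version]::TryParse(($raw -replace '[^\d.]', ''), [ref] $parsed)
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $raw
                Outdated    = $(if ($ok) { $parsed -lt $Minimum } else { 'unknown' })
                LastWrite   = $_.LastWriteTime
            }
        }
}

# Outdated copies (and copies whose version could not be read) are listed first.
Get-UnrarLibraryInventory -Roots $SearchRoots -Minimum $MinimumVersion |
    Sort-Object Outdated -Descending |
    Format-Table -AutoSize
```

The Path column tells you which installed program owns each copy, which is the list of vendors whose updates you then need to wait for or chase; a copy reported as 'unknown' has no parseable version resource and should be checked by hand, for example by comparing its hash against the library shipped with the fixed release.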