WinRAR vulnerable to remote code execution, patch now! (CVE-2023-40477)

RARLAB has fixed a high-severity RCE vulnerability (CVE-2023-40477) in the popular file archiver tool WinRAR.

About CVE-2023-40477

A widely used Windows-only utility, WinRAR can create and extract file archives in various compression formats (RAR, ZIP, CAB, ARJ, LZH, TAR, GZip, UUE, ISO, BZIP2, Z and 7-Zip).

CVE-2023-40477 is a remote code execution vulnerability that could allow remote threat actors to execute arbitrary code on an affected WinRAR installation.

“The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer,” the Zero Day Initiative security advisory explains.

The vulnerability can be exploited remotely and may allow attackers to execute code in the context of the current process, but the flaw’s CVSS score (7.8) does not single it out as critical. The main reason for this is that exploitation requires user interaction – but getting users to download and open a booby-trapped RAR file delivered via email or other means is not very difficult.

What to do?

Easily exploitable WinRAR vulnerabilities do not surface often, but when they do, attackers take note.

Case in point: in 2019, a WinRAR vulnerability (CVE-2018-20250) that allowed attackers to extract a malicious executable to one of the Windows Startup folder has been exploited by attackers to deliver persistent malware. Though, in that particular case, POC exploit code was publicly available.

RARLAB has released a security update to address CVE-2023-40477 and WinRAR users should manually update to version 6.23 as soon as possible, since the software does not have the auto-update option.

In general, you should not be opening any file you receive (unsolicited or not) without scanning it for malware first.