WinRAR security issue more wide-reaching than thought [Update]

A recently disclosed security issue in the archiving software WinRAR affects other software programs as well.
The developers of WinRAR released version 6.23 of the popular archiving software earlier this month. The release included a security fix for an out-of-bounds memory access issue. Malicious actors can exploit the vulnerability to execute code on devices that run earlier versions of WinRAR.
Users who open specially crafted WinRAR archives on their devices may fall prey to the attack. Downloading such a specially crafted archive and opening it on the user's system is sufficient to allow attackers to execute arbitrary code on the device.
The issue, identified as CVE-2023-40477, is a high-severity vulnerability in the processing of recovery volumes. WinRAR 6.23 addresses the vulnerability, and WinRAR users should install the update as soon as possible to protect their devices against potential exploits.
Update: we confirmed with WinRAR that the two DLL files are not vulnerable to the security issue. While it may still make sense to update these to the latest version, the reported security issue can't be exploited in third-party programs that utilize these libraries.
The libraries unrar.dll and unrar64.dll, used by third-party applications, are also vulnerable. While some applications have released updates to resolve the issue, others are still using older versions of the library files, which remain vulnerable.
Administrators and home users may want to run searches for the two library files on their devices, or check the directories of applications that use the files specifically, to find out if patched versions are installed.
The files' last-modified dates may also provide clues. If the last update was released before August 2, 2023, the library files are likely vulnerable. Opening RAR archives in these third-party applications may therefore also expose users to attacks targeting the vulnerability.
Microsoft is currently testing the integration of support for various archive formats, including RAR but also 7-Zip and others, in its Windows 11 operating system. The Windows 11 implementation relies on libarchive and not on the two RAR library files.
WinRAR users may select Help > About WinRAR in the application to display the installed version. The latest version of WinRAR can be downloaded from the official website.
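The two checks described above (finding bundled copies of unrar.dll and unrar64.dll with their dates, and reading the installed WinRAR version) can be done from PowerShell in one pass. This is an added example, not code from the article or from WinRAR; it assumes the default WinRAR install paths and an illustrative set of search roots, and uses only built-in cmdlets. Following the update above, it reports the DLLs' version and date for currency checking rather than flagging them as exploitable.

```powershell
# Added example, not from the article: inventory WinRAR and bundled unrar DLLs on a Windows host.
# Assumptions: default WinRAR install paths; the search roots are illustrative and can be extended.
$FixedVersion = [version]'6.23'
$FixDate      = Get-Date '2023-08-02'   # WinRAR 6.23 final release date, from the article

function Get-FileVersionObject {
    # Build a [version] from the numeric parts so trailing text in FileVersion cannot break the cast.
    param([System.IO.FileInfo]$File)
    $vi = $File.VersionInfo
    [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Get-WinRarStatus {
    # Same information as Help > About WinRAR, read from WinRAR.exe's version resource instead.
    $candidates = @("$env:ProgramFiles\WinRAR\WinRAR.exe", "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe")
    foreach ($p in $candidates | Where-Object { $_ -and (Test-Path $_) }) {
        $v = Get-FileVersionObject (Get-Item $p)
        [pscustomobject]@{
            Path    = $p
            Version = $v
            Status  = if ($v -ge $FixedVersion) { 'patched (6.23 or later)' } else { 'UPDATE NEEDED (pre-6.23)' }
        }
    }
}

function Find-UnrarDll {
    # Locate unrar.dll / unrar64.dll shipped by third-party apps; report version and last-write date.
    # Per the article's update the DLLs lack the recovery-volume code, so OlderThanFix only tells you
    # whether the bundling application has shipped a post-fix build, not that the DLL is exploitable.
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                               "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:LOCALAPPDATA))
    $existing = $Roots | Where-Object { $_ -and (Test-Path $_) }
    Get-ChildItem -Path $existing -Recurse -Include 'unrar.dll', 'unrar64.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                Version       = Get-FileVersionObject $_
                LastWriteTime = $_.LastWriteTime
                OlderThanFix  = $_.LastWriteTime -lt $FixDate
            }
        }
}

Get-WinRarStatus | Format-Table -AutoSize
Find-UnrarDll    | Sort-Object LastWriteTime | Format-Table -AutoSize
```

Run it from an elevated prompt so Program Files and System32 are fully readable; entries whose Version is blank are DLLs without a version resource and should be compared by date alone.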
Now You: do you use WinRAR or another software to open and create archives?

@John G: I might bring to your attention that, for your perceived safety, you may need to dig a bit deeper than directly finding such files exposed.
Some apps temporarily drop a file to disk just before needing Windows to load it, do their thing, then remove it again. Others have them compiled in from public sources.
Not going to dig up all the details for you, but there should be some CERT/CVE advisories you can look at.
Admittedly, this is more general advice than pertaining specifically to the usage of unrar.
I remember too well some of the trouble with zlib in past years. Some old vulnerable versions are still being distributed, e.g. with older games on Steam and GOG.
Other apps are simply built with the old source code for those vulnerable versions, and no one ever bothered to check what version it was based on (back before it became standard to pull an updated one from GitHub or another trusted source). And never updated since.
For years on end it was an “open secret” that ImageMagick was badly compromised by it. Some of you may understand how big a deal that was and why it was not said openly until long after it got updated.
Similarly, so was almost anything that used old pnglib versions to unpack/compress, since the reference implementation used zlib.
Same with a considerable number of games using old zlib sources to handle compressed savegames and compressed assets in general. They are still out there and you are just one tampered download of an addon/mod away from running code you don't want to.
And you can bet your ass most game studios do not have security buffs that keep tabs on such things. And next thing you know a “crafted” image gets pushed in an in-game feed and you’re pwned.
I am just going to leave a small taste here for you to consider. 2022 was not that long ago, so consider your exposure and don’t just dismiss my anecdote about the old unsafe version of libpng as a thing of the past.
Stay vigilant.
There was also an issue some years ago with unace. ACE more or less went out of use about 20 years ago (having fallen behind) but was included with some compressors for format compatibility with old existing archives that had not been converted yet (such as you might have on an old CD-ROM backup from the late 90s). As it turned out, the freely distributed unace was not safe. Being a dead format in a piece of abandonware, it simply got culled.
There are probably more defects out there in various compressors, but the biggest threat by far by nature of the vast usage it has, comes from zlib and the things that build on that.
Naturally other compressors/decompressors that have nothing to do with it likely have issues of their own waiting to be uncovered. Probably a heap of JPEG and WebP implementations are b0rk3n too. And I’d worry about libraries for audio and video as well. E.g. libogg, MP3 decoders, early MP4 codecs, DVD playback software, old versions of ffmpeg and things that build on that, etc. ad nauseam.
@Martin you wrote “The Windows 11 implementation relies on libarchive and not on the two rar library files.”
Maybe you can elaborate? Do you know what libarchive is based on, or if they have made their own implementations from scratch? It would be surprising if they had fully reimplemented to spec instead of basing their libraries on the publicly provided unzip/unzip/un-etc sources.
You can download the dll’s yourself and replace them instead of waiting for a software update.
Unlike unrar.exe, original unrar.dll and unrar64.dll libraries do not include recovery volume processing code and thus they are not vulnerable.
epubor has the unrar.dll file as well.
It’s time to get rid of it along with Calibre – neither can remove DRM from kindle books anymore, the only reason I was keeping them. Bye!
“Now You: do you use WinRAR or another software to open and create archives?”
Been using 7-Zip problem-free for decades. Broad user base, free, open source, fast, and decent (AES-256) encryption.
Thanks, ^^Gary, for the post about Calibre. I just upgraded the portable version, and yes, it’s still using the affected .dll. I only use Calibre for the occasional .azw3 conversion (Sumatra is my primary e-book reader), so I’ll just park Calibre until it’s upgraded. The author is usually pretty fast with fixes.
PeaZip here, but I noticed both the unrar.dll and unrar64.dll files are on my Windows 10 system–unrar.dll is located here: C:\Program Files\Calibre2; unrar64.dll is located here: C:\Windows\System32. The first file is relatively new–6/23; the second file is old–5/19.
I know an update for Calibre is available to 6.22.
Thanks for the information!
Hard to believe such a prominent, high-quality program as WinRAR has a security issue.
Include Power ISO as well–on a Windows 11 computer.
Calibre ebook management software uses unrar.dll.
The current version of Calibre (Release: 6.25 [18 Aug, 2023]) is still using unrar.dll version
Hi Martin,
There are actually 2 Critical Bug Fixes addressed by WinRAR 6.23 final:
“WinRAR 6.23 final released
Release date: 02.08.2023
Release notes updated: 24.08.2023
3) Bugs fixed:
a) Critical Bug: CVE-2023-40477. The vulnerability allows remote attackers to execute arbitrary code on affected installations. User interaction is required to exploit this vulnerability. This is fixed in the RAR4 recovery volume processing code.
We would like to thank goodbyeselene in collaboration with Trend Micro Zero Day Initiative for reporting this bug.
Bug reported: 08.06.2023
Fixed in new WinRAR Beta Version 6.23, released: 20.07.2023;
Full Version 6.23 release: 02.08.2023
b) Critical Bug: CVE-2023-38831. A vulnerability was discovered in the processing of ZIP format. Attackers could utilize affected archives to distribute malware. User interaction is required to exploit this vulnerability.
We would like to thank Andrey Polovinkin of Group-IB Threat Intelligence for reporting this bug.
Bug reported: July 2023
Fixed in 6.23 Beta Version, released: 20.07.2023
Full Version 6.23 release: 02.08.2023 ”
I do not use WINRAR myself and can’t determine whether it is accurate but it is reported at the following article that “Apparently, there’s no automatic update system in the WinRAR software, so you need to download the new installer and run it yourself to replace an old version.”
Neither unrar.dll nor unrar64.dll has been found on my system, so no third-party programs are affected here. However, version 6.23 has fixed the issue, so the first thing is to update WinRAR as soon as possible as well. It’s a big problem because we can’t know how many users will be in trouble in the future, because there are no automatic updates, by the way. :S
Most mod managers for PC games use the unrar.dll.