Voyager18 (research)

How to fix CVE-2023-40477 in WinRAR

CVE-2023-40477 is a high-severity vulnerability in WinRAR, now fixed, that can lead to arbitrary code execution when a crafted archive is opened.

Yair Divinsky | August 20, 2023

Because exploitation requires user interaction (an attacker has to persuade the victim to open a crafted archive), the CVSS score for this vulnerability comes out at 7.8 rather than in the critical range. That makes CVE-2023-40477 easy to dismiss for security professionals who are already well aware of the risk of opening untrusted files and of the need to do so responsibly. 

In practice, though, getting a user to open an archive is not a high bar. WinRAR has a very large installed base among both home and corporate users, and opening archives from other people is exactly what it is used for, so the required user action is one that happens routinely. 

This gives attackers plenty of opportunities for successful exploitation, and it falls to security professionals to make sure everyone in their organization knows about this flaw and the fix for it. 

Here’s everything you need to know. 

What is CVE-2023-40477? 

RARLAB has fixed a high-severity code execution vulnerability (CVE-2023-40477) in WinRAR that could allow an attacker to execute arbitrary code on a victim's system simply by getting them to open a crafted archive. WinRAR users should install version 6.23 or later. 

WinRAR is a Windows file archiver relied upon by millions of users. It creates archives in the RAR and ZIP formats and can view and extract many other archive formats. WinRAR can also produce encrypted archives, multi-volume archives, and self-extracting archives, and it stores a CRC32 or BLAKE2 checksum for every file in an archive so that users can verify the integrity of their archived data. 

The flaw was reported to Trend Micro's Zero Day Initiative by a researcher known as "goodbyeselene". Exploiting CVE-2023-40477 allows a remote attacker to execute arbitrary code on affected installations of RARLAB WinRAR, with the victim opening a specially crafted RAR file as the only required interaction. 

The vulnerability lies in the handling of recovery volumes and is caused by insufficient validation of data read from the file. Because a length or offset taken from the archive is trusted, WinRAR can be made to access memory past the end of an allocated buffer, and an attacker can leverage this to execute code in the context of the WinRAR process, i.e. with the privileges of the user who opened the archive.  
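To make the bug class concrete, here is an added example in C. It is my own toy code, not WinRAR's source and not the real RAR recovery-volume format: a parser that trusts a length field read from the file and uses it as a copy size, beside a version that validates the field before copying. The record layout (a 2-byte little-endian length followed by parity bytes), the PARITY_MAX and NEIGHBOUR sizes, and every function name are assumptions made for the example; the "neighbour" bytes stand in for whatever happens to sit after the buffer in a real process.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical sizes for this example (not WinRAR's): a fixed 16-byte parity
 * buffer followed in memory by 4 bytes of unrelated data. */
#define PARITY_MAX 16
#define NEIGHBOUR   4

/* Toy record format (constructed for the example): a 2-byte little-endian
 * "parity length" field followed by that many parity bytes. */
static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* VULNERABLE: the declared length comes straight from the file and is used as
 * the copy size. dst is assumed to hold PARITY_MAX bytes, but nothing enforces
 * that, and nothing checks that the record actually carries `declared` bytes. */
size_t parse_recovery_vuln(uint8_t *dst, const uint8_t *in, size_t in_len)
{
    if (in_len < 2)
        return 0;
    uint16_t declared = rd16le(in);
    memcpy(dst, in + 2, declared);   /* writes past dst if declared > PARITY_MAX */
    return declared;
}

/* FIXED: reject the record unless the declared length fits both the input that
 * is actually present and the destination buffer. Returns 0 on success, -1 on
 * a malformed record, in which case nothing is written. */
int parse_recovery_fixed(uint8_t *dst, size_t dst_cap,
                         const uint8_t *in, size_t in_len, size_t *out_len)
{
    if (in_len < 2)
        return -1;
    uint16_t declared = rd16le(in);
    if (declared > in_len - 2)       /* truncated record: would read past input */
        return -1;
    if (declared > dst_cap)          /* oversized record: would write past dst  */
        return -1;
    memcpy(dst, in + 2, declared);
    *out_len = declared;
    return 0;
}

/* Feeds a crafted record (declared length = PARITY_MAX + NEIGHBOUR) to one of
 * the parsers and returns 1 if the bytes after the parity buffer were
 * overwritten, 0 if they survived. The arena is a single heap allocation so
 * the overflow lands in memory we can inspect instead of a random neighbour. */
int run_crafted(int use_fixed)
{
    const size_t total = PARITY_MAX + NEIGHBOUR;
    uint8_t *arena = malloc(total);
    if (!arena)
        return -1;
    memset(arena, 0x00, PARITY_MAX);
    memset(arena + PARITY_MAX, 0xAA, NEIGHBOUR);   /* sentinel "neighbour" bytes */

    uint8_t rec[2 + PARITY_MAX + NEIGHBOUR];       /* constructed malicious record */
    rec[0] = (uint8_t)(total & 0xff);
    rec[1] = (uint8_t)(total >> 8);
    memset(rec + 2, 0x41, total);

    if (use_fixed) {
        size_t n = 0;
        (void)parse_recovery_fixed(arena, PARITY_MAX, rec, sizeof rec, &n);
    } else {
        (void)parse_recovery_vuln(arena, rec, sizeof rec);
    }

    int clobbered = 0;
    for (size_t i = 0; i < NEIGHBOUR; i++)
        if (arena[PARITY_MAX + i] != 0xAA)
            clobbered = 1;
    free(arena);
    return clobbered;
}

/* Sanity checks for the fixed parser: a well-formed 8-byte record is accepted
 * (returns 8); a record claiming 10 bytes but carrying only 4 is rejected (-1). */
int fixed_benign_len(void)
{
    uint8_t rec[2 + 8] = { 8, 0, 1, 2, 3, 4, 5, 6, 7, 8 };
    uint8_t dst[PARITY_MAX];
    size_t n = 0;
    if (parse_recovery_fixed(dst, sizeof dst, rec, sizeof rec, &n) != 0)
        return -1;
    return (int)n;
}

int fixed_truncated_rc(void)
{
    uint8_t rec[2 + 4] = { 10, 0, 1, 2, 3, 4 };
    uint8_t dst[PARITY_MAX];
    size_t n = 0;
    return parse_recovery_fixed(dst, sizeof dst, rec, sizeof rec, &n);
}

int main(void)
{
    printf("vulnerable parser clobbered neighbour: %d\n", run_crafted(0));
    printf("fixed parser clobbered neighbour:      %d\n", run_crafted(1));
    return 0;
}
```

The pattern to carry over to real file parsers: every length, count or offset read from the file is attacker-controlled and must be checked against both the bytes actually present in the input and the capacity of the destination before it is used as a copy size, and the check has to happen before the first write, not after.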

Does CVE-2023-40477 affect me?  

If you run any WinRAR release before 6.23 on Windows, you are affected. The vulnerable code is the RAR4 recovery volume processing, so the trigger is WinRAR parsing a crafted recovery volume (the .rev files WinRAR produces to repair damaged multi-volume archives) rather than the main archive data itself. Successful exploitation gives the attacker code execution in the WinRAR process, which means the privileges of whichever user opened the file. 

RARLAB has already addressed the issue: the latest release, WinRAR 6.23, contains the fix for CVE-2023-40477.   

Has CVE-2023-40477 been actively exploited in the wild?  

The flaw was published on 08/18/2023 as ZDI-23-1152, and the advisory is publicly available at zerodayinitiative.com. The vulnerability has carried the identifier CVE-2023-40477 since August 14, 2023. As of this writing, technical details have not been published and no public exploit is available. 

How to fix CVE-2023-40477 

RARLAB released WinRAR version 6.23 on August 2, 2023, which resolves CVE-2023-40477. WinRAR users should apply this update promptly. Note that WinRAR does not update itself, so confirm the installed version on each endpoint (Help > About WinRAR, or the file version of WinRAR.exe) rather than assuming the update has been applied, and remember that both the 32-bit and 64-bit builds need to be at 6.23 or later. 

In addition to fixing the RAR4 recovery volume processing code, version 6.23 also addresses another significant issue with specially crafted archives, in which WinRAR could start the wrong file after a user double-clicked an item in the archive. That issue is also rated high-severity, which is one more reason not to postpone the update. 

It is also worth noting that Microsoft is currently testing native support for RAR, 7-Zip and GZ archives in Windows 11. Once that ships, many users will no longer need third-party software such as WinRAR unless they require its advanced features. 

For those who continue to rely on WinRAR, keeping the software up to date is essential. Attackers have exploited similar archiver vulnerabilities in the past to deliver malware. 

This is also a good opportunity to remind users in your organization of the basics that protect them from this kind of vulnerability: be careful with the files they open and run, keep the operating system and other software up to date, use a firewall to block malicious traffic, and run an effective antivirus product. 

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Announcing the Attack Path Graph for end-to-end risk prioritization
  2. Can you trust ChatGPT’s package recommendations?
  3. MITRE ATT&CK framework – Mapping techniques to CVEs  
  4. Exploit maturity: an introduction  
  5. IBM’s Cost of a Data Breach report 2023 – what we learned
