A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. The flaw stems from the way WinRAR processes alternate data streams (ADSes) within specially crafted archive files.

By embedding malicious payloads in ADSes and manipulating file paths, an attacker can trick WinRAR into extracting files outside the user’s intended directory. 

This is particularly dangerous because it requires only minimal user interaction and can evade typical user awareness.

CVSS Score: 8.4 – High  

Exploited as zero-day in attacks: 

The flaw has been linked to the Russian-aligned hacking group RomCom, also tracked as Storm-0978, which is known for both financially motivated operations and cyberespionage. In this campaign, RomCom specifically targeted financial, defense, manufacturing, and logistics companies in Europe and Canada.

Recommendation

As WinRAR does not include an auto-update feature, it is strongly advised that all users manually download and install the latest version from win-rar.com so they are protected from this vulnerability. 

The release notes for the WinRAR 7.13 security update read:

Another directory traversal vulnerability, differing from that in WinRAR 7.12, has been fixed. 

When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of the user-specified path.

Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, as well as RAR for Android, are not affected.
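The description above (an archive-defined path overriding the user's chosen extraction directory, combined with alternate data stream names) can be turned into a simple triage check over an archive's entry listing. The following script is an added example written for this bulletin; it is not code from WinRAR or from the bulletin's author. It assumes the entry names have already been obtained from a listing tool (for example the output of "unrar lt" or "rar l") and applies Windows path rules via Python's ntpath module, so it runs the same way on a Linux analysis host. The sample listing is constructed for illustration and does not come from any real archive.

```python
import ntpath

# Constructed sample listing of archive entry names, as a listing tool would
# print them; none of these come from a real archive.
SAMPLE_LISTING = [
    "docs/report.pdf",                 # benign: stays under the destination
    "docs/../../outside.txt",          # climbs above the destination
    "notes.txt:hidden",                # alternate data stream on an in-tree file
    "..\\..\\escape.txt:stream",       # ADS combined with directory traversal
    "C:\\Windows\\Temp\\abs.txt",      # absolute path ignores the destination
]


def strip_ads(entry_name):
    """Return (path_without_stream, has_ads) using Windows naming rules.

    Only a colon after the optional drive letter ("C:") denotes an
    alternate data stream, e.g. "file.txt:payload".
    """
    drive, tail = ntpath.splitdrive(entry_name)
    if ":" in tail:
        return drive + tail.split(":", 1)[0], True
    return entry_name, False


def classify_entry(entry_name, dest_dir):
    """Return the list of findings for one archive entry name.

    Possible findings: "alternate_data_stream", "absolute_path",
    "escapes_destination".  An empty list means the entry would land
    inside dest_dir under normal extraction.
    """
    findings = []
    path, has_ads = strip_ads(entry_name)
    if has_ads:
        findings.append("alternate_data_stream")

    drive, tail = ntpath.splitdrive(path)
    if drive or tail.startswith(("\\", "/")):
        findings.append("absolute_path")

    base = ntpath.normpath(dest_dir)
    # normpath collapses "..", so target is where extraction would actually write.
    target = ntpath.normpath(ntpath.join(base, path))
    try:
        inside = ntpath.commonpath([base, target]).lower() == base.lower()
    except ValueError:
        # Different drive (or absolute/relative mix): certainly outside dest_dir.
        inside = False
    if not inside:
        findings.append("escapes_destination")
    return findings


def scan_listing(entries, dest_dir):
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    report = {}
    for name in entries:
        findings = classify_entry(name, dest_dir)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    hits = scan_listing(SAMPLE_LISTING, "C:\\Users\\alice\\Downloads")
    for name, findings in hits.items():
        print(f"{name!r}: {', '.join(findings)}")
```

The check only inspects names, so it is a pre-extraction triage aid for incident responders and mail-gateway or sandbox pipelines, not a substitute for the 7.13 update: an entry that passes this check is still written by whatever extractor the user runs, and a patched extractor is what actually enforces the destination directory.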

Reference: 

 

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

 
