WinRAR Zero-Day Exposes Supply Chain Weakness

Greg Lambert
August 23, 2023

A few years ago (at a security conference) I was surprised to hear from a very respected security professional that their biggest fear (in answer to what kept them awake at night) was supply chain compromises.

They were, of course, both very right and prescient, as almost the very next day we experienced one of the first, when WinRAR (a common file compression utility) was compromised with the following vulnerability:

CVE-2018-20250: In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

This particular vulnerability led to complete control of the compromised system. And then a year later, while working with one of the Microsoft teams (MSRC), we discovered that another vulnerability in WinRAR had exposed another 500 million users to a remote code execution (RCE) vulnerability. This was really well documented in a Check Point blog entry found here.

And now today, we have discovered the following (very serious) security vulnerability in that very same compression tool (WinRAR):

RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.

The reason I mention this particular vulnerability (though it is both timely and very important) is that your application packages may contain these JPG files. And you may not have updated your version of WinRAR to the latest (ahem) secure version. If you cannot scan your application packages for these JPG files, then you may be re-infecting your platform with each application deployment.
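One way to scan a package repository for the pattern in the advisory above, a file entry and a folder with the same name inside one ZIP, is sketched below as an added example (not code from this post or from any vendor tool). The function names, the sample archive and its entry names are constructed for illustration, and a hit means the archive should be reviewed, not that it is malicious.

```python
import io
import pathlib
import zipfile


def find_name_collisions(archive):
    """Map each file entry that shares its exact name with a folder in the
    same ZIP to the entries stored inside that folder."""
    files, folders = set(), {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            if name.endswith("/"):          # explicit directory entry
                folders.setdefault(name.rstrip("/"), [])
                continue
            files.add(name)
            parts = name.split("/")         # each parent prefix is a folder
            for i in range(1, len(parts)):
                folders.setdefault("/".join(parts[:i]), []).append(name)
    return {n: sorted(folders[n]) for n in sorted(files) if n in folders}


def scan_repository(root):
    """Check every .zip under root; None marks an archive that cannot be read."""
    report = {}
    for path in sorted(pathlib.Path(root).rglob("*.zip")):
        try:
            hits = find_name_collisions(path)
        except (zipfile.BadZipFile, OSError):
            report[str(path)] = None
            continue
        if hits:
            report[str(path)] = hits
    return report


def build_sample(collide):
    """Constructed in-memory archive; every entry is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup/readme.txt", "constructed sample")
        zf.writestr("photo.jpg", "not a real image")
        if collide:
            zf.writestr("photo.jpg/notes.txt", "inert placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(find_name_collisions(build_sample(True)))
    print(find_name_collisions(build_sample(False)))
```

Because a normal file system cannot hold a file and a folder of the same name side by side, archives built from an ordinary directory tree should not trigger this check.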

As a practice, all organizations must now adopt a rapid update process for both Windows OS (and Office) patches and third-party applications that includes:

  1. Application Packaging repository scanning and assessment.
  2. Rapid application packaging and deployment.
  3. Compliance with packaging, industry, and local installation standards.
  4. Integrated testing, with QA and work-flow documentation.
  5. Support for application UNINSTALL and then application updates.

Yes – you need to ABSOLUTELY ensure that you remove that old version from your target platforms. If that old version, or ANY piece or component of that old application installation is on your platform (any device, anywhere), then your system has been compromised. Period.

If anyone ever says, “Hey, we don’t need to worry about uninstalls”, you now have a handy link to share.

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
