Exploitation of CVE-2023-38831 in WinRAR

RARLabs WinRAR file extension spoofing exploit seen in the wild

Threat ID:: CC-4370
Threat Severity:: Medium
Published:: 25 August 2023 10:29 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

RARLabs WinRAR file extension spoofing exploit seen in the wild

Affected platforms

The following platforms are known to be affected:

Versions: all prior to 6.23

RARLabs WinRAR

Threat details

Introduction

A high-severity zero-day vulnerability within RARLabs WinRAR has been identified by Group-IB Threat Intelligence. CVE-2023-38831 is a file extension spoofing vulnerability.

An attacker could exploit this vulnerability by creating a modified RAR or ZIP archive containing malicious files, which could lead to arbitrary code execution.

Exploitation of CVE-2023-38831

CVE-2023-38831 has been observed being exploited in the wild from April to August 2023.

Remediation advice

Affected organisations are encouraged to install the latest version of RARLabs WinRAR.

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2023-38831

RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.

Last edited: 20 November 2023 1:58 pm