Risk | Low |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2018-20250 CVE-2018-20251 CVE-2018-20252 CVE-2018-20253 |
CWE-ID | CWE-264 CWE-787 |
Exploitation vector | Local |
Public exploit |
Vulnerability #1 is being exploited in the wild. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. |
Vulnerable software Subscribe |
WinRAR Client/Desktop applications / Software for archiving |
Vendor | RARLAB |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU17468
Risk: Low
CVSSv3.1: 8.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2018-20250
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a local attacker to gain elevated privileges.
The vulnerability exists due to a logical bug. A local attacker can craft the filename field of the ACE format, cause the destination folder (extraction folder) to be ignored, and the relative path in the filename field to become an absolute Path, extract a file to an arbitrary location and execute arbitrary code with elevated privileges.
MitigationUpdate to version 5.70 Beta 1.
Vulnerable software versionsWinRAR: 4.00 - 5.61
External linkshttp://www.win-rar.com/whatsnew.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted archive.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU17469
Risk: Low
CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-20251
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a local attacker to gain elevated privileges.
The vulnerability exists due to a validation function (in WinRAR code) that inspects the filename field for each compressed file in the ACE archive is being called before extraction of ACE archives. The extraction operation should be aborted and no file or folder should be extracted. However, the check of the return value from the validator function made too late (in UNACEV2.dll), after the creation of files and folders. A local attacker can disallow the filename by the validator function (for example, the filename contains path traversal patterns) and gain elevated privileges.
MitigationUpdate to version 5.70 Beta 1.
Vulnerable software versionsWinRAR: 4.00 - 5.61
External linkshttp://www.win-rar.com/whatsnew.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted archive.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU17470
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-20252
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: Yes
DescriptionThe vulnerability allows a local attacker to gain elevated privileges.
The vulnerability exists due to out-of-bounds write during parsing of crafted ACE and RAR archive formats. A local attacker can supply specially crafted input, trigger memory corruption and execute arbitrary code with elevated privileges.
MitigationUpdate to version 5.70 Beta 1.
Vulnerable software versionsWinRAR: 4.00 - 5.61
External linkshttp://www.win-rar.com/whatsnew.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted archive.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU17819
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-20253
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: Yes
DescriptionThe vulnerability allows a local attacker to gain elevated privileges.
The vulnerability exists due to out-of-bounds write during parsing crafted LHA / LZH archive formats. A local attacker can supply specially crafted input, trigger memory corruption and execute arbitrary code with elevated privileges.
MitigationUpdate to version 5.70 Beta 1.
Vulnerable software versionsWinRAR: 4.00 - 5.60
External linkshttp://www.win-rar.com/whatsnew.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted archive.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.