WinRAR ZIP Arbitrary Code Execution Vulnerability (CVE-2023-38831)
Description
What is WinRAR?
WinRAR is a popular utility for file compression/decompression and archive management.
What is the Attack?
CVE-2023-38831 is an arbitrary code execution vulnerability in WinRAR versions before 6.23. A crafted ZIP archive contains a decoy file (for example a document or image) alongside a folder of the same name, the folder name carrying a trailing space, and that folder holds a script named after the decoy. When the user opens (some refer to this as "viewing") the decoy file from the WinRAR window, WinRAR extracts the contents of the matching folder as well and the script in the folder is launched rather than the decoy file.
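As an added illustration (not part of the FortiGuard advisory and not Fortinet code), the following Python script inspects a ZIP archive's entry names for the layout described above: a decoy file next to a folder whose name equals the decoy name modulo trailing spaces, with a script named after the decoy inside that folder. The script-extension list and the two constructed sample archives are assumptions made for the example; no real malware is used.

```python
import io
import posixpath
import sys
import zipfile

# Payload types a shell launch would execute. This list is an assumption for the
# example; the advisory does not enumerate which script types were used.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".wsf", ".ps1", ".scr", ".lnk"}


def _implied_dirs(names):
    """Collect every directory an archive refers to: explicit "dir/" entries
    and the parents implied by nested file entries alike."""
    dirs = set()
    for name in names:
        parts = name.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))
    return dirs


def find_cve_2023_38831_pairs(zip_bytes):
    """Return sorted (decoy_file, script_path) pairs matching the exploit layout.

    Heuristic based on the public description of CVE-2023-38831: a decoy file
    ("photo.jpg") sits next to a directory whose name is the decoy name, either
    identical or with trailing whitespace ("photo.jpg "), and that directory
    holds a script whose name begins with the decoy name ("photo.jpg .cmd").
    Only entry names are examined; nothing is extracted.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    dirs = _implied_dirs(names)

    hits = []
    for decoy in files:
        parent, base = posixpath.split(decoy)
        for d in dirs:
            dparent, dbase = posixpath.split(d)
            # Same parent folder, folder name == decoy name ignoring trailing spaces
            if dparent != parent or dbase.rstrip() != base.rstrip():
                continue
            for script in files:
                sparent, sbase = posixpath.split(script)
                ext = posixpath.splitext(sbase)[1].lower()
                if sparent == d and sbase.startswith(base) and ext in SCRIPT_EXTS:
                    hits.append((decoy, script))
    return sorted(set(hits))


def build_sample_archive():
    """Constructed archive laid out like the reported samples (harmless
    placeholder content, not a real malicious file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("trading_strategy.pdf", b"%PDF-1.4\n% decoy document\n")
        zf.writestr("trading_strategy.pdf /trading_strategy.pdf .cmd",
                    b"@echo off\r\necho constructed sample\r\n")
    return buf.getvalue()


def build_benign_archive():
    """Constructed archive with an ordinary file/folder mix that must not match:
    the folder name differs from the file name, so a script in it is not flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("report/install.cmd", b"@echo off\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Scan archives given on the command line, or the constructed samples if none
    targets = sys.argv[1:]
    samples = {path: open(path, "rb").read() for path in targets} if targets else {
        "constructed-malicious.zip": build_sample_archive(),
        "constructed-benign.zip": build_benign_archive(),
    }
    for label, data in samples.items():
        pairs = find_cve_2023_38831_pairs(data)
        print(f"{label}: {'SUSPICIOUS' if pairs else 'clean'}")
        for decoy, script in pairs:
            print(f"  decoy {decoy!r} -> script {script!r}")
```

Run it as `python check_zip.py suspicious.zip` to triage archives from mail or web proxies; with no arguments it scans the two constructed samples. Because the check works on names only, it is safe to run on untrusted archives, but it is a heuristic: it will miss archives whose script name does not begin with the decoy name, and it says nothing about RAR-format archives.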
Why is this Significant?
This is significant because WinRAR is widely used and CVE-2023-38831 was reportedly exploited as a 0-day as early as April 2023, before a fix was available. Multiple malware families have reportedly been delivered through it. FortiGuard Labs strongly recommends that all WinRAR users update to the latest version as soon as possible.
What is the Vendor Solution?
The vendor has released WinRAR version 6.23, which includes a fix for CVE-2023-38831.
What FortiGuard Coverage is available?
FortiGuard Labs has the following AV signatures for the files reportedly used in attacks involving CVE-2023-38831:
W32/Darkme.A!tr
W32/NDAoF
PossibleThreat.DU
W32/VB_AGen.EX!tr
W32/ETCH!tr
NSIS/Injector.15D3!tr
PossibleThreat.FORTIEDR.H
W32/PossibleThreat
Malicious_Behavior.SB
FortiGuard Web Filtering blocks all reported network IOCs.