The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw in the UnRAR utility to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
Tracked as CVE-2022-30333 (CVSS score: 7.5), the issue concerns a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.
This means that an adversary could exploit the flaw to drop arbitrary files on a target system that has the utility installed simply by decompressing the file. The vulnerability was revealed by SonarSource researcher Simon Scannell in late June.
“RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation,” the agency said in an advisory.
Although the flaw affects any Linux application that uses UnRAR to extract an archive file, a successful exploitation of the flaw can have a significant impact against Zimbra, granting an attacker complete access to the email server.
In a follow-up analysis published last month, Rapid7 said a vulnerable Zimbra host can be exploited by an adversary by sending an email containing a rogue RAR file and without requiring any user interaction, since the service automatically extracts archives attached to incoming emails to inspect them for spam and malware.
The security hole was patched by WinRAR developer Rarlab on May 6. Zimbra addressed the issue on June 14 in 9.0.0 patch 25 and 8.5.15 patch 32 by replacing UnRAR with 7z.
Not much is known about the nature of the attacks, but the disclosure is evidence of a growing trend wherein threat actors are quick to scan for vulnerable systems after flaws are publicly disclosed and take the opportunity to launch malware and ransomware campaigns.
On top of that, CISA has also added CVE-2022-34713 to the catalog after Microsoft, as part of its Patch Tuesday updates on August 9, revealed that it has seen indications that the vulnerability has been exploited in the wild.
Said to be a variant of the vulnerability publicly known as DogWalk, the shortcoming in the Microsoft Windows Support Diagnostic Tool (MSDT) component could be leveraged by a rogue actor to execute arbitrary code on susceptible systems by tricking a victim into opening a decoy file.
Federal agencies in the U.S. are mandated to apply the updates for both flaws by August 30 to reduce their exposure to cyberattacks.