Fixing WinRAR RCE (CVE-2018-20250) using SanerNow (Exploited in the Wild)


    Overview:
    A 19-year-old vulnerability, CVE-2018-20250, was recently discovered by Check Point Research in WinRAR versions 5.61 and earlier. It is a path traversal vulnerability in the UNACEV2.DLL component, which is used to extract the old and rarely used ACE archive format.

    This vulnerability allows an attacker to take complete control of the target system by tricking the victim into opening a maliciously crafted archive. Once the victim opens the malicious archive, an executable is extracted into one of the Windows Startup folders, from where it runs automatically on the next system reboot.

    This vulnerability is being actively exploited by attackers and by malware such as the JNEC.a ransomware. For more information, please refer to our blog.


    CVSS v3.0 Severity and Metrics:
    Base Score: 7.8 HIGH

    CVSS v2.0 Severity and Metrics:
    Base Score: 6.8 MEDIUM


    Affected software:
    All WinRAR versions through 5.61.


    Solution:

    To address this vulnerability, the vendor released the next version, which drops support for unpacking ACE archives by removing 'UNACEV2.dll' from the package. For more information, please refer to our blog.

    The SanerNow platform can be used to remediate this critical vulnerability quickly across the organization, as shown in the diagrams below.

    NOTE: This vulnerability is being actively exploited by attackers to break into systems, so apply the solution immediately.
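    The two facts the Overview and Solution sections rely on, that affected installs are 5.61 or lower and that the fix removes UNACEV2.dll, can be checked on a single host before or after the SanerNow job runs. The PowerShell below is an added example, not code from this article or from the SanerNow product. It assumes the default WinRAR install directories (adjust $WinRarDirs otherwise) and, because the article describes the payload landing in a Windows Startup folder, it also lists executable content found in the user and all-users Startup folders, flagging anything modified within the last 30 days for review.

```powershell
# Added example: single-host audit for the conditions described in the article.
# Not code from the article or from the SanerNow product. Install paths are the
# assumed WinRAR defaults; pass -WinRarDirs for non-standard installs.

function Invoke-WinRarAceAudit {
    [CmdletBinding()]
    param(
        # Default WinRAR install directories (assumption; add custom paths here).
        [string[]]$WinRarDirs = @("$env:ProgramFiles\WinRAR", "${env:ProgramFiles(x86)}\WinRAR"),
        # Startup-folder files changed within this window are flagged as recent.
        [int]$RecentDays = 30
    )

    $findings = @()

    # 1. WinRAR install check: version 5.61 or lower, or UNACEV2.dll still present.
    foreach ($dir in ($WinRarDirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        $exe = Join-Path $dir 'WinRAR.exe'
        $dll = Join-Path $dir 'UNACEV2.dll'

        $versionText = 'unknown'
        $oldVersion  = $false
        if (Test-Path -LiteralPath $exe) {
            $versionText = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
            $parsed = $null
            if ([version]::TryParse($versionText, [ref]$parsed)) {
                # Compare major.minor only, so "5.61.0" is treated as 5.61.
                $oldVersion = ($parsed.Major -lt 5) -or
                              ($parsed.Major -eq 5 -and $parsed.Minor -le 61)
            }
        }
        $aceDllPresent = Test-Path -LiteralPath $dll

        $reasons = @()
        if ($oldVersion)    { $reasons += "version $versionText is 5.61 or lower" }
        if ($aceDllPresent) { $reasons += 'UNACEV2.dll still present' }

        $findings += [pscustomobject]@{
            Check   = 'WinRAR install'
            Path    = $dir
            Flagged = ($reasons.Count -gt 0)
            Detail  = if ($reasons.Count -gt 0) { $reasons -join '; ' }
                      else { "version $versionText, ACE handler removed" }
        }
    }

    # 2. Startup folder check: executable content is what the exploit drops there.
    $execExt = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js'
    $cutoff  = (Get-Date).AddDays(-$RecentDays)
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    foreach ($dir in $startupDirs) {
        $items = Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { $execExt -contains $_.Extension.ToLower() }
        foreach ($item in $items) {
            $findings += [pscustomobject]@{
                Check   = 'Startup folder item'
                Path    = $item.FullName
                Flagged = ($item.LastWriteTime -ge $cutoff)
                Detail  = "modified $($item.LastWriteTime.ToString('yyyy-MM-dd HH:mm'))"
            }
        }
    }

    return $findings
}

# Run the audit and show flagged rows first.
Invoke-WinRarAceAudit | Sort-Object -Property Flagged -Descending | Format-Table -AutoSize
```

    Run it in a normal PowerShell session on the endpoint; reading Program Files and the Startup folders needs no elevation. A WinRAR row flagged after the SanerNow remediation job finishes means the upgrade did not land on that host, and a recently modified Startup item is only a lead for investigation, not proof of compromise, since legitimate installers also write there.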


    SanerNow: Vulnerability detection and patching of WinRAR:


    1. Log in to the SanerNow platform.

    2. Switch to the account/site-specific view and go to the 'VM tool'.

    3. The WinRAR CVE-2018-20250 vulnerability will be listed under 'Top Vulnerabilities' or 'Recently Discovered Vulnerabilities', as shown in the diagram below.

    before_patch.png


    4. Search for this vulnerability in the VM tool. If you are affected, apply the patch through PM -> Missing Patches.

    5. Select 'Groups/Devices' in the 'Asset Source' section and click 'Apply'.

    6. Select the 'WinRAR' product from the 'Asset' section, as shown in the diagram below.

    remjob.png


    7. Select 'Apply Selected Patches' at the rightmost corner. This will prompt you to create a patching task. Fill in 'Task Name' and 'Remediation Schedule' as per your preference and click 'Apply Selected Patches', as shown below.

    job.png


    8. A remediation job will be created, which will fix the vulnerability by upgrading WinRAR to the latest version.

    9. Once remediation is done, the Saner agent automatically scans again and uploads the result to SanerNow, as shown below.

    afterpatch.png
