External risk intelligence

UnRAR Directory Traversal Vulnerability Affects File Integrity

CVE advisory

Known Exploit

CVE-2022-30333

A directory traversal vulnerability in RARLAB UnRAR for Linux and UNIX systems allows unauthorized file writing during archive extraction. This can lead to the modification or creation of sensitive files, posing a risk to system integrity and data.

Halo Surface Signal: 2

Weakness: Path Traversal

Product: Rarlab Unrar

Affected versions: before 6.12

10.0

External exposure likelihood

Halo Surface Signal score for CVE-2022-30333

UnRAR is a command-line utility typically used for local file processing or as a backend component in various applications. While it can be invoked by internet-facing services to process user-provided archives, the utility itself is not an internet-exposed service, listener, or gateway, and its usage is generally context-dependent rather than inherently public-facing.

Horizon Alert

Summary of the vulnerability and why it matters

RARLAB UnRAR on Linux and UNIX systems is susceptible to a directory traversal flaw. During extraction, a crafted archive can cause files to be written outside the intended extraction directory. The potential business impact is unauthorized modification or creation of sensitive files.

  • Vulnerable: RARLAB UnRAR on Linux/UNIX
  • Flaw: Directory traversal during extraction
  • Impact: Unauthorized file writing

Attack Path

How an attacker could exploit the issue

An attacker who can get a vulnerable RARLAB UnRAR on Linux or UNIX to extract an archive they supply can exploit the directory traversal flaw to write files to arbitrary locations on the system. Successful exploitation could give the attacker unauthorized access or let them modify critical system files.

  • UnRAR extracts archive entries without properly validating their paths.
  • The attacker supplies a specially crafted archive.
  • The result is an arbitrary file write, and from there control of the system.
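The first bullet is the root cause: entry paths are trusted as given. The check below is an added example (not UnRAR's own code, and not a patch for it) of the validation an extraction routine should perform before writing each entry: normalise both separator styles, reject absolute paths and `..` components, and confirm the resolved destination still lies under the extraction root. The entry names and the root directory are constructed for the demonstration.

```python
import os
import posixpath

# Constructed sample entry names, in the form an archive listing might report
# them; not taken from any real archive.
SAMPLE_ENTRIES = [
    "docs/readme.txt",                 # ordinary relative path
    "../../.ssh/authorized_keys",      # dot-dot traversal with '/'
    "..\\..\\.ssh\\authorized_keys",   # same traversal using '\' separators
    "/etc/cron.d/job",                 # absolute path
    "a/./b//c.txt",                    # redundant separators, still inside root
]


def is_safe_entry(name: str, dest_root: str) -> bool:
    """Return True only if extracting `name` would land inside dest_root.

    Separators are normalised first: a filter that only understands '/'
    can be bypassed by an archive whose entry names use '\\'.
    """
    norm = name.replace("\\", "/")
    if posixpath.isabs(norm):
        return False
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if ".." in parts:
        return False
    # Resolve the real destination so that an existing symlink under the
    # root that points outside it is also caught.
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, *parts))
    return target == root or target.startswith(root + os.sep)


def partition_entries(entries, dest_root):
    """Split entry names into (safe, rejected) lists for the given root."""
    safe, rejected = [], []
    for name in entries:
        (safe if is_safe_entry(name, dest_root) else rejected).append(name)
    return safe, rejected


if __name__ == "__main__":
    ok, bad = partition_entries(SAMPLE_ENTRIES, "/var/tmp/extract-demo")
    print("safe:", ok)
    print("rejected:", bad)
```

`os.path.realpath` only resolves symlinks that exist at the moment of the check, so an extractor should run this check immediately before writing each entry, in extraction order, rather than once over the whole listing up front.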

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an attacker to write to arbitrary files on a system by exploiting a directory traversal flaw during the extraction of RAR archives. Exploitation could lead to unauthorized data modification or the compromise of system security, such as by creating a malicious SSH authorized keys file. The broad impact and the possibility of remote exploitation suggest that organizations should prioritize addressing this vulnerability.

  • Attackers with low skill.
  • No access or conditions needed.
  • High business risk or urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows unauthorized file creation on Linux and UNIX systems when processing RAR archives. Attackers can exploit this to gain elevated access by creating sensitive files, such as SSH authorized keys. This poses a significant risk to organizational systems and data integrity.

  • Find every system on which UnRAR is installed or invoked.
  • Restrict access to the UnRAR utility where possible.
  • Update UnRAR to version 6.12 or later and confirm the installed version.
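The first and third steps need an inventory check. The script below is an added example, not tooling from RARLAB or from this advisory, that parses the banner line `unrar` prints when run without arguments, compares the version against the 6.12 fix threshold stated above, and reports each host as vulnerable, patched or unknown. The banner format is assumed from the stock `unrar` binary (confirm it against your build), and the host names and banner lines are constructed; `local_unrar_banner()` runs the real binary only if one is on `PATH`.

```python
import re
import shutil
import subprocess

# From the advisory: versions before 6.12 are affected.
FIXED_VERSION = (6, 12)

# Constructed sample banners keyed by made-up host names. The format mirrors
# the first line the `unrar` binary prints when run without arguments
# (assumed; confirm against your own build).
SAMPLE_BANNERS = {
    "build-host": "UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal",
    "mail-gw":    "UNRAR 6.12 freeware      Copyright (c) 1993-2022 Alexander Roshal",
    "legacy-box": "UNRAR 5.61 freeware      Copyright (c) 1993-2018 Alexander Roshal",
    "no-banner":  "command not found",
}


def parse_unrar_version(banner: str):
    """Extract (major, minor) from an UnRAR banner line, or None if absent."""
    m = re.search(r"\bUNRAR\s+(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable(version) -> bool:
    """True when the parsed version is older than the fixed release."""
    return version < FIXED_VERSION


def local_unrar_banner():
    """Run the locally installed `unrar` (if any) and return its banner line."""
    path = shutil.which("unrar")
    if path is None:
        return None
    proc = subprocess.run([path], capture_output=True, text=True)
    for line in (proc.stdout + proc.stderr).splitlines():
        if "UNRAR" in line:
            return line
    return None


def assess(banners: dict) -> dict:
    """Map host name -> 'vulnerable' | 'patched' | 'unknown'."""
    result = {}
    for host, banner in banners.items():
        version = parse_unrar_version(banner)
        if version is None:
            result[host] = "unknown"
        else:
            result[host] = "vulnerable" if is_vulnerable(version) else "patched"
    return result


if __name__ == "__main__":
    for host, status in assess(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
    local = local_unrar_banner()
    if local is None:
        print("this machine: unrar not installed")
    else:
        print("this machine:", assess({"localhost": local})["localhost"])
```

Hosts reported as `unknown` (a different build, a wrapper script, or `unrar` missing from `PATH` while an application bundles its own copy) still need a manual check; the inventory step is only complete when every invocation path has been accounted for.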

Frequently asked questions

What is RARLAB UnRAR and how is it used on Linux and UNIX?

RARLAB UnRAR is a command-line utility primarily used on Linux and UNIX systems for extracting files from RAR archives. It's often employed for managing compressed data or as a component within other applications that handle archive operations.

What kind of weakness does CVE-2022-30333 represent in UnRAR?

CVE-2022-30333 is a directory traversal vulnerability, identified as CWE-22. This weakness allows an attacker to bypass security controls and access files or directories that they should not be able to reach during an extraction process.

What preconditions are needed for an attacker to exploit CVE-2022-30333?

An attacker can exploit this vulnerability by tricking a user or system into extracting a specially crafted RAR archive. No special access or conditions are required for the attacker to initiate the exploit; the vulnerability lies within the extraction process itself.

Who should be concerned about CVE-2022-30333, considering its exposure?

Organizations using RARLAB UnRAR on Linux and UNIX should be concerned. While UnRAR itself is not typically an internet-facing service, it can be invoked by internet-facing applications to process archives. If such an application is affected, it could lead to unauthorized file modifications.

What are the first steps for someone running this technology?

If you are running affected versions of UnRAR on Linux or UNIX, you should identify all systems where it is used. Subsequently, restrict access to the UnRAR utility where possible and prioritize updating to version 6.12 or later to mitigate the risk.
