⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-08-15.

CVE-2018-20250 — Absolute Path Traversal in Winrar

CWE-36 — Absolute Path Traversal CWE-22 — Path Traversal14 documents11 sources

Severity

7.8HIGHNVD

EPSS

93.5%

top 0.18%

CISA KEV

KEVRansomware

Added 2022-02-15

Due 2022-08-15

Exploit

Exploited in wild

Active exploitation observed

Affected products

Rarlab Winrar Check Point Software Technologies LTD Winrar

Timeline

PublishedFeb 5

KEV addedFeb 15

Latest updateMay 13

KEV dueAug 15

CISA Required Action: Apply updates per vendor instructions.

Description

In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDrarlab/winrar5.61

▶CVEListV5check_point_software_technologies_ltd/winrarAll versions prior and including 5.61

🔴Vulnerability Details

GHSA

GHSA-7v9q-j964-43qc: In WinRAR versions prior to and including 5↗2022-05-13

▶

CVEList

CVE-2018-20250: In WinRAR versions prior to and including 5↗2019-02-05

▶

VulnCheck

WinRAR Absolute Path Traversal Vulnerability↗2018

▶

💥Exploits & PoCs

Exploit-DB

RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)↗2019-04-25

▶

Exploit-DB

WinRAR 5.61 - Path Traversal↗2019-02-22

▶

🔍Detection Rules

Suricata

ET EXPLOIT WinRAR WinAce Containing CVE-2018-20250 Inbound - Path Traversal leading to RCE↗2019-05-01

▶

YARA

CVE_2018_20250↗

▶

📋Vendor Advisories

CISA

WinRAR Absolute Path Traversal Vulnerability↗2022-02-15

▶

🕵️Threat Intelligence

Fortinet

Tricky Chinese-Targeted Trojan Bypasses Authentication↗2019-08-07

▶

Microsoft

Analysis of a targeted attack exploiting the WinRAR CVE-2018-20250 vulnerability | Microsoft Security Blog↗2019-04-10

▶

Tenable

WinRAR Absolute Path Traversal Vulnerability Leads to Remote Code Execution (CVE-2018-20250)↗2019-02-25

▶