In April 2023, researchers found zero day vulnerabilities in the WinRAR utility that make it possible for remote attackers to install malware on victims’ computers. The vulnerabilities have been assigned CVE-2023-40477 and CVE-2023-38831 by the National Vulnerability Database (NVD). An update to the utility effectively prevents execution of an exploit. In this post, we show how customers can use Axonius to identify instances of vulnerable versions of WinRAR in their environments, visualize, alert, and report on remediation efforts.
What Are the Zero-Day WinRAR Vulnerabilities CVE-2023-40477 and CVE-2023-38831?
From the August 24, 2023 release notes for WinRAR 6.23:
- Critical Bug: CVE-2023-40477. The vulnerability allows remote attackers to execute arbitrary code on affected installations. User interaction is required to exploit this vulnerability. This is fixed in the RAR4 recovery volume processing code.
- Critical Bug: CVE-2023-38831. A vulnerability was discovered in the processing of ZIP format. Attackers could utilize affected archives to distribute malware. User interaction is required to exploit this vulnerability.
How Can Customers Use Axonius to Identify Systems Impacted by CVE-2023-40477 and CVE-2023-38831?
In the video we show how customers use Axonius to identify instances of vulnerable versions of WinRAR in their environments, visualize vulnerable systems, alert on vulnerable systems and report on remediation efforts.
Researching Reported CVEs with the Axonius Vulnerabilities Page
This page shows all the vulnerabilities defined as CVEs by NVD whether discovered or not. The Vulnerability Repository enables you to explore and manage vulnerabilities even before they surface - using a proactive approach. Customers can search directly by Vuln ID using the CVE ID or take a more broad approach searching the CVE description for WinRAR. Sorting by NVD published date, we can see one of the two CVEs. The second CVE has yet to be published by NVD.
For most vulnerabilities, we can analyze a vulnerability directly with a CVE or indirectly by analyzing software version information. We can quickly build two queries to account for both options. This will assist in creating dashboard and reporting content. In Vulnerabilities, we will query for the two relevant CVEs. In Software, we will look for installed software names starting with WinRAR with versions before 6.23. Note, we use a complex query to tie software version information to a software name. Then, we will look at the vulnerability context with the two CVEs.
and
Visually Representing Vulnerabilities with the Axonius Asset Graph
The Axonius Asset Graph is a visual representation of the connections between the assets in a customer's inventory. For the WinRAR vulnerability, we can analyze affected installed software versions before the patch was released. By identifying affected software, we can proactively identify risk in the environment before a vulnerability tool reports the vulnerability. For this vulnerability, we will query WinRAR versions before 6.23. Then, we will select Connections and Devices from the menu. Finally, I segment by “Preferred OS Distribution” to better understand the affected devices. If you need to contact associated users for Server 2022 devices, left-click and go to Connections and Users. The Preview option provides user information.
Automating Alerts with Axonius Findings
Axonius Findings supports all query and entity types - assets and system events. The Rules manager allows customers to alert teammates, executives, other business units and collaborators, and more based on single query criteria thresholds, query comparison, or timeline comparisons. For the WinRAR example, we will use a single query criteria threshold to alert when a vulnerable software version or CVE ID is found. Coupled with the Enforcement Center, customers can also send alerts outbound from Axonius utilizing any of the options from the Notify Actions menu including email, Slack message, or S3 bucket.
Creating Reports and Dashboards
Finally, we can create an executive level dashboard which can be sent out periodically as a report. Trending charts track remediation efforts. Field segmentation charts let us understand the footprint of the vulnerability. Once a dashboard is built, creating a report is simple. Select the dashboard, enter a few details, and the data will be delivered on-demand.
For more documentation on using Axonius to find systems impacted by CVEs, visit docs.axonius.com