New UnRAR vulnerability could lead to Zimbra webmail hack

A new flaw has been discovered in RARlab’s UnRAR utility that could be exploited to steal emails from individual Zimbra email user accounts.

The path traversal vulnerability, found in Unix versions of UnRAR, has been assigned CVE-2022-30333 and a base score of 7.5 in the Common Vulnerability Scoring System (CVSS).

For context, Zimbra is an enterprise email solution used by over 200,000 businesses, governments, and financial institutions.

Sonar security researchers were reportedly the first to discover the UnRAR bug and issued an advisory about it on Tuesday.

“We have discovered a 0-day vulnerability in the UnRAR utility, a third-party tool used in Zimbra,” the document reads.

The flaw would allow an attacker to create files outside of the target extraction directory when a victim application or user extracts an untrusted archive.

“If they can write to a known location, they will likely be able to exploit it in a way that leads to the execution of arbitrary commands on the system,” Sonar wrote.

According to the advisory, a successful exploit would allow attackers to access all emails sent and received on a compromised email server.

“They can silently access backdoor login features and steal user credentials from an organization. With this access, they are likely to be able to escalate their access to even more sensitive internal services of an organization.”

The only requirement for this attack is that UnRAR has been installed on the server, which Sonar says is likely as it is needed for RAR archive virus scanning and spam checking.

Sonar reportedly notified RARlab of the flaw on May 04, and the company released a patch on May 06 as part of version 6.12. Other versions of the software, including those for Windows and Android operating systems, are not affected by the vulnerability.
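As a defence-in-depth check for the extraction flaw described above, the following added example (not code from Sonar, RARlab or Zimbra) audits a directory after an untrusted archive has been unpacked and reports every entry that resolves outside it. It assumes the application extracts into a dedicated staging directory first; the function names and the sample directory layout are hypothetical and constructed for illustration.

```python
import os
import tempfile


def find_escaping_entries(extract_dir):
    """Return relative paths of entries under extract_dir whose resolved
    location lies outside extract_dir (for example a symbolic link that
    points elsewhere on the filesystem)."""
    root = os.path.realpath(extract_dir)
    escaping = []
    # followlinks=False: list links but never descend through them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            resolved = os.path.realpath(path)
            # An entry is contained only if root is a path prefix of
            # its fully resolved location.
            if os.path.commonpath([root, resolved]) != root:
                escaping.append(os.path.relpath(path, root))
    return sorted(escaping)


def build_constructed_sample():
    """Constructed sample: a staging directory with one regular file,
    one link that stays inside the tree and one link that leaves it."""
    staging = tempfile.mkdtemp(prefix="staging-")
    docs = os.path.join(staging, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "readme.txt"), "w") as fh:
        fh.write("benign\n")
    os.symlink("readme.txt", os.path.join(docs, "alias.txt"))
    os.symlink(os.path.join("..", "..", "outside"),
               os.path.join(docs, "escape"))
    return staging


if __name__ == "__main__":
    sample = build_constructed_sample()
    for entry in find_escaping_entries(sample):
        print("entry resolves outside staging directory:", entry)
```

A non-empty result is a reason to discard the whole staging directory rather than process its contents; the audit complements, and does not replace, upgrading UnRAR to the patched version 6.12.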

The fix comes nearly a year after Zimbra was mentioned in a joint US and UK government report identifying the company as a possible target for Russian spies.