New UnRAR Vulnerability Could Lead to Zimbra Webmail Hack


A new flaw has been discovered in RarLab's UnRAR utility that could be exploited to steal email from Zimbra mail servers.

The path traversal vulnerability, found in the Unix versions of UnRAR, has been assigned CVE-2022-30333 and a CVSS base score of 7.5.

For context, Zimbra is an enterprise email solution used by over 200,000 businesses, government and financial institutions.

Security researchers from Sonar were reportedly the first to discover the UnRAR bug and released an advisory about it on Tuesday.

“We discovered a 0-day vulnerability in the UnRAR utility, a 3rd party tool used in Zimbra,” reads the document.

The flaw allows an attacker to create files outside the target extraction directory when an application or a user extracts an untrusted archive.

“If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system,” wrote Sonar.
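As an added illustration, not UnRAR's or Zimbra's code and not the specific bypass from Sonar's advisory, the Python below shows the containment check an archive extractor has to enforce so that no member can land outside the extraction directory, including when an earlier member has planted a symlink inside it. The function names and the constructed member list are the example's own. Two points it makes concrete: separators are normalised before the path is checked (a check that runs before a later transformation never sees what the transformation produces), and the fully resolved on-disk destination is compared against the resolved extraction root, not just the member name.

```python
"""Added example (not UnRAR's or Zimbra's code): the containment check an
archive extractor must enforce so that no archive member can create a file
outside the chosen extraction directory.

All function names and the constructed member names below are the example's own.
"""
from __future__ import annotations

import os
import tempfile


class UnsafeMemberError(ValueError):
    """Raised for an archive member that would escape the extraction directory."""


def normalize_member_name(name: str) -> str:
    """Canonicalise a member name to a relative POSIX path, or raise.

    Separators are normalised *before* any check runs: a check performed on
    the raw name and followed by a separator conversion can be bypassed by
    components such as "..\\" that the check never saw.
    """
    name = name.replace("\\", "/")
    if name.startswith("/"):
        raise UnsafeMemberError(f"absolute path in member name: {name!r}")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafeMemberError(f"empty member name: {name!r}")
    # Reject any '..' outright rather than reasoning about 'a/../b'.
    if ".." in parts:
        raise UnsafeMemberError(f"parent-directory component in member name: {name!r}")
    return "/".join(parts)


def resolve_destination(extract_dir: str, name: str) -> str:
    """Return the real on-disk path a member will be written to, or raise.

    The name check alone is not enough: an earlier member (or anything else)
    may have planted a symlink inside the extraction directory that points
    outside it, so the fully resolved destination is checked against the
    resolved extraction root.
    """
    rel = normalize_member_name(name)
    root = os.path.realpath(extract_dir)
    candidate = os.path.join(root, *rel.split("/"))
    # realpath follows symlinks in every existing component, including a
    # symlink at the leaf, and keeps non-existent trailing components as-is.
    final = os.path.realpath(candidate)
    if os.path.commonpath([root, final]) != root:
        raise UnsafeMemberError(
            f"member {name!r} resolves to {final!r}, outside {root!r}")
    return final


def write_member(extract_dir: str, name: str, data: bytes) -> str:
    """Extract one regular-file member into extract_dir and return its path."""
    final = resolve_destination(extract_dir, name)
    os.makedirs(os.path.dirname(final), exist_ok=True)
    # O_NOFOLLOW narrows the window between the check above and the open():
    # if a symlink appears at the leaf in between, the open fails instead of
    # writing through it.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(final, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return final


def classify_members(extract_dir: str, names: list[str]) -> dict[str, str]:
    """Map each member name to 'ok' or the reason it was rejected."""
    result: dict[str, str] = {}
    for n in names:
        try:
            resolve_destination(extract_dir, n)
            result[n] = "ok"
        except UnsafeMemberError as exc:
            result[n] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    # Constructed demonstration: a clean member, two traversal attempts, and a
    # write that would go through a symlink planted inside the extraction dir.
    extract_dir = tempfile.mkdtemp(prefix="extract-")
    outside_dir = tempfile.mkdtemp(prefix="outside-")
    os.symlink(outside_dir, os.path.join(extract_dir, "planted"))
    members = [
        "docs/readme.txt",
        "../../escape.txt",
        "..\\..\\escape.txt",
        "planted/payload.sh",
    ]
    for name, verdict in classify_members(extract_dir, members).items():
        print(f"{name!r:24} -> {verdict}")
```

Run as a script it prints one verdict per constructed member; only `docs/readme.txt` is accepted. The realpath-based check is what catches the planted-symlink case, which a name-only check passes.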

According to the advisory, successful exploitation would give attackers access to all emails sent and received on a compromised email server.

“They can silently backdoor login functionalities and steal the credentials of an organization’s users. With this access, it is likely that they can escalate their access to even more sensitive, internal services of an organization.”

The only requirement for this attack is that UnRAR is installed on the server, which Sonar said is likely because Zimbra needs it to virus-scan and spam-check RAR archives.

Sonar reportedly warned RarLab about the flaw on May 4, and the company released a patch on May 6 in UnRAR version 6.12. Other versions of the software, including those for Windows and Android, are not affected.

The fix comes almost a year after Zimbra was mentioned in a joint US and UK government report identifying the company as a possible target of Russian spies.
