CVE-2022-30333 Detection: New Security Hole in the UnRAR Utility

The US Critical Infrastructure Security Agency (CISA) expands its catalog of Known Exploited Vulnerabilities by documenting several new actively exploited directory traversal flaws. The bugs in question are an RCE flaw tagged CVE-2022-34713 and a path traversal vulnerability filed under CVE-2022-30333. Microsoft has acknowledged that a CVE-2022-34713 vulnerability is a variant of the Follina-like DogWalk path traversal security hole in the Microsoft Windows Support Diagnostic Tool revealed earlier this summer.

Another flaw tracked as CVE-2022-30333 resides in Linux and Unix versions of the UnRAR utility. Adversaries trigger the vulnerability by luring victims into opening a weaponized RAR archive.

Both high-severity flaws are exploited in the wild.

Detect CVE-2022-30333

To minimize the possible breach impact on your organization, utilize the following Sigma rule released by a team of keen Threat Hunting Engineers from SOC Prime:

Suspicious JSP File Upload After AV Service Configuration On Zimbra Email Server (via file_event)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, Microsoft Defender for Endpoint, CrowdStrike, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, RSA NetWitness, Snowflake, Apache Kafka ksqlDB, Securonix, AWS OpenSearch.

The Sigma rule above is aligned with the MITRE ATT&CK® framework v.10, addressing the Persistence tactic and Server Software Component (T1505) technique.

Non-registered users can browse through the collection of Sigma rules available via Search Engine – a one-stop shop for threat intelligence and SOC content. Press the Explore Threat Context button to take your detection routine to the next level.

SOC professionals are welcome to register to the SOC Prime Platform and get a free Community subscription plan. Hit the Detect & Hunt to access an exhaustive collection of detection algorithms aligned with 26+ SIEM, EDR, and XDR solutions.

Detect & Hunt Explore Threat Context

CVE-2022-30333 Description

The CVE-2022-30333 issue analysis first appeared in the research shared by SonarSource in June 2022. Based on the observed attacks, adversaries leverage this File Write vulnerability for RCE attacks to compromise a Zimbra email server, with more than 62,000 Internet-facing hosts. The flaw enables a threat actor to write to files during an extract operation. Given an exploitation attempt was successful, a threat actor receives access to all the emails stored on a compromised email server. This level of access with high probability results in further exploits and access to more sensitive data.

The RarLab have released an official patch to address the security flaw. The fix is included with the binaries of the 6.12 version (open source version 6.1.7), available for download from the official vendor’s website. According to the vendor, all WinRAR versions remain unaffected by this flaw.

Register on the SOC Prime’s platform to access the vast pool of verified detection algorithms with translations to more than 26 vendor-specific SIEM, EDR, and XDR formats. Accurate and timely detection is key to organizing efficient SOC 24/7/365 while your engineers can take up more advanced tasks.