Detection of recent WinRAR vulnerability (CVE-2018-20250)

It looks like, even with the latest definitions installed, Norton Security is not detecting specially crafted archives used to exploit the recent WinRAR vulnerability (CVE-2018-20250).  I ran LiveUpdate, then downloaded and extracted the archive from CheckPoint's POC, and the exploit performed as expected, without so much as a peep from Norton.

Unfortunately, because WinRAR's response to this vulnerability was to drop support for the ACE format completely (see note 17), and I still have ACE format archives that I need to be able to access, upgrading to the new version of WinRAR is not an option for me.

I would like to be able to rely on Norton to mitigate this threat.  What are the plans to issue an update to allow Norton Security to detect it?

Thanks.

Replies


Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

The crux of the issue with WinRAR and ACE formats lies with a third-party library's source code. I submitted 1.rar to VirusTotal and have the following results. Almost NONE of the upper tier A/V vendors are detecting these 15 vulnerabilities found in the Norton SafeWeb full site report.

WinRAR used this third party library to unpack ACE archives. UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users.        

@Sunil_GA 

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Home / Professional x 64 version 1903 / build 18362.116 / N360 Deluxe 22.17.1.50 / Norton Core v.282 on Android 1.98

Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

Hello.

The following article will be of interest:

https://us.norton.com/online-threats/exp.cve-2018-20250-2019-030106-2440...


Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

Hoping an admin will chime into the thread with a definite answer about detection. It appears that the only viable solution is upgrading to the newer version of WinRAR to mitigate the vulnerability. I personally use 7-Zip; although it also has its own "landing zone" for possible code execution issues, it also doesn't support the ACE file format, due to the UNACEV2.DLL shared library not being updated. It was "abandoned" in 2006 as stated here. Most other software which can read and unpack ACE files is also restricted to the same shared DLL file, which it will use as a plugin or embed into its program, and is therefore vulnerable.

Cheers

Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

I updated my definitions today, and it looks like Norton now detects and blocks downloads of archives that match this signature through Browser Protection, but if the archive is already downloaded, and I attempt to extract it, there is no detection.  Since this vulnerability has technically been in the software for 14 years, it's important that already-downloaded archives also be protected by Norton.


Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

amloessb. Are your archives all OFF-SITE requiring download? IDS has added a signature to detect the vulnerability in the data stream (download) as you stated. The IDS update was a heuristic detection for files attempting to exploit the WinRAR Multiple Security Vulnerabilities (CVE-2018-20250).
The most important thing to keep in mind is that ANY malware using this attack vector is detectable anyway. IF the PoC file had contained an actual threat, it would have been detected.

The biggest question is: if Norton were to explicitly scan compressed archives locally for this vulnerability and find it in an archive that has no known threats, with the file having resided on the computer for years, what suggested actions should be taken by Norton to resolve it during the unpacking process? If the only remediation option possible were to deny access to the container/archive, would that be acceptable? Blocking access for no good reason is never a good solution.

Cheers

Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

I would expect, at the very least, that upon detecting that an archive is attempting to exploit this vulnerability during or before extraction, Norton would deny access and surface a notification.  This is already what Norton does when, e.g., an executable that it thinks is suspicious is run, so I think it's a reasonable expectation to have.


Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

Have you performed an Insight scan of any archives already downloaded? If so, what were those results?

Cheers

Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

I ran a scan explicitly against CheckPoint's PoC archive just now, and it returned no risks detected.

Scan Statistics:
  Scan Start:
   Local: 2019-03-22 23:44
   UTC: 2019-03-23 06:44
  Scan Time: 0 seconds
  Scan Targets: C:\Scripts\WinRAR ACE vuln\1.rar
  Counts:
   Total items scanned: 4
   - Files & Directories: 4
   - Registry Entries: 0
   - Processes & Startup Items: 0
   - Network & Browser Items: 0
   - Other: 0
   - Trusted Files: 0
   - Skipped Files: 0

   Total security risks detected: 0
   Total items resolved: 0
   Total items that require attention: 0

Resolved Threats:
No risks have been resolved

Unresolved Threats:
No unresolved risks

P.S.: I'd also like to point out that the PoC archive is now being detected by 14 products over on VirusTotal, including some of the bigger vendors, like Kaspersky and McAfee.


Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

Hello again. The issue IS being worked and this thread monitored by that team so, please, stand by for a possible update to the product for this mutual download and unpacking detection. There isn't a time frame I can give for a fix as is customary with Norton.

In the interim, and it's ONLY a thought I might note, has changing from ACE containers by disabling or removing your A/V solution, which should allow you to download your archives to a safe medium aka an external drive. Removing the system involved from internet connectivity and unpacking your archives. Scan the archives with your reactivated / installed Norton product for issues. Afterward use a different compression medium that is NOT vulnerable to the CVE and recompress the archives, as a way to work around the problem? I wouldn't want to do this but find it better than not being able to use the archives and their possible loss until a detection is in place.

Cheers

Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

For various reasons, my existing ACE archives have to remain intact where they are.  I'm not looking for a workaround, just waiting for Norton to detect it properly.

Thanks.


Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

As soon as something regarding a detection correction is in place, I'm hoping there would be an announcement in the product thread about it. Please watch this post and the product release updates thread for news.

Cheers

Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

Hello amloessb. Please run live update on your product, run the scan again and let us know what your results are.

Edited: I believe that removal MAY be the only option available.

Cheers

Accepted Solution

Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

Nice, looks like it detects it as a "Trojan Horse" immediately upon trying to access the archive, blocks said access, and quarantines the file.

Norton is detecting this threat correctly now, so I'll mark this thread as solved.  Thanks.


Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

Just an added note: the fix, aka "solution" for this detection, came from personal liaison with another group who created and released the detection solution. Thanks go out to them for following this issue. Much appreciated.

Cheers

Re: Detection of recent WinRAR vulnerability (CVE-2018-20250)

Update WinRAR Now to Protect Your PC From Attacks -- MARCH 29, 2019

https://www.howtogeek.com/409324/update-winrar-now-to-protect-your-pc-from-attacks/
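
Added example (not part of any post in this thread, and not Norton or WinRAR code): a small inventory script for a system that must keep ACE support, listing every copy of UNACEV2.DLL and every file whose content is an ACE archive, including ones whose extension says otherwise (the PoC scanned above is named 1.rar). It relies on the ACE signature `**ACE**` at byte offset 7; the sample files are constructed stubs, not real archives.

```python
import os
import tempfile

ACE_MAGIC = b"**ACE**"        # signature in the ACE main header
ACE_MAGIC_OFFSET = 7          # byte offset of that signature
LIBRARY_NAME = "unacev2.dll"  # the unpacking library named in the thread

def is_ace_archive(path):
    """True if the file content begins with an ACE main header, whatever its name."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(ACE_MAGIC_OFFSET + len(ACE_MAGIC))
    except OSError:
        return False  # unreadable or locked file: skip it, keep sweeping
    return head[ACE_MAGIC_OFFSET:] == ACE_MAGIC

def inventory(root):
    """Return (ace_files, library_copies); ace_files holds (path, extension_mismatch)."""
    ace_files, library_copies = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == LIBRARY_NAME:
                library_copies.append(path)
            elif is_ace_archive(path):
                ace_files.append((path, not name.lower().endswith(".ace")))
    return sorted(ace_files), sorted(library_copies)

def demo():
    """Build a constructed sample tree and run the inventory over it."""
    root = tempfile.mkdtemp()
    ace_stub = b"\x00" * ACE_MAGIC_OFFSET + ACE_MAGIC + b"\x00" * 16  # constructed stub
    samples = {
        "backup.ace": ace_stub,                         # ACE, honest extension
        "1.rar": ace_stub,                              # ACE content, .rar name
        "real.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,  # RAR signature, not ACE
        os.path.join("SomeTool", "UNACEV2.DLL"): b"MZ",  # hypothetical bundled copy
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root, inventory(root)

if __name__ == "__main__":
    _, (archives, dlls) = demo()
    for path, mismatch in archives:
        print("ACE archive%s: %s" % (" (extension mismatch)" if mismatch else "", path))
    for path in dlls:
        print("UNACEV2.DLL copy:", path)
```

To sweep a real machine, call `inventory()` on a drive or profile root instead of `demo()`.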
