
Cloud Vulnerability DB
A community-led vulnerabilities database
RARLAB UnRAR before version 6.12 on Linux and UNIX systems contains a path traversal vulnerability (CVE-2022-30333) in its handling of symbolic links: a crafted archive can make UnRAR write files outside the target extraction directory during an unpack operation. The vulnerability was discovered by SonarSource in May 2022, fixed by RarLab the same month and publicly disclosed in June 2022. It notably affects Zimbra Collaboration Suite servers, where Amavis invokes UnRAR to extract RAR email attachments for virus scanning and spam checking, so the vulnerable code path is reachable by anyone who can send the server an email. WinRAR and Android RAR are not affected (SonarSource, NVD).
The root cause is an ordering bug in the symbolic-link validation. Before creating a link, UnRAR on Unix checks that the link target cannot climb above the extraction directory, but that check only recognises forward slashes as path separators. For link entries created on Windows (type FSREDIR_WINSYMLINK), UnRAR then converts the target's backslashes to forward slashes, after the check has already run. A target such as ..\..\..\tmp/shell therefore contains no ".." component as far as the validator is concerned, yet is written to disk as ../../../tmp/shell. An attacker crafts a RAR archive containing such a link followed by a file entry whose path passes through it, and that second entry is written wherever the link points. The vulnerability has a CVSS v3.1 base score of 7.5 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD, SonarSource).
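The ordering bug described above, modelled in Python as an added example for this page. This is not UnRAR's code (the real logic is C++ in RarLab's sources); the helper names, the simplified depth-counting validator and the sample link target are assumptions constructed to mirror the described behaviour. The last function shows the second stage, a later entry routed through the link, inside a scratch directory, and doubles as the containment check a hardened extractor should run before every write:

```python
"""Model of the CVE-2022-30333 check-ordering bug and a containment check.

Illustrative Python written for this page, not RarLab's code. The helper
names (is_relative_symlink_safe, dos_slash_to_unix, *_resolve) are
assumptions and the validator is a simplified model of the real check.
"""
import os
import tempfile


def is_relative_symlink_safe(link_name: str, target: str) -> bool:
    """Simplified model of the pre-6.12 Unix-side target check.

    Only '/' is treated as a separator, as on Unix builds. The link may
    climb at most as many levels as its own path has directories.
    """
    if target.startswith("/"):
        return False
    depth = link_name.count("/")      # directories between root and the link
    for comp in target.split("/"):
        if comp == "..":
            depth -= 1
            if depth < 0:             # would point above the extraction root
                return False
        elif comp not in ("", "."):
            depth += 1
    return True


def dos_slash_to_unix(path: str) -> str:
    """Backslash-to-slash conversion applied to Windows-style link targets."""
    return path.replace("\\", "/")


def vulnerable_resolve(link_name: str, target: str):
    """Pre-6.12 order: validate the raw target, then convert it."""
    if not is_relative_symlink_safe(link_name, target):
        return None
    return dos_slash_to_unix(target)


def fixed_resolve(link_name: str, target: str):
    """Fixed order: convert first so the check sees every '..' component."""
    target = dos_slash_to_unix(target)
    if not is_relative_symlink_safe(link_name, target):
        return None
    return target


def escapes_root(root: str, rel_path: str) -> bool:
    """Defensive check an extractor can run before every write: resolve the
    destination through any symlinks and require it to stay under root."""
    root = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root, rel_path))
    return os.path.commonpath([root, dest]) != root


def follow_write_escapes(link_target: str = "../../outside/x",
                         entry_name: str = "link/payload") -> bool:
    """Second stage of the attack in a scratch directory: create the link
    as the vulnerable path would, then compute where a later archive entry
    routed through it would land. Nothing is written outside the temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "extract", "root")
        os.makedirs(root)
        os.symlink(link_target, os.path.join(root, "link"))
        return escapes_root(root, entry_name)


if __name__ == "__main__":
    evil = r"..\..\..\tmp/shell"        # constructed sample link target
    print("vulnerable:", vulnerable_resolve("link", evil))   # ../../../tmp/shell
    print("fixed:     ", fixed_resolve("link", evil))        # None
    print("write via link leaves root:", follow_write_escapes())  # True
```

The realpath-based containment check is the generic defence for this bug class: it catches the escape regardless of which separator the archive used, because it asks the filesystem where the write will actually land rather than inspecting the string.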
Successful exploitation gives the attacker an arbitrary file write as the user running UnRAR, for example planting a ~/.ssh/authorized_keys file in that user's home directory. On a Zimbra server this means access to every email stored on the host, the ability to steal user credentials, and a foothold from which more sensitive internal services can be reached (SonarSource).
The official fix is included in UnRAR version 6.12, released by RarLab. Zimbra addressed the issue on its side by configuring Amavis to use 7zip instead of UnRAR for extracting RAR attachments. Organizations should upgrade to the patched version immediately. Running the web server and the mail server on separate physical machines is not a mitigation: the file write lands on whichever host runs UnRAR against attachments (SonarSource, RarLab).
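A quick check of whether the unrar binary on a host predates the fix, added here as an example and not a RarLab or Zimbra tool. It assumes the banner that Linux unrar prints when run without arguments starts with "UNRAR <major>.<minor>"; the sample banner is constructed:

```python
"""Check whether the unrar binary on this host predates the 6.12 fix.

Added example for this page, not a RarLab or Zimbra tool. It assumes the
banner that Linux unrar prints when run without arguments contains
'UNRAR <major>.<minor> ...'; anything else is reported as unparseable.
"""
import re
import shutil
import subprocess

FIXED_VERSION = (6, 12)                      # first release with the fix
_BANNER_RE = re.compile(r"\bUNRAR\s+(\d+)\.(\d+)")

# Constructed sample of the banner format this script expects.
SAMPLE_BANNER = (
    "\nUNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal\n"
    "\nUsage:     unrar <command> -<switch 1> -<switch N> <archive> ...\n"
)


def parse_unrar_version(banner: str):
    """Return (major, minor) from the banner text, or None if not found.
    RarLab minor versions are two digits (6.02, 6.11, 6.12, 6.20), so
    integer comparison orders them correctly."""
    m = _BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable_version(version) -> bool:
    """True for any version older than the fixed release."""
    return tuple(version) < FIXED_VERSION


def check_installed_unrar() -> str:
    """Run the unrar found in PATH and classify it as a short status string."""
    exe = shutil.which("unrar")
    if exe is None:
        return "unrar not found in PATH"
    proc = subprocess.run([exe], capture_output=True, text=True)
    version = parse_unrar_version(proc.stdout + proc.stderr)
    if version is None:
        return f"{exe}: could not parse version from banner"
    state = "VULNERABLE (CVE-2022-30333)" if is_vulnerable_version(version) else "fixed"
    return f"{exe}: UNRAR {version[0]}.{version[1]:02d} -> {state}"


if __name__ == "__main__":
    print(check_installed_unrar())
```

Treat a "VULNERABLE" result as a prompt to check the vendor advisory rather than proof: distributions sometimes backport a fix without changing the displayed version, and the GNU unrar-free command prints a different banner and is a different code base.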
Source: This report was generated using AI