Sid 1-49292

Message

FILE-OTHER WinRAR ACE remote code execution attempt

Summary

This event is generated when an ACE archive that exploits the vulnerability outlined in CVE-2018-20250 is detected.

Impact

Remote Code Execution

CVE-2018-20250:

CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2018-20250: By crafting the filename field of the ACE format, the destination folder (extraction folder) is ignored, and the relative path in the filename field becomes an absolute path. This logical bug allows the extraction of a file to an arbitrary location, which is effectively code execution.
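The mitigating check that the bug above lacks is an extraction-path validation: every entry name taken from an archive header must be confined to the chosen destination folder before any file is written. The following is an added example, not code from the Talos rule documentation or from WinRAR. It assumes the entry names have already been decoded from the archive header (ACE header parsing is not shown), that the destination folder is given as an absolute Windows-style path, and it treats both slash and backslash as separators; the function and class names are my own.

```python
"""
Added example: reject archive entry names that would escape the
destination folder (absolute paths, drive-qualified names, rooted names,
or ".." traversal), which is the class of filename-field abuse described
for CVE-2018-20250. Not WinRAR's code; constructed for illustration.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ExtractionDecision:
    entry_name: str
    resolved: Optional[str]   # absolute target path, or None if rejected
    reason: str               # "ok" or why the entry was rejected


def _is_absolute_or_drive_qualified(name: str) -> bool:
    # Rooted names ("\x", "/x"), UNC paths ("\\server\share") and anything
    # carrying a drive letter ("C:\x", "C:x") must never be honoured: the
    # extractor, not the archive, decides where files land.
    if name.startswith(("\\", "/")):
        return True
    drive, _ = ntpath.splitdrive(name)
    return bool(drive)


def resolve_entry(dest_dir: str, entry_name: str) -> ExtractionDecision:
    """Decide whether `entry_name` may be written under `dest_dir`.

    `dest_dir` must be an absolute Windows-style path (assumption of this
    example). Returns the normalized target path or a rejection reason.
    """
    if not ntpath.isabs(dest_dir):
        raise ValueError("dest_dir must be absolute")
    if not entry_name or "\x00" in entry_name:
        return ExtractionDecision(entry_name, None, "empty or NUL in name")
    if _is_absolute_or_drive_qualified(entry_name):
        return ExtractionDecision(entry_name, None,
                                  "absolute or drive-qualified name")

    # Normalize separators, drop empty and "." components, then walk the
    # components tracking depth so that ".." can never climb above dest_dir.
    parts = [p for p in entry_name.replace("/", "\\").split("\\")
             if p not in ("", ".")]
    depth = 0
    for part in parts:
        if part == "..":
            depth -= 1
            if depth < 0:
                return ExtractionDecision(entry_name, None,
                                          "parent traversal escapes destination")
        else:
            depth += 1

    base = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(base, *parts))

    # Belt-and-braces: the normalized target must still sit under base.
    prefix = base.lower().rstrip("\\") + "\\"
    if target != base and not target.lower().startswith(prefix):
        return ExtractionDecision(entry_name, None,
                                  "normalized path outside destination")
    return ExtractionDecision(entry_name, target, "ok")


def screen_entries(dest_dir: str, names: List[str]) -> List[ExtractionDecision]:
    """Apply resolve_entry to every entry name of an archive."""
    return [resolve_entry(dest_dir, n) for n in names]


if __name__ == "__main__":
    # Constructed sample entry names, one benign and three that attempt to
    # override or escape the extraction folder.
    sample = ["docs\\readme.txt",
              "C:\\Users\\victim\\evil.exe",
              "..\\..\\escape.exe",
              "a\\..\\b.txt"]
    for d in screen_entries("C:\\extract", sample):
        print(f"{d.entry_name!r:32} -> {d.reason} {d.resolved or ''}")
```

The depth walk is what makes the check robust against mixed separators and interleaved "dir\\..\\" sequences; the final prefix comparison is kept as an independent second line of defence so that a mistake in the component logic still cannot yield a target outside the destination.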

Affected systems

  • rarlab winrar 5.61

Ease of attack

CVE-2018-20250:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • attack.mitre.org/techniques/T1060