CVE-2019-18408
📋 TL;DR
CVE-2019-18408 is a use-after-free vulnerability in libarchive's RAR archive parsing functionality. When processing specially crafted RAR archives, an attacker could potentially execute arbitrary code or cause a denial of service. This affects any application or system using vulnerable versions of libarchive to extract RAR files.
💻 Affected Systems
- libarchive
- applications using libarchive (e.g., file archivers, backup software, package managers)
📦 What is this software?
Libarchive by Libarchive
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the application using libarchive, potentially leading to full system compromise.
Likely Case
Application crash or denial of service when processing malicious RAR archives.
If Mitigated
Limited to denial of service if exploit attempts are blocked or fail.
🎯 Exploit Status
Exploitation requires the victim to process a malicious RAR file. The vulnerability is in the PPMd compression algorithm handling within RAR archives.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libarchive 3.4.0 and later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2020:0203
Restart Required: Yes
Instructions:
1. Update libarchive to version 3.4.0 or later using your system's package manager.
2. For Red Hat systems: 'yum update libarchive'.
3. For Debian/Ubuntu: 'apt update && apt install libarchive13'.
4. Restart any services or applications using libarchive.
🔧 Temporary Workarounds
Disable RAR support
Linux: Recompile libarchive or applications to disable RAR archive support if it is not needed.
Configure with --disable-rar during compilation
Block RAR file processing
All platforms: Use application-level controls to block or sandbox RAR file processing.
🧯 If You Can't Patch
- Implement strict input validation to reject or sandbox RAR files from untrusted sources.
- Use network segmentation and application firewalls to limit access to systems processing archive files.
🔍 How to Verify
Check if Vulnerable:
Check the libarchive version with 'libarchive --version', 'dpkg -l | grep libarchive', or 'rpm -q libarchive'.
Check Version:
libarchive --version
Verify Fix Applied:
Confirm the libarchive version is 3.4.0 or higher: libarchive --version | grep -E '3\.[4-9]|4\.'
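The version check above, as an added example that is not part of this advisory: a POSIX shell script that finds the installed libarchive version and compares it numerically against 3.4.0, so releases such as 3.10.x are handled correctly. It assumes 'bsdtar --version' (libarchive ships bsdtar, bsdcpio and bsdcat rather than a 'libarchive' binary), 'dpkg-query' and 'rpm' as version sources; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether the installed libarchive is at or
# above 3.4.0, the upstream release carrying the fix. Assumes bsdtar (libarchive's tar
# front end) prints "bsdtar X.Y.Z - libarchive X.Y.Z ..."; dpkg-query/rpm are fallbacks.
FIXED_VERSION="3.4.0"
# parse_version LINE: pull the "libarchive X.Y.Z" number out of a bsdtar --version line.
parse_version() {
    printf '%s\n' "$1" | sed -n 's/.*libarchive \([0-9][0-9.]*\).*/\1/p'
}
# normalize_version V: drop a Debian epoch ("1:") and any distro revision ("-2ubuntu1").
normalize_version() {
    printf '%s\n' "$1" | sed 's/^[0-9]*://; s/[-+~].*//'
}
# version_ge A B: succeed when A >= B, comparing dotted components numerically, so
# 3.10.0 sorts above 3.4.0 where a regex such as 3\.[4-9] would not.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0; y = (i <= nb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}
# installed_version: print the libarchive version found on this host, or nothing.
installed_version() {
    if command -v bsdtar >/dev/null 2>&1; then
        parse_version "$(bsdtar --version 2>/dev/null)"
    elif command -v dpkg-query >/dev/null 2>&1; then
        normalize_version "$(dpkg-query -W -f='${Version}' libarchive13 2>/dev/null)"
    elif rpm -q libarchive >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' libarchive | head -n 1
    fi
}
# check_cve_2019_18408: return 0 when the upstream fix is present, 1 when the version
# is below 3.4.0 (a distro backport may still have fixed it), 2 when undetermined.
check_cve_2019_18408() {
    v=$(installed_version)
    [ -z "$v" ] && { echo "libarchive version not found"; return 2; }
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "libarchive $v >= $FIXED_VERSION: upstream fix present"; return 0
    fi
    echo "libarchive $v < $FIXED_VERSION: vulnerable unless your distro backported the fix"
    return 1
}
[ "${1:-}" = "--run" ] && check_cve_2019_18408
```

Run it as 'sh check.sh --run'. Vendors such as Red Hat backport fixes without raising the upstream version, so a result of 1 should be confirmed against the package changelog (for example 'rpm -q --changelog libarchive | grep CVE-2019-18408') or the vendor advisory linked above rather than trusted outright.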
📡 Detection & Monitoring
Log Indicators:
- Application crashes or abnormal termination when processing RAR files
- Error messages related to archive_read_format_rar_read_data
Network Indicators:
- Unusual file transfers of RAR archives to vulnerable systems
SIEM Query:
source="application_logs" AND ("libarchive" OR "rar") AND ("crash" OR "segfault" OR "use-after-free")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00015.html
- https://access.redhat.com/errata/RHSA-2020:0203
- https://access.redhat.com/errata/RHSA-2020:0246
- https://access.redhat.com/errata/RHSA-2020:0271
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14689
- https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60
- https://github.com/libarchive/libarchive/compare/v3.3.3...v3.4.0
- https://lists.debian.org/debian-lts-announce/2019/10/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6LZ4VJGTCYEJSDLOEWUUFG6TM4SUPFSY/
- https://seclists.org/bugtraq/2019/Nov/2
- https://security.gentoo.org/glsa/202003-28
- https://support.f5.com/csp/article/K52144175?utm_source=f5support&%3Butm_medium=RSS
- https://usn.ubuntu.com/4169-1/
- https://www.debian.org/security/2019/dsa-4557