Versions through 9.0.4 of the Ghidra software reverse engineering (SRE) framework are impacted by a code-execution vulnerability, the National Security Agency (NSA) has revealed.
Developed by the NSA’s Research Directorate for the agency’s cybersecurity missions, Ghidra is designed to help with malware analysis. The framework supports multiple platforms, including Windows, macOS, and Linux, and was released in open source earlier this year.
At the end of September, security researchers discovered a vulnerability in the tool that could allow an attacker to execute arbitrary code within the context of the affected application.
Tracked as CVE-2019-16941, the security flaw has a CVSS score of 9.8 and is considered “critical severity.”
The vulnerability only triggers when experimental mode is enabled. The issue exists in the Read XML Files feature of Bit Patterns Explorer and can be exploited using modified XML documents, according to an advisory in the National Vulnerability Database (NVD).
“This occurs in Features/BytePatterns/src/ main/java/ghidra/bitpatterns/info/ FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call),” the advisory reads.
The NSA, on the other hand, posted on Twitter that, given the conditions necessary for exploitation are rare, the vulnerability is not a serious issue, as long as the Ghidra user does not accept XMLs from unknown sources.
The agency also revealed that a patch has been released for all those who build Ghidra themselves from the master branch. The fix will be included in the Ghidra 9.1 release, which is currently in beta testing.