The National Security Agency’s open source reverse engineering tool, Ghidra, is impacted by a vulnerability, but security experts — including those at the NSA familiar with Ghidra — tell CyberScoop it would be pretty difficult to be attacked via the vulnerability if you know how to reverse engineer malware.
The vulnerability, CVE-2019-16941, would allow hackers to compromise exposed systems when Ghidra’s experimental mode is running, according to the bug announcement from the National Institute of Standards and Technology. In theory, this vulnerability would allow arbitrary code to be executed against a Ghidra user if a malicious XML document — a plain text file often used to store data — is introduced. But that introduction is unlikely to happen because running these kinds of files through Ghidra would be pretty unusual, researchers told CyberScoop.
“These files are not normally shared among users and not normally part of the distribution,” the NSA researchers said.
Although the posting on Ghidra’s GitHub page suggests remote code execution is a concern as a result of this vulnerability, NSA researchers said that the bug would not allow remote access unless one Ghidra user — who is using both Ghidra’s experimental mode and the Bit Patterns Explorer, a Ghidra plugin — accepts a maliciously modified file from yet another Ghidra user who is also using that plugin.
“I don’t think anybody [that’s a] reverse engineer is going to accept a random XML file from a stranger and load it into Ghidra,” Dragos Senior Adversary Hunter Jimmy Wylie told CyberScoop.
The NSA said it became aware of the bug after it was submitted to GitHub on Saturday. The agency is working on a remedy that it will issue along with a new version of Ghidra after its beta testing period is over. This fix will come along with several other features meant to boost accuracy and save time in reverse-engineering, according to the agency.
In the meantime, the NSA says there is an easy fix in the short-term for this bug.
“You can mitigate risk by not accepting XML files from sources that you don’t trust,” a spokesperson told CyberScoop.