New Bug Found in NSA’s Ghidra Tool


Flaw in National Security Agency’s Ghidra reverse-engineering tools allows hackers to execute code in vulnerable systems.

A medium severity bug reported on Saturday impacts Ghidra, a free, open-source software reverse-engineering tool released by the National Security Agency earlier this year. The vulnerability allows a remote attacker to compromise exposed systems, according to a NIST National Vulnerability Database description. No fix is currently available.

Despite the warning, researchers are downplaying the impact of the bug. They maintain that the conditions needed to exploit the flaw, tracked as CVE-2019-16941, are rare. They also note that the NSA’s GitHub repository for Ghidra indicates a patch is currently in the works.

Nevertheless, the flaw exists within NSA Ghidra versions through 9.0.4. According to the description of the bug, the flaw manifests itself “when [Ghidra] experimental mode is enabled.” This “allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document,” it reads.

Stated more simply, exploiting the bug would require a user to load a maliciously crafted XML file through the plugin, outside of the normal project loading process.

Researchers add that, since the feature is experimental to begin with, it is already an area where bugs and vulnerabilities are to be expected. They also contend that, despite descriptions of how the bug can be exploited, it cannot be triggered remotely.

Ghidra is a disassembler written in Java: software that breaks down executable files into assembly code that can then be analyzed. By deconstructing malicious code and malware, cybersecurity professionals can gain a better understanding of potential vulnerabilities in their networks and systems. The NSA used it internally for years before recently deciding to open-source it.

This isn’t the first time researchers have found Ghidra bugs. In March, a proof-of-concept was released showing how an XML external entity (XXE) vulnerability (rated serious) could be exploited to attack Ghidra project users (version 9.0 and below). In July, researchers found an additional path-retrieval bug (CVE-2019-13623) that was rated high severity. That bug, similar to CVE-2019-1694, also impacts the ghidra.app.plugin.core.archive component and allows an attacker to achieve arbitrary code execution on vulnerable systems.

Researchers said they are unaware that this most recent bug (CVE-2019-16941) has been exploited in the wild.
