Multiple vulnerabilities in NSA Ghidra
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-13623 CVE-2019-16941 CVE-2019-17664 |
| CWE-ID | CWE-22 CWE-776 CWE-426 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
Ghidra Universal components / Libraries / Software for developers |
| Vendor | National Security Agency |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
Updated: 27.10.2019
Added vulnerability #3.
1) Path traversal
EUVDB-ID: #VU21435
Risk: Medium
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-13623
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the RestoreTask.java plugin (package from ghidra.app.plugin.core.archive). A remote attacker can create a specially crafted file with archived results, trick the victim into loading it and overwrite arbitrary files on the system with privileges on the current user.
Install update from vendor's website.
Vulnerable software versionsGhidra: 9.0.0 - 9.0.4
CPE2.3- cpe:2.3:a:nsa.gov:ghidra:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:nsa.gov:ghidra:9.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:nsa.gov:ghidra:9.0.2:*:*:*:*:*:*:*
https://blog.fxiao.me/ghidra/
https://packetstormsecurity.com/files/154015/Ghidra-Linux-9.0.4-Arbitrary-Code-Execution.html
https://github.com/NationalSecurityAgency/ghidra/issues/789
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) XML Entity Expansion
EUVDB-ID: #VU21434
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-16941
CWE-ID:
CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to improper input validation when parsing XML files in the Bit Patterns Explorer feature in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. A remote attacker can create a specially crafted XML document, trick the victim into opening it via the Read XML Files feature and execute arbitrary code on the system with privilege of the current user.
MitigationInstall update from vendor's website.
Vulnerable software versionsGhidra: 9.0.0 - 9.0.4
CPE2.3- cpe:2.3:a:nsa.gov:ghidra:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:nsa.gov:ghidra:9.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:nsa.gov:ghidra:9.0.2:*:*:*:*:*:*:*
https://github.com/NationalSecurityAgency/ghidra/blob/79d8f164f8bb8b15cfb60c5d4faeb8e1c25d15ca/Ghidra/Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java#L187-L188
https://github.com/NationalSecurityAgency/ghidra/issues/1090
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Untrusted search path
EUVDB-ID: #VU22307
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-17664
CWE-ID:
CWE-426 - Untrusted Search Path
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to Java process uses the current working directory for launching the Python interpreter via the "Ghidra Codebrowser > Window > Python" option. A local user who can place malicious files on the system and trick the victim to run Ghidrafrom the specific directory can execute the cmd.exe program from this working directory with privileges of the current user.
Install update from vendor's website.
Vulnerable software versionsGhidra: 9.0.0 - 10.1.5
CPE2.3- cpe:2.3:a:nsa.gov:ghidra:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:nsa.gov:ghidra:9.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:nsa.gov:ghidra:9.0.2:*:*:*:*:*:*:*
https://github.com/NationalSecurityAgency/ghidra/issues/107
https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-pr2h-5qhx-9544
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
