Critical YARA Vulnerability Exposes Linux Systems – Patch Now 

Summary: YARA is an open-source pattern matching engine widely used by malware researchers, SOC teams, and threat intelligence platforms to identify and classify malware using detection rules. It plays a critical role in malware analysis pipelines, endpoint detection systems, and threat hunting operations.

Kamil Frankowicz discovered that a number of YARA’s functions generated memory exceptions when processing specially crafted rules or files. A remote attacker could possibly use these issues to cause YARA to crash, resulting in a denial of service.

OEM: VirusTotal / YARA Project (Tool)
Severity: Critical
CVSS Score: 9.1
CVEs: CVE-2021-3402, CVE-2021-45429, CVE-2019-19648, CVE-2018-19974, CVE-2018-19975, CVE-2018-19976
POC Available: No
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0

Overview 

Ubuntu has released a security advisory addressing multiple vulnerabilities in YARA that could allow attackers to cause denial-of-service conditions, disclose sensitive information, or potentially execute arbitrary code when processing specially crafted files or rules.

These vulnerabilities affect Ubuntu 16.04 LTS, 18.04 LTS, and 20.04 LTS depending on the specific issue. Organizations using YARA in security monitoring systems, malware sandboxes, or automated threat detection workflows should apply the security updates immediately. 

Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score | Fixed Version
Mach-O Parser Overflow Read Vulnerability | CVE-2021-3402 | YARA | Critical | 9.1 | Updated Ubuntu packages
Mach-O File Parsing Out-of-Bounds Access | CVE-2019-19648 | YARA | High | 7.8 | Updated Ubuntu packages

Technical Summary 

The most critical vulnerability, CVE-2021-3402, exists in the macho.c implementation that YARA uses to parse Mach-O files.

The flaw allows specially crafted Mach-O files to trigger overflow reads, which could result in denial of service or potential information disclosure. Given its high CVSS score, this issue represents the most severe risk addressed in this advisory. 

Another high-severity vulnerability, CVE-2019-19648, affects the macho_parse_file() function. When parsing specially crafted Mach-O files, the function may trigger out-of-bounds memory access, potentially leading to application crashes or, in certain scenarios, execution of malicious code.

Because YARA is frequently integrated into malware analysis platforms and automated threat detection pipelines, successful exploitation could disrupt security monitoring operations or compromise malware analysis environments. 

CVE ID | System Affected | Vulnerability Details | Impact
CVE-2021-3402 | YARA (Ubuntu 20.04) | Overflow read vulnerability in Mach-O parsing implementation | DoS, potential information disclosure
CVE-2019-19648 | YARA (Ubuntu 20.04) | Out-of-bounds memory access during Mach-O file parsing | DoS or possible code execution

Additional Vulnerabilities 

The advisory also includes several medium-severity vulnerabilities affecting YARA components. 

CVE ID | Vulnerability Details | Impact
CVE-2021-45429 | Buffer overflow in yr_set_configuration() when parsing crafted rules | Denial of Service
CVE-2018-19976 | YARA virtual machine sandbox escape | Possible code execution
CVE-2018-19975 | VM sandbox escape vulnerability | Possible code execution
CVE-2018-19974 | Virtual machine security bypass | Possible code execution

Potential Consequences 

  • Disruption of malware detection pipelines 
  • Denial of service in security analysis environments 
  • Information disclosure through crafted files 
  • Potential arbitrary code execution in analysis systems 
  • Reduced visibility in SOC threat detection workflows 

Remediation 

Upgrade affected packages immediately to the patched versions provided by Ubuntu, listed below.

Released patches  

Ubuntu Release | Package | Fixed Version
Ubuntu 20.04 LTS | libyara3 | 3.9.0-1ubuntu0.1~esm1
Ubuntu 20.04 LTS | yara | 3.9.0-1ubuntu0.1~esm1
Ubuntu 18.04 LTS | libyara3 | 3.7.1-1ubuntu2+esm1
Ubuntu 18.04 LTS | yara | 3.7.1-1ubuntu2+esm1
Ubuntu 16.04 LTS | libyara3 | 3.4.0+dfsg-2ubuntu0.1~esm1
Ubuntu 16.04 LTS | python-yara | 3.4.0+dfsg-2ubuntu0.1~esm1
Ubuntu 16.04 LTS | python3-yara | 3.4.0+dfsg-2ubuntu0.1~esm1
Ubuntu 16.04 LTS | yara | 3.4.0+dfsg-2ubuntu0.1~esm1
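Checking a fleet of analysis hosts against the fixed-version table above is easier with a script than by eye, because Debian version ordering is not plain string comparison (a "~esm1" suffix sorts before the bare revision, while "+esm1" sorts after it). The following is an added example, not part of the advisory or of the YARA project; it reimplements dpkg's version comparison in Python and audits `dpkg-query` output. It assumes the fixed versions from the table (the page renders the ESM suffix with a space; the tilde form used here is the standard Ubuntu spelling), and the sample package listing is constructed for illustration.

```python
import subprocess
import sys

# Fixed versions from the advisory table, keyed by Ubuntu VERSION_ID (from /etc/os-release).
# The "~esm1" spelling is assumed where the page shows "esm1" separated by a space.
FIXED_VERSIONS = {
    "20.04": {"libyara3": "3.9.0-1ubuntu0.1~esm1", "yara": "3.9.0-1ubuntu0.1~esm1"},
    "18.04": {"libyara3": "3.7.1-1ubuntu2+esm1", "yara": "3.7.1-1ubuntu2+esm1"},
    "16.04": {pkg: "3.4.0+dfsg-2ubuntu0.1~esm1"
              for pkg in ("libyara3", "python-yara", "python3-yara", "yara")},
}

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output on a 20.04 host.
SAMPLE_DPKG_OUTPUT = """\
libssl1.1 1.1.1f-1ubuntu2
libyara3 3.9.0-1ubuntu0.1~esm1
yara 3.9.0-1
"""


def _order(c):
    # Character weight used by dpkg: '~' sorts before everything, even the end of the string.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs (compared by _order)
    # and digit runs (compared numerically, leading zeros ignored).
    def ch(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def audit_packages(dpkg_output, version_id):
    """Compare each installed YARA package with the fixed version for this release."""
    fixed = FIXED_VERSIONS[version_id]
    findings = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, installed = line.split(None, 1)
        if pkg in fixed:
            status = "fixed" if compare_versions(installed, fixed[pkg]) >= 0 else "VULNERABLE"
            findings.append((pkg, installed, fixed[pkg], status))
    return findings


if __name__ == "__main__":
    # Live mode: read the release id and the real package list from this host.
    release = dict(l.rstrip().split("=", 1) for l in open("/etc/os-release") if "=" in l)
    version_id = release["VERSION_ID"].strip('"')
    listing = subprocess.run(["dpkg-query", "-W", "-f", "${Package} ${Version}\\n"],
                             capture_output=True, text=True, check=True).stdout
    for pkg, installed, fixed, status in audit_packages(listing, version_id):
        print(f"{pkg:14} {installed:28} fixed>={fixed:28} {status}")
    sys.exit(0)
```

On the constructed sample the script reports libyara3 as fixed and yara (still at 3.9.0-1) as vulnerable, which is the case a string comparison would get wrong.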

If immediate patching is not possible, apply the following temporary mitigations:

  1. Restrict scanning of untrusted files in automated YARA pipelines.
  2. Limit rule ingestion from untrusted sources.
  3. Monitor malware analysis systems for abnormal crashes.
  4. Limit exposure of YARA-based detection pipelines to untrusted Mach-O or .NET file inputs.
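Mitigation step 3 (and the last best-practice bullet below) asks for crash monitoring, since a crafted Mach-O sample hitting these bugs shows up on Linux as a yara process killed by SIGSEGV, usually with a kernel "segfault ... in libyara.so" line. The following is an added example, not from the advisory or the YARA project, that extracts such events from syslog/journal text and decodes the kernel page-fault error code; the log lines are constructed for illustration and the process, unit and library names in them are assumptions.

```python
import re
from collections import Counter

# Constructed syslog/journal excerpt (no real incident); hostnames, PIDs and addresses are made up.
SAMPLE_LOG = """\
Jan 14 10:21:03 sandbox01 kernel: [ 1234.567890] yara[23456]: segfault at 7f3a2c001000 ip 00007f3a2b9d4e21 sp 00007ffd1c2a3f40 error 4 in libyara.so.3.9.0[7f3a2b9a0000+6a000]
Jan 14 10:21:05 sandbox01 systemd[1]: yara-scan@sample42.service: Main process exited, code=killed, status=11/SEGV
Jan 14 10:22:10 sandbox01 sshd[1002]: Accepted publickey for analyst from 10.0.0.5 port 51234 ssh2
Jan 14 10:23:00 sandbox01 kernel: [ 1300.000000] traps: yara[23470] general protection fault ip:7f3a2b9d4e21 sp:7ffd1c2a3f40 error:0 in libyara.so.3.9.0[7f3a2b9a0000+6a000]
Jan 14 10:24:11 sandbox01 kernel: [ 1400.000000] python3[23490]: segfault at 0 ip 00007f11aa0d2e21 sp 00007ffc9b2a3f40 error 4 in libyara.so.3.9.0[7f11aa0a0000+6a000]
"""

# Kernel "segfault at" report written by the x86/arm page-fault handler.
SEGFAULT_RE = re.compile(
    r"(?P<proc>[\w.@-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp [0-9a-f]+ error (?P<err>\d+) in (?P<obj>[^\[\s]+)")
# Kernel "traps:" report for a general protection fault.
GPF_RE = re.compile(
    r"traps: (?P<proc>[\w.@-]+)\[(?P<pid>\d+)\] general protection fault .*? in (?P<obj>[^\[\s]+)")
# systemd noting that a service's main process died from a signal.
SYSTEMD_KILLED_RE = re.compile(
    r"(?P<unit>[\w.@-]+\.service): Main process exited, code=killed, status=(?P<signum>\d+)/(?P<signame>\w+)")


def describe_fault(err):
    """Decode the page-fault error bits (bit0 protection, bit1 write, bit2 user mode)."""
    err = int(err)
    mode = "user" if err & 4 else "kernel"
    access = "write" if err & 2 else "read"
    cause = "protection violation" if err & 1 else "unmapped page"
    return f"{mode}-mode {access}, {cause}"


def _yara_related(proc="", obj="", unit=""):
    # A crash counts if the process or unit is yara, or the faulting code lives in libyara
    # (covers python-yara embedding libyara in a python process).
    return proc.startswith("yara") or unit.startswith("yara") or "libyara" in obj


def find_yara_crashes(log_text):
    """Return one event dict per YARA-related crash found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m and _yara_related(m["proc"], m["obj"]):
            events.append({"kind": "segfault", "proc": m["proc"], "pid": int(m["pid"]),
                           "object": m["obj"], "detail": describe_fault(m["err"])})
            continue
        m = GPF_RE.search(line)
        if m and _yara_related(m["proc"], m["obj"]):
            events.append({"kind": "gpf", "proc": m["proc"], "pid": int(m["pid"]),
                           "object": m["obj"], "detail": "general protection fault"})
            continue
        m = SYSTEMD_KILLED_RE.search(line)
        if m and _yara_related(unit=m["unit"]):
            events.append({"kind": "killed", "proc": m["unit"], "pid": None,
                           "object": "", "detail": f"signal {m['signum']}/{m['signame']}"})
    return events


def crash_summary(events):
    """Count crashes per faulting object, so a spike in libyara faults stands out."""
    return Counter(e["object"] or e["proc"] for e in events)


def should_alert(events, threshold=2):
    """Raise an alert once the number of YARA crashes reaches the threshold."""
    return len(events) >= threshold


if __name__ == "__main__":
    found = find_yara_crashes(SAMPLE_LOG)
    for e in found:
        print(f"{e['kind']:9} {e['proc']:28} pid={e['pid']} {e['object']} ({e['detail']})")
    print("alert" if should_alert(found) else "quiet", dict(crash_summary(found)))
```

In production, feed it `journalctl -k -o short` (kernel messages) together with `journalctl -u 'yara-*'` output, and tune the threshold to the scan volume of the host; a single user-mode read fault in libyara while processing a Mach-O sample is exactly the symptom CVE-2021-3402 and CVE-2019-19648 produce.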

The following best practices are also recommended:

  • Regularly update malware detection tools. 
  • Validate YARA rules before deployment. 
  • Validate and sandbox file inputs before passing them to YARA for analysis. 
  • Implement least-privilege execution environments for YARA scanning processes. 
  • Monitor logs for abnormal process crashes or memory-related errors in YARA. 
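The sandboxing and least-privilege bullets above are about containing the damage when a crafted sample or rule does trigger one of these bugs: the scan should run with bounded memory and CPU, no core dumps, an unprivileged identity, and a wall-clock timeout, and a crash should be reported as a crash rather than silently dropped. The following is an added example of such a wrapper, not code from the advisory or the YARA project. It assumes the `yara` and `yarac` binaries are on the PATH, that `yarac RULES OUTPUT` is used as a rule validation step before any sample is touched, and that `SCAN_USER` names a dedicated unprivileged account when the wrapper is started as root; the limit values are assumptions to tune per deployment.

```python
import os
import pwd
import resource
import signal
import subprocess
import sys
import tempfile

# Assumed per-scan limits; tune for your rule set and sample sizes.
MEMORY_LIMIT_BYTES = 512 * 1024 * 1024   # address-space cap for the scanner process
CPU_SECONDS = 30                          # CPU-time cap
WALL_SECONDS = 60                         # wall-clock cap enforced by the parent
SCAN_USER = None  # assumed dedicated account, e.g. "yarascan"; only used when running as root


def _confine_child():
    """Runs in the child between fork() and exec(): cap resources and drop privileges."""
    resource.setrlimit(resource.RLIMIT_AS, (MEMORY_LIMIT_BYTES, MEMORY_LIMIT_BYTES))
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # never write sample memory to a core file
    if SCAN_USER and os.geteuid() == 0:
        pw = pwd.getpwnam(SCAN_USER)
        os.setgroups([])
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)


def run_confined(cmd, timeout=WALL_SECONDS):
    """Run cmd under the limits above and classify how it ended."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout, preexec_fn=_confine_child)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "output": ""}
    if proc.returncode < 0:
        # Killed by a signal: the crash symptom the Mach-O parser bugs produce.
        return {"status": "crashed", "signal": signal.Signals(-proc.returncode).name,
                "output": proc.stderr}
    if proc.returncode == 0:
        return {"status": "ok", "output": proc.stdout}
    return {"status": "error", "exit": proc.returncode, "output": proc.stderr}


def scan_file(rules_path, sample_path, yara_bin="yara", yarac_bin="yarac"):
    """Compile the rules on their own first, then scan the sample; both steps confined."""
    compiled = tempfile.NamedTemporaryFile(suffix=".yarc", delete=False)
    compiled.close()
    try:
        check = run_confined([yarac_bin, rules_path, compiled.name])
        if check["status"] != "ok":
            return {"stage": "rule-compile", **check}
        result = run_confined([yara_bin, rules_path, sample_path])
        return {"stage": "scan", **result}
    finally:
        os.unlink(compiled.name)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} RULES_FILE SAMPLE_FILE")
    outcome = scan_file(sys.argv[1], sys.argv[2])
    print(outcome["stage"], outcome["status"], outcome.get("signal", ""), outcome.get("exit", ""))
    print(outcome["output"], end="")
```

A "crashed" result with SIGSEGV from the scan stage is the signal to quarantine the sample and raise an alert, while a failure in the rule-compile stage points at an untrusted rule source; "ok" means the scan completed and any matches are in the captured output, since yara itself exits 0 whether or not a rule matched.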

Conclusion: 
Multiple vulnerabilities in YARA could allow attackers to disrupt malware detection processes or compromise analysis environments. The critical vulnerability CVE-2021-3402 and high-severity vulnerability CVE-2019-19648 pose the greatest risk and should be prioritized for remediation. 

Organizations using YARA in SOC operations, malware analysis pipelines, or threat intelligence systems should apply the latest Ubuntu security updates immediately to maintain reliable threat detection capabilities. 
