Critical YARA Vulnerability Exposes Linux Systems – Patch Now
Summary : YARA is an open-source pattern matching engine widely used by malware researchers, SOC teams, and threat intelligence platforms to identify and classify malware using detection rules. It plays a critical role in malware analysis pipelines, endpoint detection systems, and threat hunting operations.
Kamil Frankowicz discovered that a number of YARA’s functions generated memory exceptions when processing specially crafted rules or files. A remote attacker could possibly use these issues to cause YARA to crash, resulting in a denial of service.
| OEM | Virus Total / YARA Project (Tool) |
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2021-3402, CVE-2021-45429, CVE-2019-19648, CVE-2018-19974, 2018-19975, 2018-19976 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Ubuntu has released a security advisory addressing multiple vulnerabilities in YARA that could allow attackers to cause denial-of-service conditions, disclose sensitive information, or potentially execute arbitrary code when processing specially crafted files or rules.
These vulnerabilities affect Ubuntu 16.04 LTS, 18.04 LTS, and 20.04 LTS depending on the specific issue. Organizations using YARA in security monitoring systems, malware sandboxes, or automated threat detection workflows should apply the security updates immediately.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score | Fixed Version |
| Mach-O Parser Overflow Read Vulnerability | CVE-2021-3402 | YARA | Critical | 9.1 | Updated Ubuntu packages |
| Mach-O File Parsing Out-of-Bounds Access | CVE-2019-19648 | YARA | High | 7.8 | Updated Ubuntu packages |
Technical Summary
The most critical vulnerability CVE-2021-3402 exists in the macho.c implementation used by YARA to parse Mach-O files.
The flaw allows specially crafted Mach-O files to trigger overflow reads, which could result in denial of service or potential information disclosure. Given its high CVSS score, this issue represents the most severe risk addressed in this advisory.
Another high-severity vulnerability CVE-2019-19648 affects the macho_parse_file() function. When parsing specially crafted Mach-O files, the function may trigger out-of-bounds memory access, potentially leading to application crashes or execution of malicious code in certain scenarios.
Because YARA is frequently integrated into malware analysis platforms and automated threat detection pipelines, successful exploitation could disrupt security monitoring operations or compromise malware analysis environments.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2021-3402 | YARA (Ubuntu 20.04) | Overflow read vulnerability in Mach-O parsing implementation | DoS, potential information disclosure |
| CVE-2019-19648 | YARA (Ubuntu 20.04) | Out-of-bound memory access during Mach-O file parsing | DoS or possible code execution |
Additional Vulnerabilities
The advisory also includes several medium-severity vulnerabilities affecting YARA components.
| CVE ID | Vulnerability Details | Impact |
| CVE-2021-45429 | Buffer overflow in yr_set_configuration() when parsing crafted rules | Denial of Service |
| CVE-2018-19976 | YARA virtual machine sandbox escape | Possible code execution |
| CVE-2018-19975 | VM sandbox escape vulnerability | Possible code execution |
| CVE-2018-19974 | Virtual machine security bypass | Possible code execution |
Potential Consequences
- Disruption of malware detection pipelines
- Denial of service in security analysis environments
- Information disclosure through crafted files
- Potential arbitrary code execution in analysis systems
- Reduced visibility in SOC threat detection workflows
Remediation
Upgrade affected packages immediately to the patched versions provided by Ubuntu are mentioning below-
Released patches
| Ubuntu Release | Package | Fixed Version |
| Ubuntu 20.04 LTS | libyara3 | 3.9.0-1ubuntu0.1 esm1 |
| yara | 3.9.0-1ubuntu0.1 esm1 | |
| Ubuntu 18.04 LTS | libyara3 | 3.7.1-1ubuntu2+esm1 |
| yara | 3.7.1-1ubuntu2+esm1 | |
| Ubuntu 16.04 LTS | libyara3 | 3.4.0+dfsg-2ubuntu0.1 esm1 |
| python-yara | 3.4.0+dfsg-2ubuntu0.1 esm1 | |
| python3-yara | 3.4.0+dfsg-2ubuntu0.1 esm1 | |
| yara | 3.4.0+dfsg-2ubuntu0.1 esm1 |
If immediate patching is not possible, apply the following temporary mitigations –
- Restrict scanning of untrusted files in automated YARA pipelines.
- Limit rule ingestion from untrusted sources.
- Monitor malware analysis systems for abnormal crashes.
- Limit exposure of YARA-based detection pipelines to untrusted Mach-O or .NET file inputs.
You can follow the recommendations below as the best practice.
- Regularly update malware detection tools.
- Validate YARA rules before deployment.
- Validate and sandbox file inputs before passing them to YARA for analysis.
- Implement least-privilege execution environments for YARA scanning processes.
- Monitor logs for abnormal process crashes or memory-related errors in YARA.
Conclusion:
Multiple vulnerabilities in YARA could allow attackers to disrupt malware detection processes or compromise analysis environments. The critical vulnerability CVE-2021-3402 and high-severity vulnerability CVE-2019-19648 pose the greatest risk and should be prioritized for remediation.
Organizations using YARA in SOC operations, malware analysis pipelines, or threat intelligence systems should apply the latest Ubuntu security updates immediately to maintain reliable threat detection capabilities.
References:
Recent Comments