Vulnerabilities in YARA could let attackers compromise a network instead of protecting it

Penetration testing specialists have reported two serious vulnerabilities in YARA, the pattern-matching tool widely used in malware research and detection. According to the report, successful exploitation of these flaws could lead to remote code execution on the system running the scan.

Below is a brief description of the reported flaws, together with their scores under the Common Vulnerability Scoring System (CVSS). Note that, at the time of writing, neither flaw has been assigned a CVE identifier.

The first vulnerability is a use-after-free in YARA's PE module, the module that parses Windows executables during a scan. Because the bug is triggered while parsing a scanned file, a threat actor does not need access to the host running YARA: it is enough to get a crafted PE file scanned, for example by submitting it to an automated malware-analysis pipeline or any other service that runs YARA rules over untrusted input.

Successful exploitation would lead to complete compromise of the affected system, according to the penetration testing specialists.

The flaw affects YARA versions 4.0.0 and 4.0.1 and received a CVSS score of 8.5/10, which the researchers classify as critical (strictly, 8.5 falls in the High band of the CVSS v3 scale; Critical begins at 9.0). Although the flaw can be exploited by unauthenticated remote attackers, no in-the-wild exploitation and no malware abusing it have been observed.

The second vulnerability is an integer overflow that, according to the report, leads to arbitrary code execution on the target system and can expose up to 2 GB of file data. Successful exploitation can likewise result in complete compromise of the vulnerable system.

This vulnerability also received a score of 8.5/10, and the penetration testing specialists again describe it as critical. It affects the same YARA versions, 4.0.0 and 4.0.1, and although it could also be exploited remotely by unauthenticated attackers, no real-world exploitation has been reported and researchers have not detected any malware variants associated with it.

YARA's developers acknowledged the flaws and began working on fixes immediately after receiving the report. Patched releases are already available, so operators of affected deployments should upgrade and then verify that the YARA actually in use is no longer 4.0.0 or 4.0.1. Remember that libyara is frequently embedded in other software (for example the yara-python bindings, or scanners that link against it statically), so each copy has to be checked and updated separately, not just the command-line binary. No workaround is known, so applying the patches is the only recommended remediation.
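The following script is an added example for this article (it is not code from the researchers or from the YARA project). It collects the version of every YARA copy it can find on a host, the `yara` CLI and the `yara-python` binding, and flags any that match the affected releases named above. It assumes `yara --version` prints a dotted version such as `4.0.1`, and that the binding exposes the bundled libyara version as `yara.YARA_VERSION` (both looked up defensively, so absence just yields "not found"). Any release newer than 4.0.1 is treated as patched, since the advisory names only 4.0.0 and 4.0.1 as affected; releases older than 4.0.0 are reported as "unlisted" rather than safe.

```python
import re
import subprocess

# Releases named as affected in the advisory summarised above.
AFFECTED_VERSIONS = {(4, 0, 0), (4, 0, 1)}
FIRST_AFFECTED = (4, 0, 0)


def parse_version(text):
    """Extract the first dotted version from a string such as 'yara 4.0.1',
    'v4.0.1-3' or '4.0'. Returns a (major, minor, patch) tuple of ints,
    padding a missing patch number with 0, or None if nothing matches."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text):
    """True when the version string matches one of the vulnerable releases."""
    return parse_version(version_text) in AFFECTED_VERSIONS


def assess(version_text):
    """Classify a version string relative to the advisory."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # could not parse a version at all
    if v in AFFECTED_VERSIONS:
        return "vulnerable"
    if v < FIRST_AFFECTED:
        return "unlisted"       # predates the affected branch; not covered by this advisory
    return "patched"            # newer than 4.0.1


def installed_yara_versions():
    """Return {component: version string} for each YARA copy found on this host.
    Missing components are simply omitted so the check works anywhere."""
    found = {}
    try:
        proc = subprocess.run(["yara", "--version"], capture_output=True,
                              text=True, timeout=10)
        found["yara CLI"] = (proc.stdout or proc.stderr).strip()
    except (OSError, subprocess.SubprocessError):
        pass
    try:
        import yara  # yara-python ships its own copy of libyara
        # Assumption: the binding exposes the libyara version as YARA_VERSION.
        found["yara-python (libyara)"] = getattr(yara, "YARA_VERSION", "")
    except ImportError:
        pass
    return found


def report(versions):
    """Render one line per component; returns the lines so callers can log them."""
    if not versions:
        return ["no YARA components found on this host"]
    return [f"{name}: {ver or '?'} -> {assess(ver)}" for name, ver in versions.items()]


if __name__ == "__main__":
    for line in report(installed_yara_versions()):
        print(line)
```

Run it on every host that scans untrusted files (analysis sandboxes, mail and upload gateways, SOC workstations); a "vulnerable" line means that copy still needs the update, and an "unlisted" line means an older branch the advisory does not speak to and which should be upgraded regardless.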

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of the technology companies concerned.