CVE-2017-11124

9.8 CRITICAL

📋 TL;DR

CVE-2017-11124 is a NULL pointer dereference vulnerability in xar 1.6.1's libxar.so library that can lead to denial of service or potential remote code execution. The vulnerability occurs in the xar_unserialize function when processing malicious XAR archives. Systems using xar 1.6.1 or earlier versions are affected.

💻 Affected Systems

Products:
  • xar
Versions: 1.6.1 and earlier
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using xar to process archives is vulnerable. The vulnerability is in the core library and affects all configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if the NULL pointer dereference can be leveraged for arbitrary code execution.

🟠 Likely Case: Denial of service causing application crashes when processing malicious XAR archives.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing of xar processing.

🌐 Internet-Facing: MEDIUM - Requires processing of malicious XAR archives, which could be delivered via web applications or file uploads.
🏢 Internal Only: LOW - Requires user interaction or specific workflows involving XAR archive processing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code is publicly available. Exploitation requires the target to process a malicious XAR archive.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.2 or later

Vendor Advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2S2KRIILUKBJHXDNYJQQX74TFUQRG5ND/

Restart Required: Yes

Instructions:

1. Update the xar package to version 1.6.2 or later.
2. For Linux distributions, use the package manager: apt-get update && apt-get upgrade xar for Debian/Ubuntu, yum update xar for RHEL/CentOS.
3. Restart any services using the xar library.

🔧 Temporary Workarounds

Disable xar processing

linux

Temporarily disable or block processing of XAR archives until patching is complete.

# Remove the xar binary:
sudo rm -f /usr/bin/xar

# Or block xar execution without removing it:
sudo chmod 000 /usr/bin/xar

🧯 If You Can't Patch

  • Implement strict input validation for XAR archives before processing.
  • Run xar processing in isolated containers or sandboxes with limited privileges.

🔍 How to Verify

Check if Vulnerable:

Check the xar version against the fixed release (affected versions are 1.6.1 and earlier, so the comparison must treat anything below 1.6.2 as vulnerable rather than matching only the string 1.6.1; an unparsable version string is reported as vulnerable):

v=$(xar --version 2>&1 | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1); [ "$(printf '%s\n' "$v" 1.6.2 | sort -V | head -n1)" = 1.6.2 ] && echo 'NOT VULNERABLE' || echo 'VULNERABLE'

Check Version:

xar --version

Verify Fix Applied:

Verify xar version is 1.6.2 or later: xar --version

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from xar processes
  • Unexpected termination of applications using libxar.so

Network Indicators:

  • Inbound XAR archive transfers to vulnerable systems
  • File uploads containing XAR archives to web applications

SIEM Query:

process.name:xar AND (event.action:segfault OR event.action:crash)
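As an added example (not part of this advisory), the following POSIX sh filter applies the same logic as the SIEM query above to plain syslog/dmesg text, for hosts that ship no structured events. The log lines embedded in it are constructed samples; the regular expressions assume the usual Linux kernel segfault record ("name[pid]: segfault at ADDR ... in lib[...]") and the systemd-coredump "Process N (name) ... dumped core" wording. Because the vulnerable code is in libxar.so rather than only the xar binary, the filter also keeps segfault records whose faulting module is libxar.so, and a second function narrows to faults at a near-zero address, which is what a NULL pointer dereference leaves in the kernel record.

```shell
#!/bin/sh
# Added example, not from the advisory: filter syslog/dmesg lines for crashes
# of xar or of processes faulting inside libxar.so. Reads log text on stdin.
# SAMPLE_LOG below is constructed test data, not a real capture.

SAMPLE_LOG='Jun 12 10:01:02 host kernel: xar[2314]: segfault at 0 ip 00007f3a1c0b21e0 sp 00007ffd2c1e33a0 error 4 in libxar.so.1[7f3a1c0a0000+21000]
Jun 12 10:01:05 host kernel: sshd[1001]: segfault at 8 ip 00007f11aa0c0000 sp 00007ffc00000000 error 4 in libc.so.6[7f11aa000000+1c0000]
Jun 12 10:02:10 host uploader[4412]: extracted archive ok
Jun 12 10:03:33 host systemd-coredump[5120]: Process 5101 (xar) of user 1000 dumped core.'

# Crash records (kernel segfault line or core dump) attributed to the xar
# process, or a segfault whose faulting module is libxar.so in any process.
xar_crash_lines() {
    grep -E 'segfault at|dumped core|SIGSEGV' \
      | grep -E 'xar\[[0-9]+\]|\(xar\)|libxar\.so'
}

# Subset whose faulting address lies in the zero page (fewer than four hex
# digits): the footprint of a NULL pointer dereference such as CVE-2017-11124.
xar_null_deref_lines() {
    xar_crash_lines | grep -E 'segfault at [0-9a-f]{1,3} '
}

# Count stdin lines, stripping the padding some wc implementations print.
count_lines() {
    wc -l | tr -d ' '
}

# Dry run on the constructed sample: the xar segfault and the xar core dump
# match (2 lines); only the segfault at address 0 is a zero-page fault (1).
# The sshd segfault in libc is correctly ignored.
printf '%s\n' "$SAMPLE_LOG" | xar_crash_lines | count_lines
printf '%s\n' "$SAMPLE_LOG" | xar_null_deref_lines | count_lines
```

To use it on a live host, pipe the log into the function instead of the sample, e.g. journalctl -k | xar_crash_lines, and feed the matching lines to whatever alerting the SIEM query above would have driven.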

🔗 References
