CVE-2021-3402
📋 TL;DR
CVE-2021-3402 is an integer overflow and buffer overflow vulnerability in YARA's Mach-O file parser that allows attackers to cause denial of service or information disclosure by processing malicious Mach-O files. This affects all systems running YARA versions before 4.0.4. Security tools and systems using YARA for file analysis are particularly vulnerable.
💻 Affected Systems
- YARA
- Security tools using YARA library
📦 What is this software?
Fedora by Fedoraproject
Yara by Virustotal
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if combined with other vulnerabilities, though CWE-190 typically results in crashes or information leaks.
Likely Case
Denial of service through application crashes or information disclosure via memory leaks when processing malicious Mach-O files.
If Mitigated
Limited impact with proper input validation and sandboxing, though crashes may still occur.
🎯 Exploit Status
Exploitation requires providing a malicious Mach-O file to YARA for processing. Public proof-of-concept exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libyara 4.0.4 and later
Vendor Advisory: https://www.x41-dsec.de/lab/advisories/x41-2021-001-yara/
Restart Required: Yes
Instructions:
1. Update YARA to version 4.0.4 or later.
2. For Linux systems: use the package manager (apt-get update && apt-get upgrade yara, yum update yara, etc.).
3. For source installations: download and compile from https://github.com/VirusTotal/yara/releases.
4. Restart any services using YARA.
🔧 Temporary Workarounds
Disable Mach-O module
Disable YARA's Mach-O module so that Mach-O files are not parsed at all
yara --disable-module=macho
Sandbox YARA processing
Run YARA in a container or sandbox with limited privileges
docker run --read-only --cap-drop=ALL -v /scans:/scans:ro yara:latest
🧯 If You Can't Patch
- Implement strict input validation to reject suspicious Mach-O files before YARA processing
- Isolate YARA processing to dedicated systems with no sensitive data access
🔍 How to Verify
Check if Vulnerable:
Check the YARA version with yara --version. If the output shows a version earlier than 4.0.4, the system is vulnerable.
Check Version:
yara --version
Verify Fix Applied:
Run yara --version and confirm the version is 4.0.4 or later. Test with known safe Mach-O files to confirm that scanning still works.
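The version check above, automated as a POSIX sh script (an added example, not part of the advisory or of YARA itself): it parses the output of `yara --version` and compares it field by field against 4.0.4, the first fixed release, so that a version such as 4.0.10 is not mistaken for an older one by a plain string compare. It assumes `yara --version` prints a dotted version number, optionally after a prefix word.

```shell
#!/bin/sh
# Added example, not from the advisory: flag a YARA older than the fixed 4.0.4.
FIXED_VERSION="4.0.4"   # first release carrying the CVE-2021-3402 fix

# extract_version TEXT: print the first dotted-numeric token (e.g. "4.0.3").
# Assumption: `yara --version` prints the version, possibly after a prefix word.
extract_version() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+/) { print $i; exit }
    }'
}

# version_lt A B: exit 0 when A sorts strictly below B, comparing
# major.minor.patch numerically (missing field = 0), so "4.0.10" > "4.0.4".
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s\n' "$1" | awk -F. -v n="$i" '{ print $n + 0 }')
        b=$(printf '%s\n' "$2" | awk -F. -v n="$i" '{ print $n + 0 }')
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# yara_is_vulnerable TEXT: 0 if the version in TEXT is below 4.0.4, 1 if fixed,
# 2 if no version could be parsed.
yara_is_vulnerable() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo "could not parse a version from: $1" >&2; return 2; }
    version_lt "$v" "$FIXED_VERSION"
}

# check_installed_yara: run the real binary and report; returns 1 when vulnerable.
check_installed_yara() {
    out=$(yara --version 2>&1) || { echo "yara not found or failed to run" >&2; return 2; }
    rc=0; yara_is_vulnerable "$out" || rc=$?
    case $rc in
        0) echo "VULNERABLE: yara reports '$out' (< $FIXED_VERSION)"; return 1 ;;
        1) echo "OK: yara reports '$out' (>= $FIXED_VERSION)"; return 0 ;;
        *) return 2 ;;
    esac
}

# Only touch the installed binary when asked, so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then check_installed_yara; fi
```

Run it as `sh check_yara.sh --check` on each host; a non-zero exit status marks a host that still needs the 4.0.4 update.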
📡 Detection & Monitoring
Log Indicators:
- YARA process crashes or segmentation faults
- Unusual memory consumption patterns in YARA processes
- Repeated failed Mach-O file parsing attempts
Network Indicators:
- Unusual Mach-O file downloads to systems running YARA
- Network traffic to/from YARA processing systems with Mach-O files
SIEM Query:
process_name:"yara" AND (event_type:"crash" OR memory_usage:>threshold)
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=1930175
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKNXSH5ERG6NELTXCYVJLUPJJJ2TNEBD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXM224OLGI6KAOROLDPPGGCZ2OQVQ6HH/
- https://www.openwall.com/lists/oss-security/2021/01/29/2
- https://www.x41-dsec.de/lab/advisories/x41-2021-001-yara/