CVE-2021-43814
📋 TL;DR
CVE-2021-43814 is a heap-based out-of-bounds write vulnerability in Rizin's parse_die() function when processing AMD64 ELF binaries with DWARF debug information. This allows attackers to cause crashes or potentially execute arbitrary code by tricking users into opening malicious ELF files. All users running Rizin versions up to 0.3.1 on UNIX-like systems are affected.
💻 Affected Systems
- Rizin
📦 What is this software?
Rizin by Rizin
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the user running Rizin, potentially leading to full system compromise.
Likely Case
Application crash (denial of service) when processing malicious ELF files.
If Mitigated
No impact if users avoid opening untrusted ELF files with vulnerable versions.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious file) and specific conditions (AMD64 ELF with DWARF). No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 0.4.0 and later
Vendor Advisory: https://github.com/rizinorg/rizin/security/advisories/GHSA-hqqp-vjcm-mw8r
Restart Required: No
Instructions:
1. Check the current Rizin version with 'rizin -v'.
2. If the version is 0.3.1 or earlier, upgrade to 0.4.0 or later.
3. For package managers: 'sudo apt update && sudo apt upgrade rizin' (Debian/Ubuntu) or 'brew upgrade rizin' (macOS).
4. For source builds: clone the latest release from GitHub and rebuild.
🔧 Temporary Workarounds
Avoid untrusted ELF files
Do not open untrusted or unknown AMD64 ELF binaries that carry DWARF debug information in Rizin.
🧯 If You Can't Patch
- Restrict Rizin usage to trusted users only
- Implement file integrity monitoring for Rizin binary and configuration files
🔍 How to Verify
Check if Vulnerable:
Run 'rizin -v' and check if version is 0.3.1 or earlier.
Check Version:
rizin -v
Verify Fix Applied:
After upgrade, run 'rizin -v' to confirm version is 0.4.0 or later.
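The version check above can be scripted so it compares version numbers numerically rather than as strings (so that, for example, 0.10.x is not mistaken for an affected release). The following POSIX shell script is an added example, not from the advisory or the Rizin project; it assumes that 'rizin -v' prints a line containing a dotted version such as 'rizin 0.3.1 ...', which is an assumption about the output format.

```sh
#!/bin/sh
# Added example for CVE-2021-43814: flag Rizin installs older than the 0.4.0 fix release.
# Assumption: `rizin -v` output contains a dotted X.Y.Z version token (exact format not confirmed here).
FIXED_VERSION="0.4.0"

# extract_version OUTPUT: print the first X.Y.Z token found in a `rizin -v` output line
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_lt A B: succeed (exit 0) when A is numerically lower than B, component by component
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# rizin_vulnerable OUTPUT: exit 0 if the version in OUTPUT is affected (< 0.4.0),
# 1 if it is fixed, 2 if no version could be parsed
rizin_vulnerable() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# check_installed: run the check against the locally installed rizin binary, if any
check_installed() {
    command -v rizin >/dev/null 2>&1 || { echo "rizin not installed"; return 2; }
    out=$(rizin -v 2>/dev/null || true)
    if rizin_vulnerable "$out"; then
        echo "VULNERABLE: rizin $(extract_version "$out") is older than $FIXED_VERSION"
        return 0
    fi
    echo "OK: rizin $(extract_version "$out") includes the CVE-2021-43814 fix"
    return 1
}
```

Run 'check_installed' on each host that has Rizin installed; an exit status of 0 means an affected version was found.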
📡 Detection & Monitoring
Log Indicators:
- Rizin crash logs with segmentation faults when processing ELF files
- Unexpected process termination of rizin
Network Indicators:
- Not applicable - local file processing vulnerability
SIEM Query:
Process:Name='rizin' AND EventID=1000 (Application Crash)
🔗 References
- https://github.com/rizinorg/rizin/commit/aa6917772d2f32e5a7daab25a46c72df0b5ea406
- https://github.com/rizinorg/rizin/issues/2083
- https://github.com/rizinorg/rizin/security/advisories/GHSA-hqqp-vjcm-mw8r