CVE-2023-40857

8.8 HIGH

📋 TL;DR

A buffer overflow vulnerability in VirusTotal YARA v4.3.2 allows remote attackers to execute arbitrary code via the yr_execute_code function in the exec.c component. This affects any system running a vulnerable YARA version that processes untrusted YARA rules or files. Attackers can achieve remote code execution with the privileges of the YARA process.

💻 Affected Systems

Products:
  • VirusTotal YARA
Versions: 4.3.2
Operating Systems: All platforms running YARA (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using YARA to scan untrusted files or rules is vulnerable. This includes security tools, malware analysis platforms, and file scanning services.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise via remote code execution leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case: Remote code execution allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟢 If Mitigated: Limited impact if YARA runs with minimal privileges, in isolated environments, or only processes trusted rules.

🌐 Internet-Facing: HIGH - YARA is commonly used in security tools that process external files, making internet-facing instances vulnerable.
🏢 Internal Only: MEDIUM - Internal systems using YARA for malware analysis or file scanning remain vulnerable to malicious files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in a core parsing function, making exploitation straightforward. Public GitHub issues contain technical details that could facilitate exploit development.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.3 or later

Vendor Advisory: https://github.com/VirusTotal/yara/issues/1945

Restart Required: Yes

Instructions:

1. Check the current YARA version with 'yara --version'.
2. Update to version 4.3.3 or later using your package manager or from GitHub releases.
3. Restart any services or processes using YARA.

🔧 Temporary Workarounds

Restrict YARA rule sources (platform: all)

Only allow YARA to process rules from trusted, verified sources.

Run YARA with minimal privileges (platform: linux)

Execute YARA processes with limited user permissions to reduce impact:

sudo -u nobody yara [options]

🧯 If You Can't Patch

  • Isolate YARA processes in containers or VMs with no network access
  • Implement strict input validation and sandboxing for all YARA rule processing

🔍 How to Verify

Check if Vulnerable:

Run 'yara --version' and check if output is '4.3.2'

Check Version:

yara --version

Verify Fix Applied:

Run 'yara --version' and confirm version is 4.3.3 or higher
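The version check above, as an added example (not part of the advisory or of the YARA project): a POSIX shell function that parses the output of `yara --version` and classifies it exactly as this page states it, 4.3.2 affected and 4.3.3 or later fixed; versions older than 4.3.2 are reported as "older" because the advisory makes no claim about them.

```shell
#!/bin/sh
# Added example, not from the advisory. Classify a YARA version string
# against CVE-2023-40857 as this page describes it.

# Compare two dotted version strings numerically on major.minor.patch.
# Prints -1, 0 or 1 for a < b, a == b, a > b. Missing fields count as 0.
version_cmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | awk -F. -v n="$i" '{ print $n + 0 }')
        y=$(printf '%s\n' "$2" | awk -F. -v n="$i" '{ print $n + 0 }')
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# $1: the text printed by `yara --version` (e.g. "4.3.2"). Any leading
# non-numeric prefix is stripped so "yara 4.3.2" is accepted as well.
# Prints one of: vulnerable, fixed, older, unknown.
yara_cve_2023_40857_status() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    if [ -z "$v" ]; then echo unknown; return 0; fi
    if [ "$(version_cmp "$v" 4.3.3)" -ge 0 ]; then
        echo fixed                       # 4.3.3 or later carries the patch
    elif [ "$(version_cmp "$v" 4.3.2)" -eq 0 ]; then
        echo vulnerable                  # the release named by the advisory
    else
        echo older                       # not covered by this advisory
    fi
}

# Live check on this host; skipped when yara is not installed.
if command -v yara >/dev/null 2>&1; then
    ver=$(yara --version)
    printf 'yara %s: %s\n' "$ver" "$(yara_cve_2023_40857_status "$ver")"
fi
```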

📡 Detection & Monitoring

Log Indicators:

  • YARA process crashes
  • Unusual memory access patterns in YARA processes
  • Failed YARA rule compilation attempts

Network Indicators:

  • Unexpected network connections from YARA processes
  • Outbound traffic from systems running YARA to suspicious destinations

SIEM Query:

process_name:yara AND (event_type:crash OR memory_usage:anomalous)
