YARA 3.5.0 libyara/grammar.y yr_compiler_destroy use after free
A vulnerability, which was classified as problematic, has been found in YARA 3.5.0. This issue affects the function yr_compiler_destroy of the file libyara/grammar.y. The manipulation leads to use after free. The CWE definition for the vulnerability is CWE-416. The bug was discovered on 01/08/2017. The weakness was published on 04/03/2017 as 7f02eca670f29c00a1d2c305e96febae6ce5d37b (GitHub Repository). The advisory is shared at github.com.
The identification of this vulnerability is CVE-2017-5924. The attack may be initiated remotely. Technical details are available. There is no exploit available. The price for an exploit might be around USD $0-$5k at the moment.
It is declared as not defined. The vulnerability was handled as a non-public zero-day exploit for at least 85 days. We expect the 0-day to have been worth approximately $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 99743 (Fedora 25 : yara (2017-11ac1e31eb)), which helps to determine the existence of the flaw in a target environment. The commercial vulnerability scanner Qualys is able to test this issue with plugin 276651 (Fedora Security Update for yara (FEDORA-2017-11ac1e31eb)).
The bugfix is ready for download at github.com. It is recommended to upgrade the affected component. A possible mitigation was published 4 weeks after the disclosure of the vulnerability.
The vulnerability is also documented in other vulnerability databases: SecurityFocus (BID 98075) and Tenable (99743).