A medium severity bug reported on Saturday impacts Ghidra, a free, open-source software reverse-engineering tool released by the National Security Agency earlier this year. The vulnerability allows a remote attacker to compromise exposed systems, according to a NIST National Vulnerability Database description. No fix is currently available.
Despite the warning, researchers are downplaying the impact of the bug. They maintain conditions needed to exploit the flaw, tracked as CVE-2019-16941, are rare. They also note, the NSA’s GitHub repository for Ghidra indicates a patch is currently in the works.
Nevertheless, the flaw exists within NSA Ghidra versions through 9.0.4. According to the description of the bug, the flaw manifests itself “when [Ghidra] experimental mode is enabled.” This “allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document,” it reads.