NSA’s reverse engineering tool Ghidra impacted by a bug — but there’s no need to panic

There is a vulnerability in the NSA's reverse engineering tool. But it would take an incredible scenario for it to impact anyone.

The National Security Agency’s open source reverse engineering tool, Ghidra, is impacted by a vulnerability, but security experts — including those at the NSA familiar with Ghidra — tell CyberScoop it would be pretty difficult to be attacked via the vulnerability if you know how to reverse engineer malware.

The vulnerability, CVE-2019-16941, would allow hackers to compromise exposed systems when Ghidra’s experimental mode is running, according to the bug announcement from the National Institute of Standards and Technology. In theory, this vulnerability would allow arbitrary code to be executed against a Ghidra user if a malicious XML document — a plain text file often used to store data — is introduced. But that introduction is unlikely to happen because running these kinds of files through Ghidra would be pretty unusual, researchers told CyberScoop.

“These files are not normally shared among users and not normally part of the distribution,” the NSA researchers said.

Although the posting on Ghidra’s GitHub page suggests remote code execution is a concern as a result of this vulnerability, NSA researchers said that the bug would not allow remote access unless one Ghidra user — who is using both Ghidra’s experimental mode and the Bit Patterns Explorer, a Ghidra plugin — accepts a maliciously modified file from yet another Ghidra user who is also using that plugin.


“I don’t think anybody [that’s a] reverse engineer is going to accept a random XML file from a stranger and load it into Ghidra,” Dragos Senior Adversary Hunter Jimmy Wylie told CyberScoop.

The NSA said it became aware of the bug after it was submitted to GitHub on Saturday. The agency is working on a remedy that it will issue along with a new version of Ghidra after its beta testing period is over. This fix will come along with several other features meant to boost accuracy and save time in reverse-engineering, according to the agency.

In the meantime, the NSA says there is an easy fix in the short-term for this bug.

“You can mitigate risk by not accepting XML files from sources that you don’t trust,” a spokesperson told CyberScoop.


Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
