A 15-year-old Python vulnerability has been found to have affected hundreds of thousands of open source projects over its lifetime.
The vulnerability, tracked as CVE-2007-4559, is a path traversal attack in the extract and extractall functions found in the Python tarfile module. Researchers at Trellix warned that, if exploited, it could allow an attacker to overwrite arbitrary files via a TAR archive.
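The defect described above is that tarfile's extract and extractall write each member to the path stored in the archive without checking whether that path stays inside the destination directory. The following added example (not code from the article or from Trellix) shows the check a defender wants before calling extractall: it resolves every member name, and every symlink or hard-link target, against the destination and refuses the whole archive if any of them would land outside it. The archive contents are constructed in memory purely to exercise the check; the destination path used by scan_entries is an assumed placeholder.

```python
import io
import os
import tarfile
import tempfile


def member_escapes(dest, member_path):
    """True if extracting member_path beneath dest would resolve outside dest."""
    dest_real = os.path.realpath(dest)
    # os.path.join discards dest when member_path is absolute, so "/etc/x" escapes too.
    target = os.path.realpath(os.path.join(dest_real, member_path))
    return os.path.commonpath([dest_real, target]) != dest_real


def unsafe_members(tar, dest):
    """Return the names of members whose path or link target would escape dest."""
    bad = []
    for m in tar.getmembers():
        if member_escapes(dest, m.name):
            bad.append(m.name)
        elif m.issym():
            # A symlink target is relative to the directory holding the link.
            target = os.path.join(os.path.dirname(m.name), m.linkname)
            if os.path.isabs(m.linkname) or member_escapes(dest, target):
                bad.append(m.name)
        elif m.islnk():
            # A hard-link target is an archive-relative path.
            if member_escapes(dest, m.linkname):
                bad.append(m.name)
    return bad


def safe_extractall(tar, dest):
    """Hardened replacement for tar.extractall(dest): reject the archive if any member escapes."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract: members escape {dest!r}: {bad}")
    tar.extractall(dest)


def build_archive(entries):
    """Constructed in-memory TAR archive; entries is a list of (member name, bytes)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def scan_entries(entries, dest="/tmp/extract-target"):
    """Build a constructed archive from entries and report members that would escape dest."""
    with tarfile.open(fileobj=build_archive(entries), mode="r") as tar:
        return unsafe_members(tar, dest)


def demo():
    """Extract a clean archive, then confirm a traversal archive is rejected.

    Returns (relative paths actually written, whether the bad archive was refused).
    """
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=build_archive([("docs/readme.txt", b"ok")]), mode="r") as tar:
            safe_extractall(tar, dest)
        extracted = sorted(
            os.path.relpath(os.path.join(root, f), dest)
            for root, _, files in os.walk(dest)
            for f in files
        )
        rejected = False
        with tarfile.open(fileobj=build_archive([("../outside.txt", b"x")]), mode="r") as tar:
            try:
                safe_extractall(tar, dest)
            except ValueError:
                rejected = True
    return extracted, rejected


if __name__ == "__main__":
    print(scan_entries([("docs/readme.txt", b"ok"), ("../outside.txt", b"x")]))
    print(demo())
```

The check runs over the member list before anything is written, so a single bad entry aborts the extraction rather than being discovered after earlier members have already landed on disk. Newer Python releases (3.12, with backports to 3.8.17, 3.9.17, 3.10.12 and 3.11.4) add a `filter` argument to extract and extractall; passing `filter="data"` makes the interpreter itself reject members that resolve outside the destination, which is the simpler fix where that interpreter version is available.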
Trellix said that its researchers initially thought they had identified a new zero-day vulnerability upon encountering the flaw. However, a subsequent investigation last year found it dated back to 2007.
The bug was considered to be of low importance at the time. However, Trellix warned that it was found to be present in more than 350,000 open source projects and in an undisclosed number of closed-source projects.
“Late last year, the Trellix Advanced Research Center team discovered a vulnerability in Python’s tarfile module. As we dug in, we realised this was CVE-2007-4559 – a 15-year-old path traversal vulnerability with the potential to allow an attacker to overwrite arbitrary files,” said Douglas McKee, director of vulnerability research at Trellix.
“CVE-2007-4559 was reported to the Python project in 2007, and, left unchecked, had been unintentionally added to an estimated 350,000 open source projects and is prevalent in closed source projects.”
McKee added that the vulnerability is “firmly embedded in the supply chain of many projects” and remains widespread.
The Python bug is believed to have been present in frameworks developed by Google, Intel, and Amazon Web Services (AWS), highlighting both its longevity and its potentially severe risk.
Since the discovery of the bug, Trellix said it has worked extensively with GitHub to issue a fix.
Nearly 62,000 vulnerable open source projects have been patched to date, McKee revealed.
“To effectively minimise the vulnerability surface area, Trellix Advanced Research Center executed a months-long effort to patch open source projects known to use the vulnerable code,” he said.
“Through GitHub, developers and community members are able to push code to projects or repositories on the platform through a process known as a pull request. Once a request is opened, the project maintainers review the proposed code, request collaboration or clarification if needed, and accept the new code.”
After obtaining a list of repositories and files that contained the keyword ‘import tarfile’, McKee said researchers were able to compile a list of repositories to scan using the Creosote vulnerability tool.
“If a repository was determined to have the vulnerability, we patched the file and created a public patch diff containing the patched file so users can easily compare the two files, the original file, and some metadata about the repository,” he added.
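The scanning step above starts from files containing `import tarfile` and then looks for the vulnerable extraction calls. The following added example (not Creosote and not code from the article) is a small static check of that kind: it parses a Python source file, confirms the tarfile module is imported, and reports every `.extract(...)` or `.extractall(...)` call together with whether the call already passes a `filter=` keyword. The sample source it scans is constructed inline; the heuristic only looks at the method name, so it can flag calls on objects that are not tarfile handles and is meant to shortlist files for review, not to prove a file vulnerable.

```python
import ast

# Constructed sample of a module with one unfiltered and one filtered extraction call.
SAMPLE_SOURCE = """\
import tarfile

def unpack(path, dest):
    with tarfile.open(path) as tar:
        tar.extractall(dest)

def unpack_safe(path, dest):
    with tarfile.open(path) as tar:
        tar.extractall(dest, filter="data")
"""

EXTRACT_METHODS = {"extract", "extractall"}


def imports_tarfile(tree):
    """True if the module imports tarfile via either import form."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(alias.name == "tarfile" for alias in node.names):
                return True
        elif isinstance(node, ast.ImportFrom):
            if node.module == "tarfile":
                return True
    return False


def find_tarfile_extractions(source):
    """Return [(line, method, has_filter_kwarg)] for extract/extractall calls.

    Files that never import tarfile are skipped entirely, mirroring the
    'import tarfile' keyword pre-filter described in the article.
    """
    tree = ast.parse(source)
    if not imports_tarfile(tree):
        return []
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in EXTRACT_METHODS:
            has_filter = any(kw.arg == "filter" for kw in node.keywords)
            findings.append((node.lineno, func.attr, has_filter))
    return sorted(findings)


def unfiltered_extractions(source):
    """Only the calls that still rely on the unchecked default behaviour."""
    return [f for f in find_tarfile_extractions(source) if not f[2]]


if __name__ == "__main__":
    for line, method, has_filter in find_tarfile_extractions(SAMPLE_SOURCE):
        status = "filtered" if has_filter else "UNFILTERED"
        print(f"line {line}: {method}() {status}")
```

Run against a checkout, the unfiltered list is the set of call sites that need either an explicit member check before extraction or, on a Python version that supports it, the `filter="data"` argument.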
Open supply vulnerabilities
Open source vulnerabilities have been a recurring issue for businesses globally in recent years. Research from Anaconda last year found that organisations scaled back their use of open source software across 2021 and 2022 amid security concerns.
Nearly one-third (31%) of respondents to Anaconda’s survey said that security vulnerabilities were the number one challenge in the open source community.
In May 2022, security researchers uncovered vulnerabilities in two popular open source packages, Python CTX and PHP’s phpass.
If exploited, the vulnerabilities could have enabled attackers to launch software supply chain attacks that harvested AWS cloud credentials.
McKee warned that greater collaboration is required across the open source community to eliminate critical vulnerabilities.
“As an industry, we cannot afford to ignore the need to discover and eradicate foundational vulnerabilities,” he said. “Mass patching of open source projects can be done, even if it takes a lot of time, and it can bring benefits to organisations of all sizes, across sectors and regions.”
McKee added that, to “properly prevent the reintroduction of past attack surfaces”, organisations using code libraries and frameworks in their applications should conduct regular checks and implement strong assessment measures to improve supply chain transparency.