A vulnerability discovered over 15 years ago still plagues hundreds of thousands of open source projects today, according to Trellix, raising supply chain security concerns. Assigned CVE-2007-4559, the bug was discovered in 2007 and still exists in the tarfile module of Python.
The Trellix Advanced Research Center came across the path traversal attack vulnerability during an investigation into a separate vulnerability. CVE-2007-4559 impacts some 350,000 open-source projects and an unknown number of closed-source projects, escalating fears of software supply chain attacks. According to NCC Group, attacks against organizations in the global supply chain increased by 51% between July and December 2021.
Christiaan Beek, head of adversarial & vulnerability research at Trellix, said, When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident, however building on top of weak code-foundations can have an equally severe impact.
Besides machine learning, automation applications, and docker containerization, the vulnerable tarfile module of Python is leveraged by AWS, Google, Intel, Facebook, and Netflix for specific frameworks. The tarfile module is the default setting in any project that leverages Python unless manually changed.
This vulnerabilitys pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. Its critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.
CVE-2007-4559 enables arbitrary code execution. Although its CVSS score of 5.1 suggests CVE-2007-4559 is a medium severity vulnerability, Trellix said its exploit is relatively easy and can be exploited with as little as six lines of code.
The tarfile module in Python enables developers to read and write tar archives, which is a UNIX-based utility used to package uncompressed or compressed (using gzip, bzip2, etc.) files together for backup or distribution.
The 2007 path traversal vulnerability exists because of a few un-sanitized lines of code in tarfile. The tarfile.extract() and tarfile.extractall() functions are coded without any safety mechanisms that sanitize or review the path supplied to it for file extraction from tar archives.
So when a user passes a TarInfo object while calling these extract functions, it causes directory traversal. In other words, it extracts files from a source specified to it without performing the appropriate safety check.
Trellix Threat Labs vulnerability researcher, Kasimir Schulz, said, This vulnerability is incredibly easy to exploit, requiring little to no knowledge about complicated security topics. Due to this fact and the prevalence of the vulnerability in the wild, Pythons tarfile module has become a massive supply chain issue threatening infrastructure around the world.
See More: Why Software Bill of Materials (SBOM) Is Critical To Mitigating Software Supply Chain Risks
Not only has this vulnerability been known for over a decade, the official Python docs explicitly warn to Never extract archives from untrusted sources without prior inspection due to the directory traversal issue, noted Charles Mcfarland, vulnerability researcher in Trellixs Advanced Threat Research team.
Tarfile Extract Warning to Python Developers | Source: Trellix
The number of unique projects/repositories on GitHub that include import tarfile in its python code is 588,840. However, 61% of these repositories did not perform cleanup of the tarfile members before being executed, taking the number of vulnerable repositories to 350,000.
Trellix also pointed out that since machine learning tools like GitHub CoPilot are trained on vulnerable GitHub repositories, they are learning to do things insecurely. Not from any fault of the tool but from the fact that it learned from everyone else.
Trellixs analysis of project domains impacted by CVE-2007-4559 revealed the following:
Project Domains Impacted by CVE-2007-4559 | Source: Trellix
It should be noted that Trellixs research on vulnerable projects is limited to GitHub. So it is likely that other projects are also affected by the 15-year-old vulnerability.
The software supply chain can have hundreds of vendors that supply applications, independent code, software, libraries, and other dependencies. When vulnerable dependencies such as the tarfile module are integrated with third-party providers, service providers, contractors, resellers, etc., it expands the attack surface of everyone in the chain while simultaneously weakening the security fabric of even those with appropriate security hygiene practices.
While we cant provide as detailed an analysis [of closed-source projects] as we can with open-source projects, it is fair to expect the trend to be similar. What if 61% of all projects open- and closed-source could be exploited due to this vulnerability? asks Douglas McKee, principal engineer and director of vulnerability research for Trellix Threat Labs.
To do our part Trellix is releasing a script which can be used to scan one or multiple code repositories looking for the presence and likelihood of exploitation for CVE-2007-4559. Additionally, we are working on automating submissions of pull requests to open-source projects which can be confirmed to be exploitable, McKee added.
Trellix has automated mass repository forking, mass repository cloning, code analysis, code patching, code commits, and pull requests. Patches by the company for 11,005 repositories are ready for pull requests. Trellix is developing patches for more projects.
The number of vulnerable repositories we found begs the question, which other N-day vulnerabilities are lurking around in OSS, undetected or ignored for years? McFarland added. If this tarfile vulnerability is any indicator, we are woefully behind and need to increase our efforts to ensure OSS [open source software] is secure.
To check if your project/repository is vulnerable to CVE-2007-4559, refer to this GitHub documentation by Trellix.
Let us know if you enjoyed reading this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!
The rest is here:
15-Year-Old Python Vulnerability Still Affects Over 350,000 Open-Source Projects - Spiceworks News and Insights
- Labour frontbencher advocates for open source software and regulatory innovation - Computing - February 9th, 2024
- Open Source Software: Meaning, Importance, and Examples | Spiceworks - Spiceworks News and Insights - February 9th, 2024
- Office of National Cyber Director Issues 2023 Year-End Report on Open Source Software Security Initiative - Executive Gov - February 1st, 2024
- 40 Must-Have Free Open Source Software for 2023 - Tecmint - October 16th, 2023
- What Is Open Source Software and How Does It Work? | Synopsys - March 5th, 2023
- 15 Best Open Source Software You Must Try in 2023 - Turing - February 25th, 2023
- Cyber Security Today, Feb. 24, 2023 Holes in open source software, ransomware gang tries to evade cyber insurers and more - IT World Canada - February 25th, 2023
- What is Open Source Software? - SourceForge Articles - February 15th, 2023
- About the Open Source Initiative | Open Source Initiative - December 28th, 2022
- Comparison of free and open-source software licenses - December 20th, 2022
- Building an open source software community - SAS Users - December 4th, 2022
- The US Securing Open Source Software Act of 2022 is a step in the right direction - TechCrunch - November 25th, 2022
- Microsoft: Hackers are using open source software and fake jobs in ... - November 17th, 2022
- Open Source Software Directory - OSSD - October 23rd, 2022
- Source Code for Open Source Software Components - Oracle - October 15th, 2022
- We dont teach developers how to write secure software Linux Foundations David A Wheeler on reversing the CVE surge - The Daily Swig - October 15th, 2022
- Learn Linux online for free with Linux Foundation Courses from edX - TechRepublic - October 15th, 2022
- The Blockchain Sector is growing with the help of Open-Source Technology - Wales 247 - October 15th, 2022
- GCHQ chief warns of Chinese . US open source software bill advances. Financial Stability Board on crypto regulation. - The CyberWire - October 15th, 2022
- When transparency is also obscurity: The conundrum that is open-source security - Help Net Security - October 7th, 2022
- You thought you bought software all you bought was a lie - The Register - October 7th, 2022
- Linux Foundation Energy Gains More Industry Support to Drive the Energy Transition - PR Newswire - October 7th, 2022
- State of Open Source Survey By OpenLogic To Take Place In 2023 - Open Source For You - September 29th, 2022
- How Can Open Source Sustain Itself without Creating Burnout? - thenewstack.io - September 29th, 2022
- OpenAI opens doors to DALL-E after the horse has bolted to Midjourney and others - The Register - September 29th, 2022
- Red Hat And NdcTech Collaborate To Deliver Solutions Based On Open Source - Open Source For You - September 21st, 2022
- Paladin Cloud Joins the Cloud Native Computing Foundation - GlobeNewswire - September 21st, 2022
- Open Source Software - W3 - September 13th, 2022
- Understanding the hows and whys of open source audits - Security Boulevard - September 13th, 2022
- New Metaverse Track at O3DCon to Tackle Big Questions and Practical Applications of Emerging Graphical Technology - PR Web - September 13th, 2022
- TechOps is a mess: Open source is the solution - BetaNews - September 13th, 2022
- Rezilion Recognized as SBOM Tool Provider in Gartner Emerging Technologies Trend Report on Software Bills of Materials (SBOM) USA - English - USA -... - September 13th, 2022
- Open Security: The next step in the evolution of cybersecurity - SC Media - September 13th, 2022
- 11 Interesting Firefox Add-ons to Improve Your Browsing Experience - It's FOSS - September 13th, 2022
- why the giants fight over open source - Gearrice - September 5th, 2022
- Compare Files in Linux With These Tools - It's FOSS - September 5th, 2022
- Microsoft and ByteDance are collaborating on a big AI project, even as US-China rivalry heats up - CNBC - August 28th, 2022
- OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain - DARKReading - August 20th, 2022
- How W4 plans to monetize the Godot game engine using Red Hats open source playbook - TechCrunch - August 20th, 2022
- Secure Open Source Rewards' to help in preventing assaults on the software supply chain. Check out how! - Economic Times - August 20th, 2022
- Free Dev Tools! But Whats the Catch? - DevOps.com - August 20th, 2022
- This Company is Aiming to Do to the Guest what VMWare and AWS Did to the Host - GeekWire - August 20th, 2022
- What Is Open-Source Software? (Definition and Examples) - August 12th, 2022
- What is open source software? | IBM - August 12th, 2022
- 55+ Best Open Source PC Software for almost Everything - August 12th, 2022
- 80 percent of enterprises use open source software and nearly all worry about security - BetaNews - August 12th, 2022
- The US Military Should Red-Team Open Source Code - Defense One - August 12th, 2022
- Boeing joins the ELISA Project as a Premier Member to Strengthen its Commitment to Safety-Critical Applications - PR Newswire - August 12th, 2022
- Looking for simplicity in the cloud? The future is going to be open and hybrid - The Register - August 12th, 2022
- AAIS & The Linux Foundation Welcome Jefferson Braswell as openIDL Project Executive Director - The Bakersfield Californian - August 4th, 2022
- Wicked Good Development Episode 13: Hacks and Ax, July Edition - Security Boulevard - August 4th, 2022
- Microsoft changes its policy against the sale of open source software in the Microsoft Store - BetaNews - July 26th, 2022
- BMW Group Joins the Linux Foundation's Yocto Project - PR Newswire - July 18th, 2022
- Free and Open Source Software (FOSS) - UNESCO - July 9th, 2022
- Know Your Enemy and Yourself: A Deep Dive on CISA KEV - Security Boulevard - June 29th, 2022
- CD Foundation Announces State of CD in 2022 Report, Opens Third Annual cdCon with New Project CDEvents, New... - DevOps.com - June 10th, 2022
- Samsung teams up with Red Hat for memory software development - The Korea Herald - May 25th, 2022
- OpenSSF Helping to Secure Open Source Software - ITPro Today - May 25th, 2022
- Only Microsoft can give open-source the gift of NTFS. Only Microsoft needs to - The Register - May 11th, 2022
- Protestware: what organisations should be aware of when using open source software - Lexology - May 11th, 2022
- This Week in Washington IP: Open Source Cybersecurity Solutions, Civil Capabilities for Space Situational Awareness and Using AI for Effective RegTech... - May 11th, 2022
- Red Hat Expands Capabilities to Provide Streamlined Application Development and Delivery in the Cloud - Business Wire - April 28th, 2022
- Industry 4.0 why smart manufacturing is moving closer to the edge - The Register - April 28th, 2022
- Open source software and DevOps: What are they, and how can your business benefit? - SmartCompany - April 13th, 2022
- Truist Joins the Open Invention Network - GlobeNewswire - April 13th, 2022
- OpenMetal Joins the Open Infrastructure Foundation - PR Newswire - April 13th, 2022
- An Early Test of The Adams Administration's Values and Tech Prowess - Gotham Gazette - April 13th, 2022
- Open Source Software Faces Threats of Protestware and Sabotage - WIRED - April 1st, 2022
- The Promise of Open Source Code and the Paradox of ProtestWare - Security Boulevard - April 1st, 2022
- Software Composition Analysis Market to Witness Massive Growth by 2029 | Open Source Software, Oracle, Smartbear Software - Digital Journal - April 1st, 2022
- Why now is the time to host your code in the cloud - TechRadar - April 1st, 2022
- Those looking for clues to Googles search demise are asking the wrong question - TechRepublic - April 1st, 2022
- Open Source Sabotage Incident Hits Software Supply Chain | eSecurityPlanet - eSecurity Planet - January 15th, 2022
- Open-source software and threats to critical infrastructure. - The CyberWire - January 15th, 2022
- Google wants secure open-source software to be the future - TechRadar - January 15th, 2022
- Baumer, Infineon, Qualcomm Innovation Center, Percepio and Silicon Labs Select Zephyr RTOS for their Next Generation of Products and Solutions - Yahoo... - January 15th, 2022
- How Open Source Is Shaping The World Around Us - Outlook India - December 19th, 2021
- The Projects and People That Shaped Security in 2021 The New Stack - thenewstack.io - December 19th, 2021
- Log4j: Where's Fancy Bear been? Right there, choppin' lumber... - The CyberWire - December 19th, 2021
- Aqua Security acquires Argon to protect the software supply chain - VentureBeat - December 6th, 2021