15-year-old Python bug present in 350,000 open source projects

A 15-year-old vulnerability in the open source Python programming language is still finding its way into live code, leaving more than 350,000 projects at risk of potential supply chain cyber attacks, according to threat researchers at Trellix, the recently formed union of FireEye and McAfee.

CVE-2007-4559 is a directory traversal vulnerability in the “extract” and “extractall” functions of Python’s tarfile module. When exploited, it allows a user-assisted remote attacker to overwrite arbitrary files via directory traversal sequences in the filenames of a TAR archive, ultimately executing arbitrary code or gaining control of the target device.
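As an added example (not code from the article or from Trellix’s tool), the check a defender would put in front of `extractall`: every member’s resolved path, and the target of any symlink or hardlink, is compared against the destination before anything is written. The archive is constructed in memory with a `../` member, and the `data` extraction filter is used when the running Python provides it.

```python
import io
import os
import tarfile
import tempfile

def build_tar(members):
    """In-memory tar from {name: bytes}; names kept verbatim so '../' survives (constructed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def is_within(directory, target):
    """True if target resolves to a location inside directory."""
    directory, target = os.path.realpath(directory), os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory

def unsafe_members(archive, dest):
    """Names of members whose file path or link target would land outside dest."""
    bad = []
    with tarfile.open(fileobj=archive, mode="r") as tar:
        for m in tar.getmembers():
            path = os.path.join(dest, m.name)
            ok = is_within(dest, path)
            if ok and m.issym():  # symlink target is relative to the member's dir
                ok = is_within(dest, os.path.join(os.path.dirname(path), m.linkname))
            if ok and m.islnk():  # hardlink target is relative to the archive root
                ok = is_within(dest, os.path.join(dest, m.linkname))
            if not ok:
                bad.append(m.name)
    archive.seek(0)
    return bad

def safe_extractall(archive, dest=None):
    """Refuse the whole archive if any member fails the check; else extract."""
    dest = dest or tempfile.mkdtemp()
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    with tarfile.open(fileobj=archive, mode="r") as tar:
        # Python >= 3.12 (and security backports) ships PEP 706 filters; use them.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return sorted(os.listdir(dest))
```

Rejecting the whole archive, rather than skipping the offending member, keeps a partially written tree from masking the tampering.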

When it first emerged in October 2007, a month before the first-generation iPhone hit UK stores, Red Hat rated it a low-severity vulnerability. However, according to Trellix’s threat researchers, it is still widespread in frameworks developed by Amazon Web Services, Google, Intel and Netflix, and in many other applications used for machine learning, automation and Docker containerisation.

“When we talk about supply chain threats, we usually refer to cyber attacks like the SolarWinds incident. However, building on top of a weak code foundation can have an equally serious impact,” said Christian Beek, Trellix’s head of adversarial and vulnerability research.

“The prevalence of this vulnerability promotes its misuse through industry tutorials and online materials. It is critical that developers are educated at all levels of the technology stack to properly prevent the re-introduction of past attack surfaces.”

Doug McKee, principal engineer and director of vulnerability research at Trellix, said the research team stumbled across CVE-2007-4559 somewhat by accident in an undisclosed environment while investigating an unrelated issue. At first, he explained, the team thought they had found a new zero-day, but digging deeper revealed that this was not the case.

“When we started pulling on the proverbial thread, we couldn’t believe what unfolded,” McKee said. “With standard public access on GitHub, we were able to find more than 300,000 files containing Python’s tarfile module, and on average 61% of them were vulnerable to an attack resulting from CVE-2007-4559 in 2022.”

Trellix has contacted GitHub to try to better understand the issue. Working together, the two were able to determine that there are approximately 2.87 million open source files containing Python’s tarfile module, spread across a huge number of sectors in 588,000 unique repositories.

“No one group, organisation, or individual can be held responsible for the current state of CVE-2007-4559, but here we are,” McKee said.

“We have to start by considering that open source projects like the Python project are often run and maintained by a group of volunteers. In this case, Python is managed and owned by the Python Software Foundation (PSF), a non-profit organisation. It is often difficult for such groups to obtain resources, conduct rigorous reviews, make unilateral decisions, and track and therefore resolve these types of issues in a timely manner.”

He continued: “In such cases, there is often debate about whether there is a valid use case for a module’s behaviour. We have seen arguments, including in this case: just because one aspect of a function can be used for a malicious purpose, does it ultimately need to be removed? Should we remove street lights because someone might push you into them? In this instance, I believe the risk outweighs the reward for accommodating a few corner cases.”

Trellix is now working on pushing code via a GitHub pull request, and a free tool will be made available to protect open source projects from CVE-2007-4559 and to let developers check whether their applications are vulnerable. It can be found on Trellix’s GitHub page.

The publication of Trellix’s research on the Python tarfile vulnerability also marks the opening of its Advanced Research Center for global threat intelligence, which brings together hundreds of expert cyber analysts and researchers to produce actionable real-time intelligence and threat indicators. It will act as the driving force behind the company’s flagship Extended Detection and Response (XDR) platform.

Trellix chief product officer Aparna Rayasam said: “The threat landscape is sophisticated and scaling in impact potential. We do this to make our digital and physical worlds safer for everyone. As adversaries invest strategically in talent and technological know-how, the industry has a responsibility to study the most combative actors and their methods to innovate at a faster rate.”
