Black Hat

SOOS @ Black Hat USA 2022
August 9-11 | Booth #IC58

Top 10 Open Source Software Security Breaches

The programming world needs to cope with the continual rise of data breaches and coding vulnerabilities every year. Despite the sustained effort to perfect coding languages and programs, programmers will always fall on either side of the spectrum of good or bad, meaning that black-hat coders are constantly searching for weaknesses in software and systems. While open source security software can help catch vulnerabilities, the effectiveness of the secure programming software is only as good as when it is implemented into the software development life cycle.

Even with the most up-to-date tools, programmers, businesses, and individuals need to acknowledge the necessity of early detection. With the rise in vulnerabilities, software developers must continually update their knowledge of the current and most prevalent threats and the tools used to detect them. Businesses and coding specialists should understand the continued threats to popular coding tools and languages, including the top 10 vulnerabilities prone to OSS.

How To Find Open Source Software Security Vulnerabilities

OSS and cloud security breaches are on the rise. The nature of OSS leaves it open to vulnerabilities and attacks. While most developers creating open-source materials do not set out to develop vulnerable programs, sometimes, an individual’s skill level does not allow for sophisticated programming knowledge. Additionally, the nature of open-source programs allows for community editing, including dubious actors.

Regardless of how vulnerabilities arise in OSS, there is no denying the necessity of such software in the rapid-development environment that currently exists. Businesses and developers must learn to cope with further restricting deadlines to maintain a presence in the existing marketplace. Therefore, professionals must incorporate vulnerability scanners and tools, such as the National Vulnerability Database, to weed out various types of security breaches early in the SDLC to contain and mitigate future problems or threats.

When discussing the existing threats to project developments and identifying current OSS vulnerabilities, there are thousands, which is why analytic tools are crucial to any project. Among the several thousand vulnerabilities that exist, these 10 remain at the top of past open-source security breaches to beware of.

1. Lodash

Lodash is a popular JavaScript library that makes coding easier. It helps programmers working with objects, numbers, strings, arrays, etc., by providing modular methods for several different processes and functions, including:

  • Manipulating and testing values
  • Iterating objects, arrays, and strings
  • Creating composite functions

Because of the versatility of the open-source library and its modular formats, it is used by countless programmers daily.Unfortunately, some earlier versions before 4.17.2 contained a prototype pollution security issue when using _.zipObjectDeep. The threat could allow an attacker to use the Object.prototype to reveal sensitive information, alter or manipulate data, or incorporate a Denial of the Service function.

More recent versions of Lodash seem to have resolved the issue, but programmers using older versions need to be aware of the potential threat. Legitimate vulnerability scanners should highlight potential property pollution issues early in the SDLC, as they are a high-security concern.

2. FasterXML jackson-databind

FasterXML jackson-databind is a tool for fundamental data binding or mapping functionality, allowing the reading of JSON content into JSON Trees and Java Objects and the writing of Java Objects and trees as JSON. Unfortunately, 2.x versions before 2.9.10.6 contained a vulnerability related to Anteros-DBCP, essentially resulting in the mishandling of typing and serialization gadgets and their interactions.

Serialization — the process of converting objects into byte streams to store or transmit them into a file, database, or memory — is a well-established process among Java developers. Unfortunately, many programmers noticed an uptick in serialization issues, errors, and vulnerabilities.

When it comes to the Faster-XML jackson-databind issue, developers noticed that earlier versions could suffer from serialization side effects, most notably, the creation of malicious operations. These adverse effects could leave code and programs vulnerable to remote code execution or DoS attacks, potentially exposing sensitive data.

3. HtmlUnit

As a GUI-less browser for Java programs, HtmlUnit allows programmers to use an API to fill out forms, invoke pages, click links, etc. The tool models HTML documents and essentially acts as a “normal” browser, which can be advantageous.

Unfortunately, vulnerable versions of HtmlUnit — those existing before 2.37.0 — contained code execution issues. For instance, when initializing the Rhino engine, the program could provide opportunities for malicious JavaScript code to execute arbitrary Java code. The security issue often occurs on Android-based applications because Android-specific Rhino engine initialization is not correct in earlier versions.

While the exploit can result in significant problems, HtmlUnit is primarily used when testing programs or projects. Later versions of the OSS have corrected the vulnerability. Interested programmers can currently find the fixed or updated version on GitHub.

4. Handlebars

As a Mustache templating language extension, Handlebars is logicless, allowing programmers to keep the code and the view separate for a more effortless experience. The OSS is a popular open-source project, boasting millions of weekly downloads. One aspect of the OSS that makes it so popular and in-demand is the community supporting and maintaining it.

Unfortunately, earlier versions of Handlebars — 4.x before 4.5.3 and before 3.0.8 — contain an arbitrary code execution security threat. According to experts, the lookup helper in these earlier iterations did not correctly validate templates. The poor vetting allows malicious actors to run arbitrary code through submitted templates. Using the code, Handlebars effectively allows cross-site scripting — this is an injection attack that allows actors to access sensitive data, cookies, and session tokens under the guise of a trusted source — on a server or victim’s browser. XSS attacks can also allow the rewriting of HTML content.

5. HTTP-proxy

HTTP-proxy is a content filter that examines traffic to identify suspicious or malicious content, typically malformed content or spyware. Programmers can configure the filter so only content meeting RFC specifications gets through.

As a programmable proxying library, HTTP-proxy helps implement load balancers, reverse proxies, and other components; it also supports WebSockets. With millions of weekly downloads and thousands of dependents, the OSS represents one of the top libraries. Unfortunately, versions previous to the 1.18.1 update are vulnerable to DoS attacks. Long-bodied requests trigger an ERR_HTTP_HEADERS_SENT unhandled exception, crashing the proxy server. This typically only occurs when the request is sent using the function proxyReq.setHeader.

The vulnerability was first listed with the prefix WS rather than the more standard CVE as the Common Vulnerabilities and Exposures list did not have it listed initially, nor did the NVD. The absence of the vulnerability represents the need to use multiple data sets when searching for code vulnerabilities. A reliable vulnerability scanner should use various databases to ensure the most updated and thorough scans.

6. Decompress

Making the extraction of archives straightforward, decompress is a relatively small OS project created to make coding more accessible and more efficient. While popular, earlier versions of the project — those prior to 4.2.1 — permitted a critical Arbitrary File Write vulnerability. The vulnerability exposed systems, allowing malicious players to use ../ in filenames to write or overwrite any folder in the system. Original versions of decompressing did not prevent file extraction through relative paths, which opened the door to the exploit.

The amount of damage caused by this one vulnerability carried out through a simplistic and valuable tool is a reminder of the importance of vulnerabilities management, especially when using and benefitting from OSS. Thankfully, later versions of decompressing corrected the issue, and users can once again incorporate it into their projects. The critical thing in web and software development is never to get too comfortable with any tool.

7. XStream

As an open-source library, XStream performs XML to Java serialization and vice versa. The typical uses for the OSS include configuration, persistence, transport, and unit tests. The library is among the most popular and is present in many open-source Java-based web applications.

Unfortunately, earlier versions of the library contained vulnerabilities, including a remote code execution issue. Essentially, at the unmarshalling time, a processed stream may contain type information vulnerable to manipulation, allowing attackers the ability to replace or inject objects capable of executing arbitrary shell commands.

The vulnerability only affects the default blacklist of the security framework, not the whitelist. Any programmers using the default should ensure they use updated versions, 1.4.14 or newer. Using the most current versions of OSS can often mitigate significant problems. However, operating with caution, committing to the use of vulnerability scanners, and incorporating security checks throughout the SDLC is the only way to mitigate most potential threats.

8. Netty

When working on large projects requiring a fast-paced development environment, most developers will work within an event-driven asynchronous network application framework known as Netty. The OSS can manage maintainable, high-performance protocol servers and clients. Like UDP and TCP socket servers, the client and server framework allows for simplification and a streamlined approach to network programming.

Vulnerable Netty versions, 4.1x before 4.1.46, allowed malicious actors an opportunity to exploit the system. By sending a sizeable ZlibEncoded byte stream to the server, attackers forced the system to reallocate all memory to decoding the stream, essentially allocating all free memory to a single decoder. Later versions, 4.1.46 and newer, fixed the vulnerability.

9. Spring Framework

Spring is a popular development framework for Java applications. It is primarily known for its lightweight and modular design, allowing for the straightforward creation of powerful and robust applications. One of the more popular characteristics is the framework’s inverse technique of the control design principle, incorporating a lightweight container, layering, and the capability of programming on an interface.

The affected versions of Spring include 5.2x before 5.2.3, 5.1x before 5.1.13, and 5.0x before 5.0.16. Spring Framework allowed for a reflected file download attack in these earlier versions. An RFD attack is a web attack vector, and it can give an attacker complete access and control of a victim’s machine through a downloaded file from a trusted domain. In Spring Framework, the vulnerability was possible when setting a Content-Disposition header in response to the user-supplied filename attribute.

10. PyYAML

You have likely heard of PyYAML, a popular YAML emitter and Parser, if you work with Python. While Python seems to increase in popularity every year, many of the tools used for the programming language are relatively new. They require consistent updating to mitigate any potential exploits or vulnerabilities.

Early versions of the PyYAML library present risks through arbitrary code executions, typically occurring when untrusted files are processed with the FullLoader or using the full_load method. The vulnerability could allow attacks to exploit and execute arbitrary code through abuse of the python/object/new constructor, which is why the issue is considered critical.

How To Prevent Software Security Breaches

Developers rely on open-source software and other third-party components to meet the development demands of the current marketplace.Without the plethora of OSS options, software project development’s current scale and speed are not possible. Unfortunately, even though many businesses and development teams understand the risks of implementing OSS, they still do not place high enough concern on security analysis, especially throughout the SDLC.

Many teams view application security as time-consuming and burdensome, preferring to leave it to those finalizing the project or, worse, letting it go to market and see what works. Security is not an afterthought, and it does not have to be a burden. Through appropriate DevSecOps practices, a project can implement security initiatives throughout the life cycle to ensure vulnerabilities are mitigated as the project evolves.

Using vulnerability scanners and other automated tools can help ease the early stages of development. A sound scanner should help teams identify vulnerabilities and exploits while prioritizing those needing immediate correction. The tools should also provide suggestions for mitigation and repair.

Incorporating the best security practices throughout the SDLC does not have to be complex and burdensome. SOOS offers an easy-to-integrate software composition analysis solution that is enticingly affordable for the low monthly rate of $99. Finally, an OSS vulnerability scanning tool for everyone with unlimited users and unlimited scans at an unbeatable price!

Sources:

Copyright © 2022 SOOS| Terms of Service | Privacy Policy