Trellix and GitHub collectively fixed a total of 61,895 open source projects. These projects were found to be affected by a 15-year-old path traversal vulnerability in Python’s tarfile module.
The company’s Advanced Research Center team has confirmed that CVE-2007-4559 is used in an estimated 350,000 open source projects and an unknown number of closed source projects 15 years after it was first discovered. later highlighted the prevalence of CVE-2007-4559 in September 2022. thing.
The team stumbled upon the vulnerability while researching an unrelated issue and initially thought it was a brand new zero-day, but after they started pulling threads, they were actually looking at an “extraction” veteran bug I noticed that. The “extractall” function of Python’s tarfile module.
Exploitation of CVE-2022-4559 allows a user-assisted remote attacker to overwrite arbitrary files via a specific sequence of filenames within a TAR archive, execute arbitrary code, or overwhelm a target device. You can control
In October 2007, this bug was deemed to be of low severity, and frameworks created by Amazon Web Services, Google, Intel, Netflix, and several others used for machine learning, automation, and Docker containerization. is still prevalent in multiple frameworks, including applications for .
Since then, the team has been working on a four-month effort to automate patching of vulnerable open source projects, said Doug McKee, principal engineer and director of vulnerability research at Trellix. Jonathan Rightschu. “Through GitHub, developers and his members of the community can push code to projects or repositories on the platform through a process called pull requests,” he said. “Once a request is opened, the project maintainers will review the proposed code, request collaboration or clarification if necessary, and accept new code. In our case, code pushed via a pull request is , delivered a patch specific to each of his vulnerable GitHub projects.
“Having outlined the process for automating patching, the Advanced Research Center Vulnerability Team was able to automate most of the process except quality control. We split it into two steps, both of which were automated and we just had to do them.”
After retrieving a list of repositories and files containing the keyword “import tarfile” from GitHub, the Trellix team compiled a unique list of repositories to scan and performed a vulnerability check for an app called Creosote created for that purpose. I used the tool to clone and scan the respective repository. When Creosote found a vulnerable repository, the team patched the files and created a local patch diff containing the patched files so that the original files and the repository metadata could be compared.
Once this is done, the team will go through a list of local path diffs, fork and clone the vulnerable repository, and if they find that the original files haven’t changed in the interim, they will replace the original files with with the patched file. Avoid overwriting other changes.
Then the changes were committed to the vulnerable repository, a pull request was created from the forked repository back to the original repository, and the repository owner was explained what was going on. It’s up to the repository owners themselves to accept the patch, he added.
“The vulnerable tarfile module is included in the base Python package and is an out-of-the-box solution to common problems. It’s tightly embedded,” he said.
“Coupled with the fact that nearly all learning material on how to properly use the tarfile module teaches developers how to use it improperly, it is persistent and creates a broad attack surface. Vulnerable Through these efforts to automate projects and apply patches, the attack surface of the software supply chain is reduced.
“This work to reduce the attack surface cannot be done without the cooperation of the entire industry,” added McKee. “As an industry, we cannot ignore the need to find and eradicate underlying vulnerabilities. It can benefit organizations of all sizes.”
He urges all organizations using code libraries and frameworks in their applications to put in place appropriate checks and evaluation measures for proper visibility into their software supply chain, and educates them on all layers of technology. Emphasized the importance of relying on developers to receive. stack.