Sunday, September 25, 2022

Hundreds of thousands of applications at risk from unpatched Python bug, say researchers

Over 350,000 open-source repositories may be open to compromise because they include a Python module containing an unpatched 15-year-old vulnerability.

That’s the finding of researchers at Trellix, who said the hole, CVE-2007-4559, is in Python’s tarfile module, which does not check archive member names for path traversal before writing them to disk. A developer could inadvertently include the vulnerability in their own code simply by calling the module’s extraction functions on an untrusted archive, say researchers, and, they suggest, developers have been doing so for years.

“Today, left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface,” the researchers said Wednesday in a blog.

The long-forgotten hole was discovered while researchers were investigating an unrelated vulnerability. Although it was originally rated only 6.8 (CVSS), the researchers were able to confirm that in most cases an attacker can turn the arbitrary file write into code execution. For a detailed technical understanding of the CVE and the consequences of an attack, see Trellix’s separate technical blog.

With GitHub’s co-operation, the researchers were able to determine there were around 2.87 million open-source files containing Python’s tarfile module in about 588,000 unique repositories. Of those, an estimated 350,000 unique open-source repositories, across a vast number of industries, are vulnerable to attack.

The blog notes that the Python documentation itself warns developers about the tarfile problem, urging them never to extract archives from untrusted sources without prior inspection.

Briefly, the actual vulnerability arises from two or three lines of code: calling tarfile.extract() on unsanitized member names, or calling tarfile.extractall() with its built-in defaults. Neither call validates the names stored in the archive, so a member whose name begins with ../ is written relative to the extraction directory and lands outside it. Failure to write any safety code that checks each member’s path before calling tarfile.extract() or tarfile.extractall() therefore results in a directory traversal vulnerability, enabling a bad actor to write files anywhere the extracting process has permission, which is what turns the arbitrary file write into a path to code execution.
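The two patterns described above, side by side, as an added example (this is not code from the article or from Trellix, and the helper names are this example's own). It builds a constructed, in-memory archive containing one member named `../../escaped.txt`, shows that a plain `extractall()` writes it outside the target directory, and then shows a hardened extractor that resolves every member path and refuses anything (including symlink and hardlink targets) that escapes the destination. Newer Python releases accept a `filter` keyword (PEP 706); the example passes `fully_trusted` in the vulnerable function only so that the legacy behaviour is reproduced regardless of which interpreter runs it, and `data` in the safe function as defence in depth.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample input: one member whose name climbs out of the extraction
# directory. Hypothetical, not an artefact from the Trellix research.
ESCAPING_NAME = "../../escaped.txt"
PAYLOAD = b"written outside the extraction directory\n"


def build_tar(members) -> bytes:
    """Build an in-memory tar archive from {member_name: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)  # name is stored verbatim, '../' included
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_unsafe(archive: bytes, dest: str) -> None:
    """The vulnerable pattern: member names are trusted as-is (CVE-2007-4559)."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        # Interpreters with PEP 706 support take a `filter` argument; 'fully_trusted'
        # reproduces the historical default so the demonstration is version-independent.
        kwargs = {"filter": "fully_trusted"} if hasattr(tarfile, "fully_trusted_filter") else {}
        tar.extractall(dest, **kwargs)


def _is_within(base: str, target: str) -> bool:
    """True if target resolves to base or something beneath it.

    realpath (not abspath) is used so that a symlink planted by an earlier
    member cannot redirect a later member outside the destination."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def extract_safe(archive: bytes, dest: str) -> list:
    """Hardened form: every member is validated against dest before extraction."""
    names = []
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if os.path.isabs(member.name) or not _is_within(dest, target):
                raise ValueError(f"blocked traversal: {member.name!r}")
            if member.issym() or member.islnk():
                # symlink targets are relative to the link's directory;
                # hardlink targets are relative to the archive root (dest)
                anchor = os.path.dirname(target) if member.issym() else dest
                link = os.path.join(anchor, member.linkname)
                if os.path.isabs(member.linkname) or not _is_within(dest, link):
                    raise ValueError(f"blocked link escape: {member.name!r} -> {member.linkname!r}")
            tar.extract(member, dest, **kwargs)
            names.append(member.name)
    return names


def demo() -> dict:
    """Exercise both extractors against constructed archives in a scratch tree."""
    evil = build_tar({ESCAPING_NAME: PAYLOAD})
    benign = build_tar({"ok/readme.txt": b"harmless\n"})
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # dest sits two levels below root, so '../../escaped.txt' resolves to
        # root/escaped.txt: outside dest, but still inside the scratch tree.
        dest = os.path.join(root, "app", "extract")
        os.makedirs(dest)
        escaped_path = os.path.join(root, "escaped.txt")

        results["benign_names"] = extract_safe(benign, dest)
        try:
            extract_safe(evil, dest)
            results["safe_blocked"] = False
        except ValueError:
            results["safe_blocked"] = True
        results["safe_wrote_nothing"] = not os.path.exists(escaped_path)

        extract_unsafe(evil, dest)
        results["unsafe_escaped"] = os.path.exists(escaped_path)
    return results


if __name__ == "__main__":
    print(demo())
```

The check has to run on every member before that member is extracted, not on the archive as a whole, because a directory or symlink written by one entry changes where the next entry's path resolves; that is why the safe version iterates with `extract()` rather than calling `extractall()` once. On Python releases that carry PEP 706, `tarfile.extractall(dest, filter="data")` performs equivalent checks in the standard library and is the simpler fix for code you control.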

Trellix has created automated tools to start issuing fixes for open-source code it sees on GitHub and other code-hosting sites. So far it has patches for 11,005 repositories ready for pull requests. Each patch will be added to a forked repository and a pull request made over time. This will help individuals and organizations alike become aware of the problem and give them a one-click fix, Trellix says.

Over the next few weeks, just over 12 per cent of the affected projects, about 70,000, could be fixed if all the pull requests are accepted by the project maintainers.

“The real solution is to tackle the root of the problem,” says Trellix researcher Charles McFarland. “That is, diligent security assessments of open-source code and timely patching. N-days should be measured in days, not years. We need to ensure we are doing our due diligence to audit OSS [open-source software] and not leave vulnerable code in the wild to be exploited. If this tarfile vulnerability is any indicator, we are woefully behind and need to increase our efforts to ensure OSS is secure.”
