Trellix research has revealed that an estimated 350,000 open source projects are at risk due to the CVE-2007-4559 vulnerability, which has resided in Python systems for 15 years
The CVE-2007-4559 vulnerability being explored by extended detection and response (XDR) provider Trellix exists in the Python tarfile module, which comes as default in any project using the common open source development tool Python.
Also prevalent in closed source projects, the vulnerability is found extensively in frameworks created by AWS, Facebook, Google and Intel, along with applications used for machine learning, automation and docker containerisation.
This can be exploited by uploading a malicious file generated with two to three lines of simple code, allowing for arbitrary code execution, or control of a target device by threat actors.
Open source has been increasingly explored by startups and entrepreneurial developers, for increased personalisation of products and services, as well as cost-effectiveness and collaboration — without the drawback of vendor lock-in.
“When we talk about supply chain threats, we typically refer to cyber attacks like the SolarWinds incident, however building on top of weak code-foundations can have an equally severe impact,” said Christiaan Beek, head of adversarial & vulnerability research at Trellix.
“This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It’s critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.”
New Advanced Research Center launched
The research is being presented today in line with the establishment of the Trellix Advanced Research Center, to advance global threat intelligence.
Comprised of hundreds of security analysts and researchers from across the world, the centre will look to produce actionable real-time intelligence and threat indicators to help Trellix customers detect, respond and remediate the latest cyber security threats.
“The threat landscape is scaling in sophistication and potential for impact,” said Aparna Rayasam, chief product officer at Trellix.
“We do this work to make our digital and physical worlds safer for everyone. With adversaries strategically investing in talent and technical know-how, the industry has a duty to study the most combative actors and their methods to innovate at a faster rate.”
Related:
Open source brings faster path to security for majority of CISOs — According to Aqua Security research, the majority (70%) of CISOs believe that open source software (OSS) offers a faster path to security of environments.
Safeguarding the open source model amidst big tech involvement — Dima Lazerka, co-founder of VictoriaMetrics, discusses how the open source model community can be safeguarded amidst increasing big tech involvement.