61,000 open source projects, vulnerable to 15-year-old flaw, now patched

Following discovery of a 15-year-old vulnerability affecting open source projects through Python, Trellix has managed to patch over 61,000 of the ventures affected

Upon launching the Trellix Advanced Research Center in September, cybersecurity researchers at the organisation announced that an estimated 350,000 open source projects were at risk due to the CVE-2007-4559 vulnerability, which has resided in Python systems for over 15 years.

The path traversal vulnerability in Python's tarfile module — found extensively in frameworks created by AWS, Facebook, Google and Intel — has the potential to allow threat actors to overwrite arbitrary files when a crafted archive is extracted, leading to possible override and control of devices.

Since the discovery in September, 61,895 projects affected have been patched by Trellix, through the software development platform GitHub, with the work being led by Kasimir Schulz and Charles McFarland.

Researchers received a list of repositories and files that contained the keyword “import tarfile”, which allowed them to clone and scan each repository using the free Trellix tool Creosote, to determine which needed to be patched.

Patches are delivered to vulnerable projects through GitHub pull requests — an automated mechanism by which proposed code, created and worked on between developers and community members, is submitted to a project for review.

From here, users overseeing the projects can review the new code, and request collaboration or clarification if needed, before accepting the code for patching.

The pull request process allows for unique patches to work on a case-by-case basis, at scale.

“Our team took inspiration from Jonathan Leitschuh’s DEFCON 2022 talk on fixing vulnerabilities at scale,” said Douglas McKee, principal engineer and director of vulnerability research at Trellix in a blog post.

“Our Advanced Research Center vulnerability team was able to automate most of the processes, except for quality control. We broke the process into two steps, the patching phase and the pull request phase, both of which were automated and simply needed to be executed.”

The benefits of collaboration

Through patching and automating vulnerable projects, the software supply chain attack surface present in the base Python package has been narrowed.

McKee added: “This work to narrow the attack surface cannot be done without collaboration across our industry.

“As an industry we cannot afford to ignore the need to seek out and eradicate foundational vulnerabilities. Mass patching of open-source projects can be done, even if it takes a lot of time, and it can deliver benefits to organisations of all sizes, across sectors and regions.

“To properly prevent the reintroduction of past attack surfaces, it’s critical that every organisation using code libraries and frameworks in their applications have proper checks and evaluation measures in place to ensure full transparency into their software supply chain, while also making sure their developers are educated on all layers of the technology stack.”



Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.