Trellix Advanced Research Center published its research into CVE-2007-4559, a vulnerability estimated to be present in over 350,000 open-source projects and prevalent in closed-source projects.
The vulnerability exists in the Python tarfile module which is a default module in any project using Python and is found extensively in frameworks created by Netflix, AWS, Intel, Facebook, Google, and applications used for machine learning, automation and docker containerization.
The vulnerability can be exploited by uploading a malicious file generated with two or three lines of simple code and allows attackers arbitrary code execution, or control of a target device.
“When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident, however building on top of weak code-foundations can have an equally severe impact,” said Christiaan Beek, Head of Adversarial & Vulnerability Research, Trellix. “This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It’s critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.”
Open-source developer tools, like Python, are necessary to advance computing and innovation, and protection from known vulnerabilities requires industry collaboration. Researchers are working to push code via GitHub pull request to protect open-source projects from the vulnerability.
A free tool for developers to check if their applications are vulnerable is available on GitHub, and the complete research is available at Trellix.