Many organizations use a range of open source products, including code libraries, operating systems, applications, and other software, to meet business requirements. It is widely accepted that open source brings advantages in cost, speed, and flexibility; however, it also brings some unique security challenges.
Given that open source components are used in more than 95% of commercial applications today, how can a developer ensure that the software they use, and the application built on it, is secure?
Why are Open-Source Components so Vulnerable to Security Risks?
The quick release cycles of open source projects can be tough to keep up with. The positive side of these quick releases is the frequent rollout of new patches and features. However, checking each new version for potential vulnerabilities can be a full-time job: by the time a developer has finished managing the potential risks in one release, the next release is ready to ship. An automated system to perform these scans and checks helps, but it is far from a failsafe way to identify every potential flaw.
Open-Source Software (OSS) is often considered more secure than its proprietary counterparts thanks to the sizeable user base testing the software and identifying bugs and potential DevOps security flaws. However, having more eyes looking for a potential problem is not always enough to catch security issues. While most users may know enough to implement mainstream fixes, advanced topics such as cryptography require specialists to review the code.
Dependencies in OSS projects allow certain vulnerabilities to slip past the scanner. Projects that use little-known third-party libraries sourced from package managers can pass on vulnerabilities that are difficult to spot. Some developers pin version ranges so that future patches are picked up automatically. However, dependencies that sit several projects removed from the application are difficult to see and are therefore likely to remain vulnerable to attack.
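The point about dependencies "several projects removed" is easiest to see on a resolved dependency graph. The following is an added example, not code from the original article: it walks a constructed dependency graph breadth-first, matches each reachable package against a constructed advisory list, and reports the depth and the path through which each vulnerable package is pulled in. The package names, versions and advisories are all invented for illustration; a direct-dependencies-only scan is included to show what such a scan misses.

```python
"""Find vulnerable packages that are several projects removed from the
application, and report the dependency path that pulls each one in.

Constructed example: the graph and the advisory list below are invented for
illustration and do not describe real packages or real advisories.
"""
from collections import deque

# Constructed dependency graph: package -> (pinned version, direct dependencies)
DEPENDENCIES = {
    "app":             ("1.0.0",  ["web-framework", "image-tools"]),
    "web-framework":   ("3.2.1",  ["http-client", "template-engine"]),
    "image-tools":     ("0.9.0",  ["compression-lib"]),
    "http-client":     ("2.19.1", ["url-utils"]),
    "template-engine": ("1.4.0",  []),
    "compression-lib": ("1.1.0",  ["url-utils"]),
    "url-utils":       ("0.3.2",  []),
}

# Constructed advisory feed: package -> set of versions known to be affected
ADVISORIES = {
    "url-utils":   {"0.3.2"},
    "http-client": {"2.19.1"},
}


def find_vulnerable_paths(graph, advisories, root="app"):
    """Breadth-first walk from `root` over the whole transitive closure.

    Returns a list of (package, version, depth, path) tuples, sorted by depth,
    for every reachable package whose pinned version is in the advisory list.
    Depth 1 is a direct dependency; larger depths are "projects removed".
    """
    findings = []
    seen = set()
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        if name in seen:          # each package is reported once, via its shortest path
            continue
        seen.add(name)
        version, deps = graph[name]
        if version in advisories.get(name, set()):
            findings.append((name, version, len(path) - 1, path))
        for dep in deps:
            queue.append((dep, path + [dep]))
    return sorted(findings, key=lambda finding: finding[2])


def scan_direct_only(graph, advisories, root="app"):
    """A naive scan that only looks at the application's direct dependencies."""
    return [f for f in find_vulnerable_paths(graph, advisories, root) if f[2] == 1]


if __name__ == "__main__":
    print("direct-only scan finds:", scan_direct_only(DEPENDENCIES, ADVISORIES))
    for name, version, depth, path in find_vulnerable_paths(DEPENDENCIES, ADVISORIES):
        print(f"{name} {version} at depth {depth} via {' -> '.join(path)}")
```

On this graph the direct-only scan reports nothing, while the transitive walk finds both vulnerable packages, including one that is reachable through two different intermediate libraries; the shortest path is the one reported, which is usually the first place to look when deciding which direct dependency to bump.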
Top 6 Open Source Risks and How to Beat Them
Linux Kernel Netfilter: xt_TCPMSS
- Versions: Linux kernel before 4.11, and 4.9.x before 4.9.36
One reason the previous year saw a large number of Linux vulnerabilities is that the Linux community is extremely active and combs through its projects regularly. This vulnerability is included in the list rather than other Linux vulnerabilities because of the popularity and extent of use of the affected Linux versions.
netfilter's xt_TCPMSS module operates at the kernel level and assists in filtering network traffic by clamping the maximum segment size (MSS) allowed while processing TCP headers.
Malicious users can potentially exploit this flaw to carry out a DoS attack, sending a flood of traffic to knock the system offline. Because this component sits at the foundation of the system, the adverse effects could be both wide-ranging and destructive.
node-macaddress
- Affected versions: All versions before 0.2.9
In May, a security vulnerability was found in node-macaddress, the open source module used to retrieve MAC addresses on Linux, Windows, and OS X. The vulnerability exposed it to command injection attacks.
The node-macaddress library allows users to locate MAC addresses per network interface. It also allows them to select an interface when a particular MAC address is used to identify the host system.
This library is quite popular and averages 563,699 downloads per week. According to an advisory by NPM, users need to update to versions 0.2.9 or later.
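To show the class of bug behind the node-macaddress advisory from the defender's side, here is an added example (not the module's own code, and in Python rather than Node.js): a lookup that interpolates an interface name into a shell string is compared with one that validates the name against an allowlist and passes it as a single argument without a shell. The `ip link show` command, the interface-name pattern, and the sample command output are assumptions for illustration; the pattern is deliberately stricter than the kernel's own rule for interface names.

```python
"""Safe versus unsafe construction of an OS command from an interface name.

Added example, not part of node-macaddress. The command invoked (`ip link
show`), the interface-name allowlist and SAMPLE_OUTPUT are assumptions.
"""
import re
import subprocess

# Conservative allowlist for interface names: letters, digits, '_', '.', '-',
# at most 15 characters. Stricter than what Linux itself permits, on purpose.
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")

# Matches the hardware address line printed by `ip link show <iface>`.
MAC_RE = re.compile(r"link/ether ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")

# Constructed sample of `ip link show eth0` output used for offline parsing.
SAMPLE_OUTPUT = (
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel "
    "state UP mode DEFAULT group default qlen 1000\n"
    "    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff\n"
)


def build_shell_command_unsafe(iface):
    """Vulnerable pattern: untrusted text becomes part of a shell command line.

    Anything the shell treats specially (';', '|', '$(...)') in `iface` is
    interpreted, which is exactly what a command injection relies on.
    """
    return f"ip link show {iface}"


def validate_interface_name(iface):
    """Reject anything outside the allowlist before it reaches a subprocess."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError(f"invalid interface name: {iface!r}")
    return iface


def build_command(iface):
    """Hardened pattern: an argv list, no shell, and a validated name.

    Even if validation were skipped, an argv element is never parsed by a shell,
    so metacharacters in `iface` would at worst name a non-existent interface.
    """
    return ["ip", "link", "show", validate_interface_name(iface)]


def parse_mac(output):
    """Extract the first MAC address from `ip link show` output, or None."""
    match = MAC_RE.search(output)
    return match.group(1) if match else None


def lookup_mac(iface):
    """Run the hardened command and parse its output (Linux with iproute2)."""
    result = subprocess.run(build_command(iface), capture_output=True,
                            text=True, check=True)
    return parse_mac(result.stdout)


if __name__ == "__main__":
    print("unsafe command line:", build_shell_command_unsafe("eth0; echo injected"))
    print("hardened argv:      ", build_command("eth0"))
    print("parsed from sample: ", parse_mac(SAMPLE_OUTPUT))
    try:
        build_command("eth0; echo injected")
    except ValueError as err:
        print("rejected:", err)
```

The two defences are independent and both worth keeping: the allowlist stops bad input at the API boundary with a clear error, and the argv form removes the shell from the picture so that validation is not the only thing standing between user input and command execution.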
Drupal
- Affected versions: 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
- Affected versions: multiple subsystems of Drupal 7.x and 8.x
In March, many versions of the open source content management platform were left vulnerable to attack by an input validation problem in Drupal core.
The Drupal admin team published a statement letting site admins know that a security release was coming the following week. Administrators were asked to set aside time for core updates, as exploits could appear within hours or days of the release.
While some Drupal admins were still containing the fallout, a further security vulnerability was reported in April. This time the Drupal security advisory warned of a new Remote Code Execution vulnerability in Drupal core. The new vulnerability was related to CVE-2018-7600 and resulted from a fix that did not cover all the cases.
Security research published two months after the first incident found
Spring Data Commons
- Affected versions: 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions
April saw two security vulnerabilities in the Spring Data Commons project.
CVE-2018-1273, the more critical of the two, allowed attackers to take control of affected systems and perform unauthorized operations through remote code execution.
CVE-2018-1274, though slightly less critical, was a property path parser vulnerability caused by unbounded resource allocation. Unauthenticated remote attackers could send requests against endpoints that use property path parsing, or against Spring Data REST endpoints, to cause a denial of service.
Requests
- Affected versions: through 2.19.1 before 2018-09-14
Users identified vulnerable versions of the Requests package that could leak sensitive information when a specially crafted HTTP header was accepted. This happened because the package kept sending the HTTP Authorization header to an http:// URL after following a same-hostname https-to-http redirect, which made it easier for remote attackers to obtain credentials.
The Requests website mentions an average of 400k downloads every day. It also lists public organizations like Google, Nike, Spotify, Twitter, Microsoft, BuzzFeed, Amazon, Reddit, and Lyft among others.
You can read more about the fix on GitHub.
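The Requests flaw is a redirect-handling decision: which credentials may follow a redirect, and which must be dropped. The following is an added example written for this page, not the Requests library's own implementation: a `should_strip_auth` rule that drops the Authorization header when the hostname changes, when the scheme is downgraded from https to http, or when the effective port changes, while allowing an http-to-https upgrade on the default ports. A small redirect follower runs the rule over a constructed chain of responses so the leak and the fix can be compared side by side; the URLs, headers and credential value are all constructed.

```python
"""Deciding whether an Authorization header may follow a redirect.

Added example, not the Requests library's code. The rule, the simulated
responses and the credential value below are constructed for illustration.
"""
from urllib.parse import urljoin, urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(parsed):
    """Explicit port if given, otherwise the scheme's default port."""
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def should_strip_auth(old_url, new_url):
    """Return True if credentials sent to old_url must NOT be sent to new_url."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True                       # different host: never forward credentials
    if old.scheme == "https" and new.scheme == "http":
        return True                       # downgrade: the case behind the Requests flaw
    if (old.scheme == "http" and new.scheme == "https"
            and effective_port(old) == 80 and effective_port(new) == 443):
        return False                      # upgrade on default ports is safe to follow
    return effective_port(old) != effective_port(new)   # any other origin change


# Constructed response table standing in for a server: url -> (status, headers)
RESPONSES = {
    "https://example.com/api": (302, {"Location": "http://example.com/api"}),
    "http://example.com/api":  (200, {}),
}


def follow_redirects(headers, start_url, responses, strip=True, max_hops=5):
    """Walk a redirect chain and return (final_url, headers sent to final_url).

    With strip=True the Authorization header is removed whenever
    should_strip_auth says so; strip=False reproduces the leaking behaviour.
    """
    url = start_url
    sent = dict(headers)
    for _ in range(max_hops):
        status, resp_headers = responses[url]
        if status not in (301, 302, 303, 307, 308):
            return url, sent
        next_url = urljoin(url, resp_headers["Location"])
        if strip and "Authorization" in sent and should_strip_auth(url, next_url):
            del sent["Authorization"]
        url = next_url
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    creds = {"Authorization": "Basic dXNlcjpwYXNz"}   # constructed "user:pass"
    print("leaking client :", follow_redirects(creds, "https://example.com/api", RESPONSES, strip=False))
    print("hardened client:", follow_redirects(creds, "https://example.com/api", RESPONSES))
```

Note that the same-hostname case is exactly the one a naive "only forward credentials to the same host" check gets wrong: the host is unchanged, but the transport is no longer encrypted, so the comparison has to include the scheme and port, not just the hostname.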
Apache Struts REST Plugin
- Affected versions: 2.1.1 – 184.108.40.206
A vulnerability in the Apache Struts REST plugin made headlines when it was published in April 2018, a little over a year after the disclosure of the Struts 2 vulnerability that Equifax had failed to patch.
This flaw allowed remote attackers to create a denial of service condition by sending a specially crafted XML request through the XStream handler used by the Struts REST plugin, which stopped the targeted software from functioning.
Open source security vulnerabilities increased by 51% in 2017, and 2018 produced a similar number of open source flaws.
The open source community focuses on identifying and resolving security vulnerabilities; however, the trend indicates that the number of published vulnerabilities will not decrease. Thankfully, about 97% of reported vulnerabilities have at least one suggested fix available from the community.