The dog days of summer are upon us, and while we’ve been busy debating whether it’s the heat or the humidity (it’s the humidity), or testing the capabilities of central air conditioning, our trusty database has continued to aggregate open source security data, so that we can all try to chill, assured that the open source components that we are all using are secure.
Our research team has put together a list of July’s top 5 new known open source security vulnerabilities, collected by the WhiteSource database, which is updated continuously from the National Vulnerability Database (NVD), as well as several additional publicly available, peer-reviewed security advisories and issue trackers.
July’s top 5 list of vulnerable open source components has some old favorites that many of us are probably using, even though we might not even know it. Some of the components have been loyalty maintained since the 90’s, and some are exciting new automation tools. Either way, you’ll want to go over the list and make sure that your open source components are up to date and spick and span.
Security researchers discovered a local security-bypass vulnerability in the Linux Kernel.
A vulnerability in the keyring in the Linux kernel might mistakenly allow special internal keyrings from being joined by userspace keyrings. Hackers can exploit this vulnerability to access authentication by bypassing certain security restrictions like module verification and perform unauthorized actions that could help them perform additional attacks.
Considering the popularity of the Kernel and how ubiquitous the Linux Kernel is in enterprise software development, we highly recommend users check and make sure that they are using an updated, vulnerability free version.
The hard working folks at Linux have already provided a fix for this vulnerability. You can find more information about remediation here and here, or read about other Linux Kernel vulnerabilities discovered this year here.
A heap-based buffer overflow issue was found in cURL, a command line tool and library for transferring data with URL syntax.
The buffer overflow occurs when sending data over SMTP and using a reduced read buffer. A malicious remote user that triggers these conditions on the target system could cause denial of service or execute arbitrary code on the target system.
This vulnerability is a sticky one, since cURL is used in cars, routers, printers, audio equipment, mobile devices like tablets and phones, media players and more. The cURL project page boasts that cURL is the internet transfer backbone for thousands of software applications affecting billions of humans daily, so an unchecked security vulnerability might cause organizations and individuals costly damage.
This hefty three for one special is brought to you by another open source OG, Samba —the open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol that allow PC-compatible machines to share files, printers, and information.
These three issues found in Samba this July could allow remote users to hijack connections and allow remote authenticated users to obtain sensitive information.
The first issue, CVE-2017-12150, is a Man-in-the-Middle (MitM) security bypass vulnerability, due to vulnerable versions of Samba not enforcing “SMB signing” when specific configuration options were enabled. This could allow an attacker to bypass security restrictions and retrieve information using a MitM attack. The Samba team has already provided a fix.
In the second vulnerability, CVE-2017-12151, the client software doesn’t properly sign and encrypt DFS redirects when certain settings are used for the the max protocol for the original connection. The connection could lose the requirement for signing and encrypting to any DFS redirects, resulting in an attacker reading or altering the content of the connection via a man-in-the-middle attack. The good folks at Samba have provided information about the issue and its remediation.
The third Samba vulnerability that we’re putting in the spotlight this time is CVE-2017-12163, an arbitrary file write vulnerability that might allow remote information disclosure. A remote authenticated user can send specially crafted SMB1 data to cause portions of server memory content to be written to a file on the target Samba share or to a shared printer. The Samba team has you covered with a fix.
Samba has been around since the early 90’s to provide file and print services for clients using SMB/CIFS protocols such as all versions of DOS and Windows, OS/2, Linux and more. That means that it exists in many of the systems used in organizations. These vulnerabilities have affected products from giants like HP, Debian, and redhat, to name a few.
An improper data validation issue was found in vulnerable versions of Ansible, when handling data sent from client systems. An attacker with control over a client system managed by Ansible that is able to send facts back to the Ansible server, could exploit this vulnerability to bypass certain security restrictions and execute arbitrary code on the Ansible server using the Ansible server privileges.
Compared to the rest of the projects featured this week, Ansible is a new kid on the open source block, a favorite with the DevOps crews. Iit is an IT automation platform dedicated to making it easier to deploy applications and systems so that developers can work better and faster together, true to open source practices. According to their documentation, Ansible’s main goals are simplicity and ease-of-use, and one of their top design principles is to “be the easiest IT automation system to use, ever.” If that’s not enough to make them a favorite for developers and the rest of the cool kids, here’s another fun fact: their releases are named after Led Zeppelin songs (or in earlier versions, Van Halen’s.)
You can find more information about the vulnerability and its remediation on github.
Vulnerable versions of libpng handle certain PNG files incorrectly, because of a miscalculation in the png_check_chunk_length function. This issue could trigger an integer overflow when processing a crafted PNG file, which hackers could exploit to cause a denial of service.
libping, the official PNG reference library, is another veteran open source project to develop and maintain the reference library for applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. The project has been up and running and in extensive use and testing since the mid ‘90’s. How many developers do you know that can say that?
Those were our top picks for July’s top 5 new open source security vulnerabilities list. July’s batch clearly shows that the open source community continues to review and analyze open source components for security issues, and that no project is immune to vulnerabilities, no matter how long it’s been around, or how popular it is.
In fact, the bigger the community using and maintaining an open source project, the more eyes there are to check for security issues and supply fixes. The next step is up to us users — our software projects have to be continuously tracked so that we can be alerted immediately if we are working with a vulnerable component.
An automated tool for managing open source security in organizations, can track open source usage throughout the development life cycle and match open source components against a continuously updated open source database to ensure that you are alerted about any known open source security vulnerabilities that are found in your code, and that you are provided with all the information that you need in order to resolve the issue. You can see how it works, for free, with the new WhiteSource Vulnerability Checker.
Want to catch up on earlier 2018 open source vulnerabilities? Visit our top open source vulnerabilities page.