Summer is officially here, reminding us once again to appreciate the air conditioned offices that allow us to aggregate and track open source security vulnerabilities without breaking into a sweat.
Another gift that comes with the end of May is our list of top 5 new open source vulnerabilities that were published in May.
We’ve put together a list of May’s top 5 new known open source security vulnerabilities, aggregated by the Mend database, which is updated continuously from the National Vulnerability Database (NVD) and, of course, a wide range of publicly available, peer-reviewed open source security advisories.
Our top 5 list of projects hit by vulnerabilities this month consists of old favorites and some newcomers. Some of them were published in the NVD and some were made public in less popular trackers.
You might be surprised to see that some of these tools and libraries are being used by you and your team daily. Some of this month’s vulnerabilities are embedded deep within the infrastructure of the communication networks we use all day.
Vulnerability Score: Critical — 10
Affected versions: All
Node-macaddress, an open source module that retrieves MAC addresses on Linux, OS X, and Windows, is vulnerable to command injection attacks.
The node-macaddress library allows users to locate the MAC address per network interface and chooses an appropriate interface if a user is interested in a specific MAC address identifying the host system.
An extremely popular library, node-macaddress averages over 900,000 weekly downloads. That leaves a whole lot of systems very vulnerable to command injection attacks.
Unfortunately, no fix is available for this vulnerability so far. At this time, researchers recommend not installing or using this module until a fix is provided.
You might have noticed that the vulnerability ID for this issue is not the usual CVE ID; rather, it starts with WS. That’s because this critical vulnerability has not yet been added to the NVD database. While the NVD is comprehensive and well regarded, many don’t know that it doesn’t cover all open source vulnerabilities, and that there are other vulnerability databases out there that Mend tracks to keep our customers covered.
This node-macaddress vulnerability (WS-2018-0113) is one example. It was discovered by a security researcher and published in an advisory that is not included in the NVD’s database. This is the reason Mend’s open source vulnerability database extends beyond NVD vulnerabilities, and continuously aggregates data from additional security sources.
Vulnerability Score: High — 8.6
Affected versions: before 2.0.0
Base64-url is an open source project that enables Base64 encoding, decoding, escape and unescape for URL applications.
Versions of base64-url before 2.0.0 were found to be vulnerable to an out-of-bounds read because the library allocates uninitialized buffers when a number is passed as input.
This could allow attackers to extract sensitive data from uninitialized memory, or to cause a Denial of Service (DoS) by consuming memory when large numbers are passed as input (for example, from user-submitted JSON-encoded data).
In order to remediate this security issue, users need to update to version 2.0.0 or later.
For more information about updating to safer versions, visit here.
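The bug class above comes from handing an untrusted value straight to a Buffer constructor: the legacy `new Buffer(arg)` treated a number as a size and returned memory that was not zeroed, so a `42` arriving from JSON became a 42-byte window into the heap. The block below is an added example, not base64-url’s code: `legacyStyleDecode` is a constructed model of that behaviour (using `Buffer.allocUnsafe` to stand in for the old constructor), and `safeDecode` shows the type guard that closes it; all function names are hypothetical.

```javascript
// Restore standard base64 from the URL-safe alphabet and re-add padding.
function fromUrlSafe(str) {
  const std = str.replace(/-/g, '+').replace(/_/g, '/');
  const pad = (4 - (std.length % 4)) % 4;
  return std + '='.repeat(pad);
}

// Model of the vulnerable pattern (constructed, not the library's code): a
// number is not rejected, so it selects an allocation SIZE chosen by the
// caller. Buffer.allocUnsafe stands in for the legacy constructor: the bytes
// are not zeroed, and a large value is a memory-exhaustion DoS.
function legacyStyleDecode(input) {
  if (typeof input === 'number') {
    return Buffer.allocUnsafe(input);
  }
  return Buffer.from(fromUrlSafe(input), 'base64');
}

// Hardened decoder: only strings are accepted, so a number from a JSON body
// can never be reinterpreted as a size.
function safeDecode(input) {
  if (typeof input !== 'string') {
    throw new TypeError('base64url input must be a string, got ' + typeof input);
  }
  return Buffer.from(fromUrlSafe(input), 'base64');
}

// URL-safe encoder for the round-trip check (no padding, '-' and '_' alphabet).
function safeEncode(data) {
  return Buffer.from(data).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

module.exports = { fromUrlSafe, legacyStyleDecode, safeDecode, safeEncode };
```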
Vulnerability Score: High — 6.8
Affected versions: before versions 2.1.4, 2.2.1
Vulnerable versions of Ansible are at risk of improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system managed by Ansible, who is able to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server with the Ansible server’s privileges.
Ansible, a dream come true for DevOps, is an IT automation platform dedicated to making it easier to deploy applications and systems. According to their documentation, Ansible’s main goals are simplicity and ease of use, and one of their main design principles is to “be the easiest IT automation system to use, ever.” If that’s not enough to make them a favorite for developers and the rest of the cool kids, their releases are named after Led Zeppelin songs (or, in some cases, Van Halen’s).
Vulnerability Score: High — 7
Affected versions: before versions 2.44, 2.32.2
Vulnerable Jenkins versions allow low privilege users to act on administrative monitors intended for admins, because they aren’t being consistently protected by permission checks.
Administrative monitors are warnings about the system state, a useful feature for Jenkins admins. These actions were not consistently protected by permission checks, thereby allowing low privilege users to act on them.
All administrative monitors now require the user accessing them to be an administrator.
Jenkins, the Java-based, open source CI server, is another hero of DevOps. Its many satisfied customers cite the fact that Jenkins is a cross-platform tool, and that it offers configuration through a GUI interface as well as console commands. Users are also happy with the large open source community behind Jenkins, enabling flexibility, a comprehensive plugin list, and strong community support.
Since the build server is where development teams prepare all of their code for distribution, strong and consistent protection of admin privileges is a must to defend against that pernicious “insider threat,” or against an attacker who has gained lower-level access and is moving laterally within your organization.
Vulnerability Score: High — 7.5
Affected versions: Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier
Red Hat announced that a command injection flaw has been uncovered in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7.
According to Red Hat’s security update, a malicious DHCP server, or an attacker on the local network, could attempt to spoof DHCP responses and use this flaw to execute arbitrary commands.
Proving once again that the open source community is quick to cooperate and share in matters of security even across corporate lines, Red Hat also included a shout-out to the Google Security Team for reporting this flaw.
You can find more information about this vulnerability and its fix here.
May’s list of new open source security vulnerabilities teaches us a tough lesson in knowing your code.
This month’s vulnerabilities include projects that sit in the background of every dev team’s daily tasks, and I’d venture a guess that most developers don’t give them a second thought. Whether it’s running our builds, communicating with servers, or talking within our own network, code hygiene cannot be ignored or taken for granted.
The popularity of tools like Jenkins and Ansible shows us that more and more teams are adopting the DevOps approach and are using great tools to work in an Agile way. The only way to make sure that your open source security is being managed, and that you aren’t using any vulnerable components, is to adopt that same approach to open source security, and integrate a tool that will track and alert on your open source components continuously, throughout the DevOps pipeline.
Want to catch up on earlier 2018 open source vulnerabilities? Visit our monthly top vulnerabilities page.