October has come and gone, and it’s time to clear away the ooky spooky Halloween cobwebs and take a look at the new open source security vulnerabilities that plagued us this past month. As usual, our hard-working research team has been sorting through the Mend database to bring you October’s top 5 new open source security vulnerabilities.
Not many people realize that only 86% of reported open source security vulnerabilities are included in the CVE database. That’s why the Mend database continuously aggregates information from a wide variety of sources like the National Vulnerability Database (NVD), as well as other publicly available, peer-reviewed security advisories and issue trackers.
October’s list includes a variety of popular open source projects that reflect the best of what the open source community has to offer: Requests, the HTTP library for Python; the OG Git project; and a C SSH authentication library that grabbed some headlines as well as quite a few tweets. Whether these vulnerabilities were featured in the news and social media or not, they reside in some of the most popular open source projects that many of us are using.
Want to find out which new open source security vulnerabilities made the list? Here’s what you need to know about the top vulnerabilities to hit in October. You can speed up your search by using the Mend Vulnerability Checker to see if they are in one of your projects.
Vulnerability Score: High — 9.1 critical
Affected versions: versions 0.6 and above
An authentication bypass vulnerability was discovered in libssh’s server code in versions 0.6 and above. This highly critical issue can enable a client to bypass the authentication process, gain access to a local server with an SSH connection without entering a password, and perform unauthorized actions.
Libssh is a popular open source library written in C, implementing the Secure Shell (SSH) authentication protocol. According to ZDNet, the flaw could leave thousands of enterprise servers using vulnerable versions open to exploits. Unsurprisingly, the dev twittersphere was shocked and amazed by this vulnerability and how easy it makes it for hackers to bypass authentication without any credentials.
Luckily, according to libssh’s update, the project released versions 0.8.4 and 0.7.6 to address this issue.
Vulnerability Score: Medium — 7.5
Affected versions: before 1.20.3.
Multiple local privilege-escalation vulnerabilities were found in X.Org X Server. The issue could allow attackers to execute arbitrary code with root privileges. According to X.Org’s security advisory, when the X server is running with elevated privileges, the vulnerability might allow files to be overwritten using the -logfile and -modulepath parameters. This also allows low-privilege users to escalate system rights easily.
The X.Org server is the open source implementation of the X11 system that manages graphics displays, providing the basic functionality that GUIs like GNOME and KDE are built upon. This critical vulnerability affects OpenBSD and some versions of Red Hat, Ubuntu, and Debian, all of which swiftly provided advisories or patches for the issue.
The detailed security advisory from X.org explains that this recently discovered issue has actually been around for nearly two years, in commit https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7, which “introduced a regression in the security checks performed for potentially dangerous options.”
This issue was another example of how it takes a village to secure open source projects: the X.Org team credited researcher Narendra Shinde for discovering and reporting the security vulnerability, as well as the open source OGs at the Red Hat Product Security Team for helping to understand its impact.
Vulnerability Score: Medium — 5
Affected versions: before 3.0.2
An XPath injection flaw was discovered in vulnerable versions of xmlseclibs, a popular open source PHP library for XML security that enables its users to handle encrypted and digitally signed XML documents.
According to Rob Richards, author of xmlseclibs, the issue in vulnerable versions of the library was that user input wasn’t being properly filtered before ending up in the query. This could be exploited by hackers to add new data or modify XML syntax.
Richards explained in the fix posted on GitHub that a filtering function was added to the PHP library, using a whitelist instead of a blacklist to allow only a subset of characters: letters, digits, spaces, dashes, and underscores.
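To make the difference between the two approaches concrete, here is an added Python rendering of the pattern described above (my own code, not xmlseclibs’ PHP implementation): a reference ID taken from a signed document is either interpolated straight into an XPath predicate, or validated against the letters/digits/spaces/dashes/underscores allowlist first. The regex, the sample document, and the helper names are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Allowlist from the fix described above: letters, digits, spaces, dashes and
# underscores. The regex itself is my own rendering, not the library's code.
SAFE_ID = re.compile(r"[A-Za-z0-9 _-]+")


def is_safe_id(ref_id: str) -> bool:
    """True if every character of the reference ID is on the allowlist."""
    return SAFE_ID.fullmatch(ref_id) is not None


def build_xpath_unsafe(ref_id: str) -> str:
    """Vulnerable pattern: the ID from the signed document is interpolated
    straight into the predicate, so a quote character ends the string literal
    and the remainder of the ID becomes part of the query."""
    return f'//*[@Id="{ref_id}"]'


def build_xpath_safe(ref_id: str) -> str:
    """Hardened pattern: validate against the allowlist before building the
    query. Rejecting (rather than stripping characters) avoids turning a bad
    ID into a different, valid one."""
    if not is_safe_id(ref_id):
        raise ValueError(f"reference ID contains disallowed characters: {ref_id!r}")
    return f'//*[@Id="{ref_id}"]'


# Constructed sample document standing in for a signed SAML-style message.
SAMPLE_XML = '<Doc><Body Id="body-1">hello</Body><Other Id="aux 2">x</Other></Doc>'


def find_referenced(xml_text: str, ref_id: str):
    """Resolve a Reference URI fragment (the part after '#') to its element
    using the hardened builder. ElementTree accepts the [@attr="value"]
    predicate form, so the same string works as a relative search from the
    root; it returns None when no element carries that Id."""
    root = ET.fromstring(xml_text)
    return root.find("." + build_xpath_safe(ref_id))
```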
You may have noticed that the ID for this issue isn’t the typical CVE ID. That’s because it doesn’t appear in the popular NVD database, and is one of the many vulnerabilities in the WhiteSource database that are aggregated from a security advisory other than the NVD.
Considering xmlseclibs is used by popular open source projects for PHP SAML, like SimpleSAMLphp, LightSAML, and OneLogin, we highly recommend that you check your systems for this vulnerability and update to a safe version if necessary.
You can read more about the security vulnerability’s fix on GitHub.
Vulnerability Score: Medium — 6
Affected versions: before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1
An arbitrary code-execution vulnerability was discovered in multiple versions of Git, the popular open source distributed version control system.
Security researchers found that certain versions of Git fail to properly validate Git submodule URLs or paths. A remote attacker could exploit this security vulnerability to craft a Git repository that causes arbitrary code execution on a target system when recursive operations are used. Failed attempts will most probably lead to a denial of service.
Veteran Git maintainer Junio C Hamano announced that Git releases 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 fix the issue, and that versions 2.17.2, 2.18.1 and 2.19.1 have an “fsck” check for detecting this type of malicious repository content when fetching or accepting a push. You can learn more about the fsck check on GitHub.
While we’re on the topic, here’s a quick refresher for you. Git is a fast, scalable, distributed revision control system, with an unusually rich command set that provides both high-level operations and full access to internals, according to its GitHub page.
Git has been around since the early days of open source, originally written by community leader Linus Torvalds with the help of a band of merry hackers around the net.
Another fun fact provided by the GitHub project page is that Torvalds originally described Git as “the stupid content tracker.” The rest is history.
Vulnerability Score: Medium — 4.3
Affected versions: through 2.19.1 before 2018-09-14
Last, but certainly not least is a remote attack vulnerability in Requests, the popular open source HTTP library for Python.
Vulnerable versions of the Requests package could expose sensitive information when receiving a specially crafted HTTP header. The package sends an HTTP Authorization header to an http URI when receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to uncover credentials.
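The same-host https-to-http downgrade described above, together with the header-stripping policy a hardened client applies on each redirect hop, as an added Python example. This is my own code modelling the described behaviour, not the Requests project’s implementation; the URLs, the redirect chain and the policy function names are constructed for illustration.

```python
from urllib.parse import urlparse

# Default port per scheme so that "https://h" and "https://h:443" are treated
# as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(parsed):
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def should_strip_auth(old_url: str, new_url: str) -> bool:
    """Decide whether the Authorization header must be dropped before
    following a redirect from old_url to new_url.

    Policy (an assumption modelled on the behaviour the post describes, not
    the Requests project's code): strip on any hostname change and on any
    scheme or port change, except the http -> https upgrade on the default
    ports, which adds protection rather than removing it."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    old_port, new_port = _port(old), _port(new)
    if old.scheme == "http" and new.scheme == "https" and old_port == 80 and new_port == 443:
        return False
    # Same host: a downgrade (https -> http) or a port change means the
    # credential would travel to a different, possibly cleartext, origin.
    return old.scheme != new.scheme or old_port != new_port


def follow_redirects(start_url, headers, redirects, max_hops=5):
    """Walk a constructed redirect chain (a dict of URL -> Location header)
    applying the policy at each hop. Returns (final_url, headers_sent_there).
    Once stripped, the header is not re-added on a later https hop."""
    url, sent = start_url, dict(headers)
    for _ in range(max_hops):
        nxt = redirects.get(url)
        if nxt is None:
            return url, sent
        if should_strip_auth(url, nxt):
            sent.pop("Authorization", None)
        url = nxt
    raise RuntimeError("too many redirects")
```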
Requests is everywhere — the project boasts 11,000,000 monthly downloads, and the Requests project page on GitHub assures readers that all the “cool kids” are using it, and testimonials include such giants as Twitter, Spotify, Microsoft, Amazon, the NSA, Her Majesty’s Government, and the list goes on and on.
Even if you don’t consider yourself a cool kid per se, if you’re a Python lover it’s probably best that you check whether you’re using a vulnerable version of Requests, and make sure that you update ASAP.
This month’s list of top 5 new open source security vulnerabilities proves once again that the most popular open source projects can get hit by a doozie of a vulnerability. Actually, the more active the community maintaining the project is, the higher the chance one of those eyeballs will catch a security issue.
Another risk that rang out loud and clear this month was the use of vulnerable versions of well-trodden open source projects. Sometimes, like in the case of the notorious X.Org vulnerability, a security issue can be discovered in a version that’s been around for years. The vulnerability in the widely popular Git project was found in multiple versions.
This is another reminder that open source security management has to be done continuously, as part of the software development lifecycle. Even though updating a version of a software component deep in your libraries is never a developer’s favorite task, the alternative is worse. That’s why open source security needs to be incorporated into the DevOps cycle, with the automated tools that run without demanding a chunk out of developers’ time, alerting them with all of the necessary details when a vulnerable open source component requires an update or fix.
Catch up on earlier 2018 open source vulnerabilities on our top open source vulnerabilities page.