As many as 350,000 open source projects are said to be potentially vulnerable to exploitation due to a security flaw in a Python module that hasn’t been patched for 15 years.
Open source repositories span a number of verticals, such as software development, artificial intelligence/machine learning, web development, media, security, and IT management.
The flaw, tracked as CVE-2007-4559 (CVSS score: 6.8), is rooted in the tarfile module, and successful exploitation could lead to code execution from an arbitrary file write.
“The vulnerability is a path traversal attack in the extract and extractall functions of the tarfile module that allows an attacker to overwrite arbitrary files by appending the sequence ‘..’ to filenames in a TAR archive,” Kasimir Schulz, security researcher at Trellix, said in a write-up.
Originally disclosed in August 2007, the bug has to do with how a specially crafted tarball can be exploited to overwrite arbitrary files on a target machine simply by opening the file.
Simply put, a malicious actor can exploit the weakness by uploading a malicious tar file in a way that allows escaping the directory a file is intended to be extracted to and executing code, allowing the adversary to potentially take control of a target device.
“Never extract archives from untrusted sources without prior inspection,” the Python documentation for tarfile reads. “It is possible that files are created outside of path, e.g. members that have absolute filenames starting with “/” or filenames with two dots “..”.”
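The inspection the documentation asks for can be automated: before calling extractall, resolve each member's destination path and refuse the archive if any member (or link target) would land outside the intended directory. The following is an added defensive example, not code from Trellix or the Python project; the archive it checks is constructed in memory with one benign member and two members of the kinds the documentation warns about (a ‘..’ name and an absolute name).

```python
import io
import os
import tarfile
import tempfile


def unsafe_members(tar, dest):
    """Return names of members that would be written outside `dest`."""
    dest_real = os.path.realpath(dest)
    bad = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, member.name))
        # A member is safe only if its fully resolved path stays inside dest;
        # this catches both '../' components and absolute names.
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(member.name)
            continue
        # Symlinks and hardlinks can also point outside dest via linkname.
        if member.issym() or member.islnk():
            base = dest_real if member.islnk() else os.path.dirname(target)
            link_target = os.path.realpath(os.path.join(base, member.linkname))
            if os.path.commonpath([dest_real, link_target]) != dest_real:
                bad.append(member.name)
    return bad


def safe_extractall(tar, dest):
    """Extract only after every member has passed the path check."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError("refusing to extract, unsafe members: %r" % bad)
    tar.extractall(dest)


def build_sample_archive():
    """Constructed test archive: one benign member, two that escape dest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("ok/readme.txt", "../escaped.txt", "/abs/escaped.txt"):
            data = b"x"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_sample(dest=os.path.join(tempfile.gettempdir(), "extract_here")):
    """Run the check against the constructed archive; returns flagged names."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive()), mode="r") as tar:
        return unsafe_members(tar, dest)
```

Newer Python releases add an extraction `filter` argument that performs similar checks; on older interpreters a pre-check like this is the only safeguard.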
The vulnerability is also reminiscent of a recently disclosed security flaw in RARlab’s UnRAR utility (CVE-2022-30333) that could lead to remote code execution.
Trellix has additionally released a custom utility called Creosote to scan for projects vulnerable to CVE-2007-4559, using it to discover the vulnerability in the Spyder Python IDE as well as in Polemarch.
“Left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open source and closed projects worldwide, creating a substantial software supply chain attack surface,” Douglas McKee noted.