As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation due to a security flaw in a Python module that hasn’t been patched in 15 years.
The open source repositories span a number of verticals, such as software development, artificial intelligence/machine learning, web development, media, security, and IT management.
The flaw, tracked as CVE-2007-4559 (CVSS score: 6.8), is rooted in the tarfile module; successful exploitation could lead to code execution via an arbitrary file write.
“The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allows an attacker to overwrite arbitrary files by appending the ‘..’ string to file names in a TAR archive,” Trellix security researcher Kasimir Schulz said in a write-up.
Originally revealed in August 2007, the bug relates to how a specially crafted tar archive can be used to overwrite arbitrary files on a target computer simply by opening the file.
Simply put, a threat actor can exploit the weakness by uploading a malicious tar file crafted so that its contents escape the directory they are meant to be extracted into, leading to code execution and potentially allowing the adversary to take control of a target device.
“Never pull archives from untrusted sources without prior inspection,” reads the Python documentation for tarfile. “It is possible that files will be created outside the path, e.g. members with absolute file names starting with ‘/’ or file names with two periods ‘..’.”
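The two conditions the documentation warns about, absolute member names and ‘..’ components, are what a defensive wrapper around extractall has to vet. The following is an added example, not code from Trellix or from the Python project: it builds a constructed in-memory archive containing one benign member and two hostile ones, checks each member's resolved destination against the extraction directory, and extracts only the members that stay inside it.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members):
    """In-memory tar from {name: bytes}; constructed test data. addfile() keeps names verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def is_within(base, target):
    """True if target resolves to base itself or to a path below it."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def member_ok(m, dest):
    """False for absolute names, '..' traversal, or a symlink that would point outside dest."""
    target = os.path.join(dest, m.name)
    if os.path.isabs(m.name) or not is_within(dest, target):
        return False
    if m.issym():  # symlink targets resolve relative to the member's own directory
        link = os.path.join(os.path.dirname(target), m.linkname)
        return not os.path.isabs(m.linkname) and is_within(dest, link)
    return True


def safe_extractall(archive, dest):
    """Extract only vetted members into dest; return (accepted names, rejected names)."""
    with tarfile.open(fileobj=archive, mode="r") as tar:
        members = tar.getmembers()
        accepted = [m for m in members if member_ok(m, dest)]
        rejected = [m.name for m in members if not member_ok(m, dest)]
        tar.extractall(path=dest, members=accepted)
    return [m.name for m in accepted], rejected


def demo():
    """Run the check on a constructed archive: one benign member, two hostile ones."""
    archive = build_tar({
        "docs/readme.txt": b"hello",       # benign, stays inside dest
        "../escaped.txt": b"traversal",    # the '..' pattern behind CVE-2007-4559
        "/tmp/absolute.txt": b"absolute",  # absolute name, also rejected
    })
    with tempfile.TemporaryDirectory() as dest:
        accepted, rejected = safe_extractall(archive, dest)
        extracted = sorted(os.listdir(os.path.join(dest, "docs")))
    return accepted, rejected, extracted
```

On Python 3.12 and later the standard library offers an equivalent built-in check via tarfile.extractall(path, filter="data") (PEP 706); the wrapper above shows what such a check does for code that must run on older interpreters.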
The vulnerability is also reminiscent of a recently revealed security flaw in RARlab’s UnRAR utility (CVE-2022-30333) that could lead to remote code execution.
Trellix has also released a custom utility called Creosote to scan for projects vulnerable to CVE-2007-4559, and used it to find the vulnerability in the Spyder Python IDE and Polemarch.
“Unchecked, this vulnerability has been inadvertently added to hundreds of thousands of open and closed source projects around the world, creating a significant attack surface for the software supply chain,” noted Douglas McKee.