
Top 10 Open Source Software Flaws in 2018

Top security flaws affecting open source products or technologies that caused a huge volume of security incidents.

Wednesday, January 23, 2019



Open source frameworks, components and libraries are an inseparable part of web application development and maintenance in today’s landscape. In 2017, a report found that as many as 96% of applications contained open source components.

As with all software, these components are not always secure all the time. Independent security researchers work with open source developers and vendors to find and mitigate security flaws as they’re discovered. Open source vulnerabilities are generally tracked through the NIST National Vulnerability Database.

The good news is that, for the most part, open source vendors are quick to patch vulnerabilities when found. On its own, this is not enough to keep applications secure. The Equifax breach (the security event that raised the issue of vulnerability patching higher in the public consciousness and which cost the organization at least $242.7 million) was caused by a failure to apply security updates that had fixed the flaw two months previously.

This raises the important issue: flaws may be patched by the supplier/vendor, but companies are not safe until they apply those patches to their own implementation.

Here are 10 new open source security flaws and exploits seen in 2018.

10: Vulnerability in Magento extensions abused by Magecart

Reference: CVE-2016-4010

Discovered: October 2018

Type of exploit: PHP Object Injection

There are thought to be at least 12 different Magecart hacking groups. The target is always payment card details – Magecart was behind the British Airways and Ticketmaster breaches. Magecart’s method of compromise varies – but one of the groups targeted Magento extensions.

In October 2018, it was disclosed that at least 20 different extensions all contained a similar vulnerability, and all were being targeted by Magecart. The attack was a PHP Object Injection abusing the PHP unserialize() function, allowing the insertion of malicious code.

The Magento platform had itself contained the same vulnerability, which was fixed by replacing the PHP unserialize() function with json_decode(). Unfortunately, the extension authors did not do the same.

At the time of disclosure, researcher Willem de Groot knew there were 20 extensions being targeted, but didn’t know which ones they were. He had discovered only two. The first, the Webcooking_SimpleBundle Magento extension, was reported to the maker and fixed within hours. The second, TBT_Rewards, had been abandoned by the author months earlier. Since this will not be fixed – highlighting the huge problem of legacy software – it needs to be replaced.
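The practical check an operator wants after a disclosure like this is "which of my extensions still call unserialize(), and on what input?" The following Python script is an added example written for this article, not code from Magento, the named extensions, or the researcher; it scans constructed PHP snippets (illustrative files, not real extension code) for unserialize() calls and rates a call as request-controlled when the same line reads request input. The file paths and the `getRequest()->getParam()` idiom are assumptions for the sample.

```python
import re

# Constructed PHP sources standing in for Magento extension code. These are
# illustrative files written for this example, not code from any real extension.
SAMPLE_EXTENSION_SOURCES = {
    "app/code/Example/Bundle/Controller/Cart/Load.php": """<?php
class Load extends Action
{
    public function execute()
    {
        // request-controlled string fed straight into the deserialiser: the
        // pattern behind the PHP Object Injection described above
        $bundle = unserialize($this->getRequest()->getParam('bundle'));
        return $this->render($bundle);
    }
}
""",
    "app/code/Example/Bundle/Model/Cache.php": """<?php
class Cache
{
    public function load($key)
    {
        // deserialises data this code wrote itself: still worth review, lower risk
        return unserialize($this->backend->get($key));
    }
}
""",
    "app/code/Example/Bundle/Helper/Data.php": """<?php
class Data
{
    public function decode($json)
    {
        // the fix Magento itself applied: json_decode() builds no PHP objects
        return json_decode($json, true);
    }
}
""",
}

# A call to unserialize(), and the request-input reads most common in Magento code.
UNSERIALIZE_CALL = re.compile(r"\bunserialize\s*\(")
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b|getRequest\s*\(\s*\)|getParam\s*\(")


def find_unserialize_calls(sources):
    """Return one finding per line that calls unserialize().

    Each finding is (path, line_number, severity): 'request-controlled' when the
    same line also reads request input, otherwise 'review'.
    """
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if not UNSERIALIZE_CALL.search(line):
                continue
            severity = "request-controlled" if REQUEST_INPUT.search(line) else "review"
            findings.append((path, lineno, severity))
    return findings


if __name__ == "__main__":
    for path, lineno, severity in find_unserialize_calls(SAMPLE_EXTENSION_SOURCES):
        print(f"{severity:18} {path}:{lineno}")
```

The line-level heuristic deliberately errs towards reporting: a call whose input is assigned on an earlier line shows up as "review" rather than being missed, and every hit is a candidate for the json_decode() replacement described above.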

9: Peekaboo Attack

Reference: CVE-2018-1149

Disclosed: September 2018

Type of exploit: Privilege escalation/broken authentication

The Peekaboo vulnerability affects some internet connected recording devices running NUUO’s firmware. This includes various products in NUUO’s line of CCTV surveillance and storage hardware. The vulnerability was found in an open source web server used by some NUUO products, and would allow attackers remote access to view and even alter video footage.

There was no recorded malicious exploitation of Peekaboo prior to the zero-day proof of concept, but this is 2018’s most prominent open source vulnerability that pertains to IoT devices. Allowing hackers to remotely seize control of surveillance devices is definitely bad news for data protection and privacy, and it also raises the prospect of IoT DDoS attacks.

8: Jenkins Data Leaks

References: CVE-2018-1999001 and CVE-2018-1999043

Disclosed: January, July and August 2018

Type of exploit: Data exposure

Jenkins is a Java-based web application server designed to help with the build, test and deployment phases of software development. It is a part of many open source based supply chains, and therefore often processes sensitive internal data. In the case of broken authentication flaws, attackers might access this data without leaving a single trace, and such authentication flaws have plagued Jenkins throughout 2018.

The first issue discovered this year is not tracked in the NVD, but was reported by security researcher Mikail Tunç. He found that 10-20% of all Jenkins servers had misconfigured user authentication. These servers were exposing such things as sensitive proprietary code and login credentials. This was compounded in the summer, when researchers from CyberArk discovered two further flaws. These new vulnerabilities would allow malicious users to bypass authentication to Jenkins servers gaining free, traceless access to any sensitive data.

7: BatchOverflow flaw rocks the Ethereum smart contract world

Reference: CVE-2018-10299

Disclosed: April 2018

Type of exploit: Integer overflow (“BatchOverflow”)

A batchOverflow flaw was discovered in Ethereum-based ERC-20 smart contracts when blockchain security firm PeckShield detected an absurdly large BEC token transaction (0x8000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000). This happened twice to two different addresses.

The dollar value of these transactions at the then current exchange rate was quite simply ridiculous. Numerous cryptocurrency exchanges immediately suspended accepting ERC-20 deposits. OKEx (Hong Kong, the world's third largest exchange) announced, “We are suspending the deposits of all ERC-20 tokens due to the discovery of a new smart contract bug – ‘BatchOverFlow’. By exploiting the bug, attackers can generate an extremely large amount of tokens, and deposit them into a normal address. This makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers.”

PeckShield discovered similar flaws in more than a dozen other ERC-20 smart contracts, and attempted to contact the authors. Its efforts at getting the flaw fixed were made more difficult by the lack of any central security overview for smart contracts. “With the touted ‘code-is-law’ principle in Ethereum blockchain, there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts,” commented PeckShield.
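The arithmetic behind batchOverflow is easier to see in a few lines than in a transaction hash. The Python below is an added example for this article, not PeckShield’s analysis code or any token’s contract: it models a batchTransfer(receivers, value) whose amount = cnt * value is computed with the EVM’s wrapping 256-bit multiplication, next to a checked multiplication that raises instead. The ledger, addresses and function names are constructed for the illustration; the value 2**255 is the 0x8000…0 figure quoted above.

```python
# Added example (not PeckShield's or any token's code): wrapping uint256
# arithmetic behind batchOverflow, next to the checked form that rejects it.

UINT256_MAX = (1 << 256) - 1


def mul_wrapping(a, b):
    """uint256 multiplication as the EVM performs it: the product wraps modulo 2**256."""
    return (a * b) & UINT256_MAX


def mul_checked(a, b):
    """SafeMath-style multiplication: raise instead of silently wrapping."""
    if a == 0:
        return 0
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError(f"{a} * {b} does not fit in uint256")
    return product


def batch_transfer(balances, sender, receivers, value, mul=mul_wrapping):
    """Model of an ERC-20 batchTransfer(receivers, value).

    amount = cnt * value is checked against the sender's balance, then each
    receiver is credited `value`. With wrapping multiplication a huge `value`
    can make `amount` tiny (or zero) so the check passes; with mul_checked the
    same call raises before any balance changes.
    """
    cnt = len(receivers)
    amount = mul(cnt, value)
    if balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    balances[sender] = balances.get(sender, 0) - amount
    for receiver in receivers:
        balances[receiver] = (balances.get(receiver, 0) + value) & UINT256_MAX
    return amount


# The value seen in the BEC transaction quoted above: 0x8000...0, i.e. 2**255.
HUGE_VALUE = 1 << 255


def demo():
    """Return (wrapped_amount, receiver_balance, checked_raised) for two receivers.

    Constructed scenario: the sender holds zero tokens. 2 * 2**255 wraps to 0,
    so the unchecked transfer passes the balance check and credits 2**255 to
    each receiver; the checked version raises OverflowError instead.
    """
    ledger = {"0xsender": 0}
    amount = batch_transfer(ledger, "0xsender", ["0xa", "0xb"], HUGE_VALUE)
    try:
        batch_transfer({"0xsender": 0}, "0xsender", ["0xa", "0xb"], HUGE_VALUE, mul=mul_checked)
        raised = False
    except OverflowError:
        raised = True
    return amount, ledger["0xa"], raised


if __name__ == "__main__":
    print(demo())
```

The only difference between the two paths is the multiplication helper; that is why the fix for contracts of this kind was to route every arithmetic step through checked helpers rather than to patch the one call site.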

6: WordPress GDPR Compliance extension actively exploited

Reference: CVE-2018-19207

Disclosed: November 2018

Type of exploit: Privilege escalation

A privilege escalation flaw was discovered in Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) when several WordPress blog admins noticed unusual activity on their sites, and discussed the effects on the WordPress support forum. A comparison of plug-ins used by the different operators narrowed the problem down to the GDPR Compliance plug-in. At this point the moderator asked for the issue to be raised with the plug-in author and closed the discussion.

At the time, the plug-in had 100,000 active installs. The flaw was fixed within 24 hours by the plug-in developer. Meanwhile, Wordfence reported, “By leveraging this flaw to set the users_can_register option to 1, and changing the default role of new users to ‘administrator’, attackers can simply fill out the form at /wp-login.php?action=register and immediately access a privileged account. From this point, they can change these options back to normal and install a malicious plugin or theme containing a web shell or other malware to further infect the victim site.”

Users of this plug-in before the current version should look for changes in their database. The most obvious symptom of compromise would be new users with admin privileges.
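The two options named by Wordfence and the new-administrator symptom above can be checked mechanically. This Python function is an added example for this article, not code from WordPress, Wordfence or the plug-in: it takes rows as they would be exported from wp_options, wp_users and wp_usermeta (here constructed sample rows, with the capability meta in the PHP-serialized form WordPress uses) and returns findings to review. The user names, dates and the `since` cut-off are assumptions for the sample.

```python
import re
from datetime import datetime

# Constructed rows standing in for wp_options, wp_users and wp_usermeta.
# wp_capabilities is stored by WordPress as a PHP-serialized array.
SAMPLE_OPTIONS = {
    "users_can_register": "1",
    "default_role": "administrator",
}
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2017-03-12 09:15:00"},
    {"ID": 2, "user_login": "editor", "user_registered": "2017-06-01 14:02:10"},
    {"ID": 57, "user_login": "wp_supportuser", "user_registered": "2018-11-08 03:12:44"},
]
SAMPLE_CAPABILITIES = {
    1: 'a:1:{s:13:"administrator";b:1;}',
    2: 'a:1:{s:6:"editor";b:1;}',
    57: 'a:1:{s:13:"administrator";b:1;}',
}

# The serialized fragment that grants the administrator role.
ADMIN_CAP = re.compile(r's:13:"administrator";b:1;')


def check_wordpress_state(options, users, capabilities, since):
    """Return findings a site operator should review after this flaw.

    options:      dict option_name -> option_value (wp_options rows)
    users:        list of dicts with ID, user_login, user_registered (wp_users rows)
    capabilities: dict user ID -> serialized wp_capabilities meta value
    since:        datetime; administrators registered at or after it are flagged
    """
    findings = []
    if options.get("users_can_register") == "1":
        findings.append("option users_can_register is 1 (open registration)")
    if options.get("default_role") == "administrator":
        findings.append("option default_role is administrator")
    for user in users:
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        is_admin = bool(ADMIN_CAP.search(capabilities.get(user["ID"], "")))
        if is_admin and registered >= since:
            findings.append(
                f"new administrator {user['user_login']} (ID {user['ID']}) "
                f"registered {user['user_registered']}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_wordpress_state(SAMPLE_OPTIONS, SAMPLE_USERS,
                                         SAMPLE_CAPABILITIES, datetime(2018, 11, 1)):
        print(finding)
```

Because Wordfence notes the attackers change the options back once they hold an account, a clean pair of option values is not evidence of a clean site; the user listing is the more reliable signal, which is why the check reports both independently.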

5: Event-Stream

Reference: Not tracked

Disclosed: November 2018

Type of exploit: Cryptojacking malware delivery

Event-stream is a widely used package in the NPM open source JavaScript repository. The package helps with data streaming in Node.js and is among NPM’s most popular packages. In November 2018, it was discovered that a new dependency had been introduced to the code, to a package called flatmap-stream. The code’s ultimate function is to steal credentials for any Copay application that can be found on the system, and ultimately any cryptocurrency contained therein.

The exploit is not tracked in the NVD, as event-stream seems to have been compromised by a more human type of flaw. The user behind the attacks, who goes by Right9ctrl, was able to gain full ownership of the package after gaining the original author’s trust. The malicious dependency was added almost immediately on the transfer of ownership. Right9ctrl’s user page has disappeared from GitHub and the malicious versions of event-stream have been taken down.
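A transitive dependency like flatmap-stream never appears in a project’s own package.json, so the place to look is the lockfile. The Python below is an added example for this article, not npm’s code or the event-stream project’s: it walks the nested "dependencies" tree of a package-lock.json (the lockfileVersion 1 layout is assumed; newer lockfiles use a flat "packages" map instead) and reports every path at which a named package is pulled in. The lockfile content is constructed and its version strings are placeholders, since this article does not give the affected version numbers.

```python
import json

# Constructed package-lock.json fragment in the lockfileVersion 1 layout, where
# nested "dependencies" objects form the tree. Version strings are placeholders.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "event-stream": {
      "version": "0.0.0-placeholder",
      "requires": { "flatmap-stream": "0.0.0-placeholder" },
      "dependencies": {
        "flatmap-stream": { "version": "0.0.0-placeholder" }
      }
    },
    "left-pad": { "version": "0.0.0-placeholder" }
  }
}
""")


def find_package(lock, name):
    """Return every path (parent > ... > name) at which `name` appears in the tree.

    Each hit is {"path": "...", "version": "..."} so the operator can see which
    top-level dependency is responsible for pulling the package in.
    """
    hits = []

    def walk(deps, trail):
        for dep_name, info in deps.items():
            path = trail + [dep_name]
            if dep_name == name:
                hits.append({"path": " > ".join(path), "version": info.get("version")})
            walk(info.get("dependencies", {}), path)

    walk(lock.get("dependencies", {}), [])
    return hits


def audit_lockfile(lockfile_path, name):
    """Convenience wrapper for a lockfile on disk (hypothetical path supplied by the caller)."""
    with open(lockfile_path, encoding="utf-8") as fh:
        return find_package(json.load(fh), name)


if __name__ == "__main__":
    for hit in find_package(SAMPLE_LOCK, "flatmap-stream"):
        print(f"{hit['path']}  (version {hit['version']})")
```

Once a hit is found, the version string is what decides whether the installed copy is one of the malicious releases; comparing it against the package maintainers’ advisory is the step this script leaves to the operator.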

4: jQuery’s Eight-Year Zero-Day

Reference: CVE-2018-9206

Disclosed: October 2018 by security researchers; 2015 or earlier by hackers.

Type of exploit: Arbitrary file upload

Security researcher Larry Cashdollar, working together with developer Sebastian Tschan, discovered a vulnerability in a jQuery plugin and published a proof of concept in October. The flaw allows attackers to upload arbitrary files on vulnerable web servers. This includes code packages, which could lead to malware distribution, sensitive data exposure or website takeover.

While the consequences of this vulnerability are severe enough in themselves, what is alarming is that the flaw is roughly eight years old. First introduced by the 2.3.9 Apache update in 2010, the flaw went unaddressed until its discovery in 2018. That is to say, unaddressed by security professionals. YouTube tutorials for hackers to exploit the flaw had been uploaded as far back as 2015. It’s likely that more secretive hacking circles were aware of the vulnerability even earlier.

3: “Memcrashed” DDoS Attacks

Reference: CVE-2018-1000115

Disclosed: February 2018

Type of exploit: Amplified DDoS

In February 2018, online code repository GitHub was hit by the largest DDoS attack in history, peaking at 1.35 terabytes per second. This record was not even held for a week, as days later NETSCOUT Arbor confirmed a new DDoS attack that hit 1.7 Tbps. Both these attacks abused the open source memory caching protocol, Memcached.

Memcached is designed to handle high-volume traffic. If an attacker has access to IP spoofing and a vulnerable user datagram protocol (UDP) server, they can exploit this to vastly boost the power of their DDoS attack. These amplified DDoS attacks using the Memcached protocol soon became known as “Memcrashed” attacks. This particular exploit has a happy ending, however. In March, security professionals discovered it was possible to completely thwart Memcrashed attacks by sending a “flush_all” command back to the attacking server.
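On the receiving end, a Memcrashed attack has a simple signature: large volumes of UDP traffic whose source port is 11211 arriving at one destination from many reflectors. The Python below is an added example for this article, not code from GitHub, NETSCOUT Arbor or the memcached project: it parses constructed flow records in a key=value layout chosen for the sample (real collectors export different fields), flags destinations receiving reflected memcached traffic above a byte threshold, and separately lists any of the operator’s own hosts seen answering on UDP 11211, i.e. hosts that could be serving as reflectors for someone else. The addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed flow records (one per line) in a simple key=value layout chosen
# for this example; real collectors export different fields.
SAMPLE_FLOWS = [
    "2018-02-28T17:21:01Z proto=udp src=203.0.113.10:11211 dst=198.51.100.7:443 bytes=1400000 pkts=1000",
    "2018-02-28T17:21:02Z proto=udp src=203.0.113.11:11211 dst=198.51.100.7:443 bytes=1350000 pkts=980",
    "2018-02-28T17:21:02Z proto=tcp src=192.0.2.5:52113 dst=198.51.100.7:443 bytes=3200 pkts=12",
    "2018-02-28T17:21:03Z proto=udp src=203.0.113.12:11211 dst=198.51.100.9:53 bytes=4096 pkts=3",
    "2018-02-28T17:21:03Z proto=udp src=198.51.100.7:11211 dst=192.0.2.9:40000 bytes=512 pkts=1",
]

FLOW_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) bytes=(?P<bytes>\d+) pkts=(?P<pkts>\d+)"
)


def parse_flow(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    match = FLOW_RE.search(line)
    if not match:
        return None
    flow = match.groupdict()
    for key in ("src_port", "dst_port", "bytes", "pkts"):
        flow[key] = int(flow[key])
    return flow


def detect_memcached_reflection(lines, byte_threshold=1_000_000):
    """Destinations receiving UDP traffic sourced from port 11211 above the threshold.

    Returns {dst_ip: {"bytes": total, "reflectors": [src_ip, ...]}}; the reflector
    list is what an operator passes upstream for filtering or to abuse contacts.
    """
    per_dst = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "udp" or flow["src_port"] != MEMCACHED_PORT:
            continue
        per_dst[flow["dst_ip"]]["bytes"] += flow["bytes"]
        per_dst[flow["dst_ip"]]["reflectors"].add(flow["src_ip"])
    return {
        dst: {"bytes": totals["bytes"], "reflectors": sorted(totals["reflectors"])}
        for dst, totals in per_dst.items()
        if totals["bytes"] >= byte_threshold
    }


def find_own_udp_reflectors(lines, own_hosts):
    """Own hosts seen sending UDP from port 11211: candidates to run memcached with UDP off."""
    hits = set()
    for line in lines:
        flow = parse_flow(line)
        if flow and flow["proto"] == "udp" and flow["src_port"] == MEMCACHED_PORT \
                and flow["src_ip"] in own_hosts:
            hits.add(flow["src_ip"])
    return sorted(hits)


if __name__ == "__main__":
    print(detect_memcached_reflection(SAMPLE_FLOWS))
    print(find_own_udp_reflectors(SAMPLE_FLOWS, {"198.51.100.7", "198.51.100.9"}))
```

The second check matters as much as the first: a memcached instance that needs no UDP at all can be started with `-U 0` (the memcached option that disables its UDP listener), which removes the host from the pool of reflectors regardless of who is attacking whom.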

2: Apache Struts targeted again…and again

References: CVE-2017-5638 and CVE-2018-11776

Disclosed: March 2017 and August 2018

Type of exploit: Cryptojacking and botnet expansion

2018 has been a year of both old and new for the open source Apache Struts framework. The name gained unfortunate notoriety in 2017 when it was determined the Equifax breach was due to a failure to apply security updates fixing the arbitrary code execution vulnerability. Despite the age of the flaw, the Mirai botnet that surfaced around September 2018 targeted this same vulnerability, as well as more in Apache Struts and other open source libraries.

August saw an entirely new remote code execution vulnerability as well… Proof of Concept code for exploiting the flaw surfaced almost immediately on disclosure, and the first serious attack campaign began within days. Attackers were observed attempting to exploit the flaw to deliver cryptomining malware to targeted systems.

1: Drupalgeddon 2 and 3

References: CVE-2018-7600 and CVE-2018-7602

Disclosed: March and April 2018

Type of exploit: Privilege escalation, remote code execution, cryptojacking malware delivery

2014’s Drupageddon (the name retroactively changed to “Drupalgeddon” later on) was a severe and damaging SQL injection flaw. It was so widespread on the platform that by the time the Drupal team patched it, they told users that if they did not patch within 7 hours, their sites should be assumed compromised. In 2018, a slightly different form of Drupalgeddon resurfaced twice; these two new vulnerabilities are known as Drupalgeddon 2 and Drupalgeddon 3.

Drupalgeddon 2 is a remote code execution flaw affecting default or common Drupal configurations. Although Drupal released a security update soon after discovery, hackers targeted unpatched Drupal installations to exploit this vulnerability. Drupalgeddon 2 and Dirty COW (a Linux kernel privilege escalation flaw) were combined into a two-pronged privilege escalation attack. Later in the year, Drupalgeddon 3, a subtly different RCE flaw, was exploited to spread Monero-mining malware.

The simple lesson to learn from all these open source flaws is first to understand where you use open source software, and then to make sure any and all patches are applied as soon as possible.
