Trellix streamlines the process of addressing open source weaknesses on a large scale. To date, over 61,000 vulnerabilities have been remediated and
Trellix has successfully rectified more than 61,000 open source ventures that were affected by a critical Python flaw. This was accomplished using an automated instrument that significantly sped up the procedure.
In the previous year, the team at the Trellix Advanced Research Center inadvertently discovered a vulnerability that has been present for 15 years in the tarfile module of Python. Identified as CVE-2007-4559, this vulnerability is characterized as a path traversal problem which allows “user-assisted remote attackers” to replace any file through the use of “a .. (dot dot) sequence in filenames in a TAR archive”.
BACKGROUND: The tarfile path traversal bug from 2007 continues to plague 350,000 open source repositories.
Douglas McKee, a researcher at Trellix, stated that a security glitch reported in 2017 was unfortunately overlooked or left untreated. Consequently, this oversight led to the flaw being inadvertently incorporated into roughly 350,000 open-source projects. It is also deemed to be widespread in numerous proprietary projects.
Nonetheless, as noted in a blog entry from January 23, Trellix has been collaborating with GitHub to manage the defect – a challenging task given the number of susceptible projects.
“The cybersecurity firm states that the susceptible tarfile module, which comes as part of the standard Python package, is deeply ingrained in the supply chain of numerous projects, and without a direct resolution from Python, it remains a serious concern.”
The project, which spanned several months, was spearheaded by Kasimir Schulz and Charles McFarland. It focused on the auto-updating of open-source repositories that housed potentially susceptible code.
Mass Pull Request Strategy
Evidently, the concept was sparked by Jonathan Leitschuh’s talk at DEFCON 2022, where he explored the use of automated mass pull request production as an efficient approach to patch vulnerabilities found in open source software.
Trellix and GitHub divided the procedure into two stages, both were mechanized and only needed implementation, with the responsibility of quality assurance – and approval – falling on the shoulders of project owners.
The initial move was to create the patch. Trellix procured a catalogue of repositories and files that included the keyword “import tarfile”. Afterward, each repository was duplicated and scrutinized using Creosote.
“When we identified a vulnerability in a repository, we rectified it and developed a local patch diff that included the corrected file. This way, users can conveniently compare the original and amended files, along with some repository-related metadata,” elucidated McKee.
ASSOCIATED Fixing widespread weaknesses on a large scale: initiative guarantees mass pull requests
During the stage of making pull requests, the cyber defense squad developed forks of the repository, duplicated them, and then replaced the initial file with the corrected variant if there had been no alterations to the original file. This verification was put into effect to guarantee that the patched substitute did not overlook or overwrite any new enhancements to the code of the project.
In the end, the document was finalized, a request for pulling was created, and a note was dispatched detailing the split and requesting the proprietor to either approve or deny the modifications.
In a conversation with The Daily Swig, Kasimir Schulz, who works as a vulnerability researcher at Trellix’s Advanced Research Center, shared that Creosote and the patcher can collectively carry out repository scans, identify the glitch, and implement a patch all in a few seconds. This is a task that, without the aid of these tools, could take even the most proficient coder a few minutes to accomplish.
“Schulz pointed out that while this discrepancy may not be significant for a few repositories, it becomes increasingly noticeable as the scale goes up,”
The Trellix team has successfully updated 61,895 open-source projects so far, using GitHub as their platform.
Schulz indicated that the latest dialogues at ShmooCon have sparked a “fresh surge” of interest in correcting the flaw within Python directly. There might even be a chance of a monetary incentive being put forward in exchange for a solution.
Schulz’s final statement was: “The intricacy of software and supply chains is continuously increasing. The number of individuals and businesses creating a variety of software is also growing. As a result, attempting to minimize the areas vulnerable to attacks seems like a futile effort. Rather than engaging in an unwinnable fight, we should concentrate on scrutinizing our own supply chains using automated tools, and focus on fortifying against attacks instead of wasting time.”
