A 15-year-old vulnerability in the Python programming language is making headlines again as new research shows that the vulnerability is estimated to be present in over 350,000 open source projects and some closed source projects, according to the Trellix Advanced Research Center.
The vulnerability, tracked as CVE-2007-4559, exists in the Python tarfile module, a default module in any project using Python and found in frameworks created by Netflix, AWS, Intel, Facebook, and Google, as well as applications used for machine learning, automation, and docker containerization.
Trellix says "the vulnerability can be exploited by uploading a malicious file generated with two or three lines of simple code and allows attackers arbitrary code execution, or control of a target device."
Christiaan Beek, Head of Adversarial and Vulnerability Research at Trellix, discussed the findings:
"When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident, however, building on top of weak code-foundations can have an equally severe impact.
This vulnerability's pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It's critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces."
Trellix notes that open source tools like Python are necessary to advance innovation, but protection of these tools requires industry-wide collaboration.
Josh Kocher, Adversarial Engineer at LARES Consulting, shared similar thoughts as he discussed the vulnerability with SecureWorld News:
"Projects need to be vigilant and mindful of library dependencies, keep abreast of security vulnerabilities in these libraries, and apply appropriate mitigations or updates to resolve these issues.
Vulnerabilities found in libraries can often be far reaching in their impact due to the number of projects that may make use of them and, as seen with CVE-2007-4559, these vulnerabilities can exist in projects long after the vulnerability has been discovered.
Supply chain issues such as these arise due to an implicit trust in libraries being secure and correctly implemented, however, developers should instead treat these libraries as untrusted, ensure input to them is sanitized and that all error conditions are handled appropriately."
But, despite the supply chain concerns, are threat actors really going to be exploiting the vulnerability 15 years after it was discovered? Mike Parkin, Senior Technical Engineer at Vulcan Cyber, thinks this vulnerability might be past its prime:
"The library is widely used and there are ways to abuse intended functionality with it, but it's unclear if anything in the original assessment has changed. One has to think that after 15 years, if attackers were going to leverage a known issue, they'd have done so by now."
A free tool for developers to check if their applications are vulnerable is available on Trellix Advanced Research Center’s GitHub.
Additional information regarding CVE-2007-4559 can be found in Trellix's technical blog post, Tarfile: Exploiting the World with a 15-Year-Old Vulnerability.
