The risks of undermanaged open source tools and libraries

Jun 07, 2022

Most of the largest web applications use scripts and third-party code/libraries, which makes them potential targets for adversaries interested in exfiltrating data, skimming credit cards, and executing other malicious actions.

Organizations can be far more vulnerable through their use of third-party libraries and scripts in web applications than they think. Experience across the SDLC confirms that larger code sizes and distributed application architectures result in more exploitable vulnerabilities in the codebase. It also means that a high number of open-source or third-party dependencies increases the number of vulnerabilities and makes them more exploitable for every single organization. Today's applications inherit large numbers of third-party components fetched from public or private repositories.

The reuse of code has major benefits: it reduces development time and cost and improves compatibility, allowing developers to deliver code faster. But it also creates major cyber security risks, such as exploitable software vulnerabilities in the codebase introduced by dependencies that are often hard to find. Real-world attacks have been demonstrated more than once: the Heartbleed vulnerability in OpenSSL, Shellshock in GNU Bash, and several exploited deserialization vulnerabilities are memorable examples. They show what happens when developers reuse libraries and scripts that contain unpatched vulnerabilities in production applications. Never assume they are always reliable. Most security researchers estimate that more than 80% of applications have at least one known software vulnerability. Gartner says 99% of the vulnerabilities exploited will be ones known to cyber security teams for at least one year.

Typically, when an application calls a third-party script, the browser fetches and executes it directly from an external source, or a copied version runs locally. In both cases, the script bypasses security controls such as a WAF or other tools, and the problem will not be known until the script is weaponized in an attack. The widespread dependency on open-source and free scripts across a wide range of applications compounds the problem. In most cases, adversaries remain focused on data exfiltration: intercepting (MiTM) and capturing sensitive data through third parties. Magecart was one notable example: the adversary exfiltrated data on millions of credit cards by placing card-skimming code into third-party scripts on retail websites. British Airways was another example, which ended with more than 380,000 customers' data leaked.
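A defender-side check for the browser-fetched scripts described above, added here as an example and not part of the original post: it parses a page's script tags and flags external origins that are loaded without Subresource Integrity pinning or over plain HTTP. The hostnames, the sample HTML and the integrity value are constructed placeholders.

```python
# Added example (not from the original post): audit a page's <script src>
# tags and flag third-party origins loaded without Subresource Integrity.
# All hostnames, the sample HTML and the integrity value are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-vendor.test/analytics.js"></script>
<script src="https://cdn.example-vendor.test/checkout.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="http://widgets.example-vendor.test/w.js"></script>
<script>console.log("inline");</script>
</head></html>
"""
FIRST_PARTY_HOSTS = {"www.example.test"}  # origins we ship and control ourselves


class ScriptTagCollector(HTMLParser):  # collects the attributes of every <script> tag
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag and attribute names
            self.scripts.append({k: (v or "") for k, v in attrs})


def audit_scripts(html, first_party_hosts):
    """Return [(src, [issues])] for external scripts that lack SRI pinning or HTTPS."""
    parser = ScriptTagCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: nothing is fetched from a remote origin
        url = urlparse("https:" + src if src.startswith("//") else src)
        if url.hostname is None or url.hostname in first_party_hosts:
            continue  # relative path or our own host: not a third-party fetch
        issues = []
        if not attrs.get("integrity", "").startswith(("sha256-", "sha384-", "sha512-")):
            issues.append("missing-integrity")  # browser cannot detect a tampered script
        if url.scheme != "https":
            issues.append("not-https")  # script can be modified in transit
        if issues:
            findings.append((src, issues))
    return findings
```

Run it against rendered pages in the CI pipeline so that a new external script, or a CDN change that drops the integrity attribute, fails the build instead of surfacing after it is weaponized.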

Risks to your CI/CD pipeline

Limited knowledge of open-source projects and third-party tools/scripts compounds the problem, increasing imminent risks in an ever-changing vulnerability ecosystem. We should encourage training in secure coding and in understanding the risks of vulnerabilities and threat mechanisms, which remain possible and may come from anywhere. That means we need processes and tooling to support secure coding from day one in the CI/CD pipeline.

CI/CD platforms have many dependencies and configurations; attackers can easily exploit seemingly secure resources using publicly known exploitable vulnerabilities and simply cripple the entire application environment. More importantly, attackers may exploit the trust relationship between code repositories and applications to make changes to the code, as in the Sunburst attack.

Any organization needs to identify the open-source risks that are critical to its supply chain and mitigate them as continuously as possible. Finally, the number of people and tools you can trust in this regard is very limited, so you have to take these things very seriously.

Disclaimer

The information provided in the Arcane Security Advisory is provided "as is" without warranty of any kind. Arcane disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Arcane or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if Arcane or its suppliers have been advised of the possibility of such damages.

Tags: #opensource #appsec #synk
